cxf-users mailing list archives

From Sergey Beryozkin <sberyoz...@gmail.com>
Subject Re: HTTP Basic CXF Interceptor with BasicAuthAuthorizationInterceptor
Date Tue, 14 Jun 2011 12:14:37 GMT
>
> No problem:) Ok I have implemented this feature. Now I tell me if
> SecurityContext should be implemented (if Principal is null) for Basic
> Interceptor like JAASLoginInterceptor which put a SecurityContext. The only
> question is how set roles? But if we do that we could use
> after SimpleAuthorizingInterceptor

You can use org.apache.cxf.common.security.SimplePrincipal just to
wrap up a principal name.
DefaultSecurityContext (roles represented as Groups,
org.apache.cxf.common.security.SimpleGroup helper is there) and
RolePrefixSecurityContextImpl (role names start with some prefix like
ROLE_) can be used to provide a SecurityContext on a current message.
They all expect a Subject instance which you can easily create with
the help of SimplePrincipal (and SimpleGroup if needed).

Cheers, Sergey


>
> Regards Angelo
>
>
>> On Tue, Jun 14, 2011 at 10:54 AM, Angelo zerr <angelo.zerr@gmail.com>
>> wrote:
>> > Ok I believe I understand your idea about realm. I have added a setter in my
>> > Interceptor :
>> >
>> > AbstractBasicAuthAuthorizationInterceptor#setRealName(String realName) which
>> > computes WWW-Authenticate.
>> > Ex : AbstractBasicAuthAuthorizationInterceptor#setRealName("MyRealm") will
>> > return
>> >
>> > WWW-Authenticate: Basic realm="MyRealm"
>> >
>> > If no realm defined, WWW-Authenticate is not returned. Is that your idea?
>> > WWW-Authenticate is not required? Do you think we should set a default value
>> > for Realm?
>> >
>> > Regards Angelo
>> >
>> > 2011/6/14 Angelo zerr <angelo.zerr@gmail.com>
>> >
>> >> Hi Sergey,
>> >>
>> >> 2011/6/14 Sergey Beryozkin <sberyozkin@gmail.com>
>> >>
>> >>> Hi
>> >>>
>> >>> That interceptor should be more neutral, should not extend a SOAP
>> >>> interceptor.
>> >>>
>> >>
>> >> Ok, I have done like JAASLoginInterceptor (extends
>> >> AbstractPhaseInterceptor<Message> + constructor initialized with
>> >> super(Phase.UNMARSHAL);) and it works.
>> >>
>> >>
>> >>> The other thing you may want to do is to configure it with a realm
>> >>> name and if it's not set then
>> >>> do not add a realm parameter to the response.
>> >>>
>> >>
>> >> Could you explain me more your idea please.
>> >>
>> >>
>> >>>
>> >>> FYI, CXF ships JAASLoginInterceptor - which will check if Basic (or
>> >>> other similar HTTP Authorization type was set)
>> >>> and then will delegate to JAAS to do the actual authentication:
>> >>> http://cxf.apache.org/docs/security.html#Security-Authentication
>> >>>
>> >>> I propose that you create a patch in rt/core,
>> >>> org.apache.cxf.interceptor.security package, that will make it easier
>> >>> for me to move the relevant code to a rt/security module
>> >>>
>> >>
>> >> My first idea is to create a WTP sample application with my code (I have
>> >> created org.apache.cxf.interceptor.security.basic package) and send you
>> >> with sample which works.
>> >> After I could create a patch if you need.
>> >>
>> >> Regards Angelo
>> >>
>> >>>
>> >>> Thanks, Sergey
>> >>>
>> >>> On Tue, Jun 14, 2011 at 7:38 AM, Angelo zerr <angelo.zerr@gmail.com>
>> >>> wrote:
>> >>> > Hi Freeman,
>> >>> >
>> >>> > Thanks a lot for your answer. I will prepare you a contribution and send
>> >>> > you.
>> >>> >
>> >>> > Regards Angelo
>> >>> >
>> >>> > 2011/6/14 Freeman Fang <freeman.fang@gmail.com>
>> >>> >
>> >>> >> Hi,
>> >>> >>
>> >>> >> Sure, any contribution is welcome.
>> >>> >>
>> >>> >> And in CXF we also can use jetty security handler to enable basic auth
>> >>> >> which can configure the realm easily, we have a system testcase for it[1],
>> >>> >> you may wanna take a look.
>> >>> >>
>> >>> >> [1]
>> >>> >> https://svn.apache.org/repos/asf/cxf/trunk/systests/transports/src/test/java/org/apache/cxf/systest/http_jetty/JettyBasicAuthTest.java
>> >>> >> Freeman
>> >>> >>
>> >>> >> On 2011-6-13, at 11:34 PM, Angelo zerr wrote:
>> >>> >>
>> >>> >>  Hi CXF Team,
>> >>> >>>
>> >>> >>> I would like to manage WebService with HTTP Basic CXF Interceptor and I
>> >>> >>> have not found this interceptor in the CXF. So I have used the great code
>> >>> >>> from
>> >>> >>> http://chrisdail.com/2008/03/31/apache-cxf-with-http-basic-authentication/
>> >>> >>> and it works great.
>> >>> >>> I have noticed that some projects like
>> >>> >>> http://code.google.com/p/fenius/source/browse/trunk/fenius-util/src/main/java/is/glif/fenius/util/BasicAuthAuthorizationInterceptor.java?r=111
>> >>> >>> have used this code and I tell me why CXF doesn't include the
>> >>> >>> BasicAuthAuthorizationInterceptor class?
>> >>> >>>
>> >>> >>> I have modified BasicAuthAuthorizationInterceptor to delegate user/password
>> >>> >>> to another interface implementation and if you wish I could send you my
>> >>> >>> work and tell to the author of the BasicAuthAuthorizationInterceptor if he
>> >>> >>> is OK to contribute to CXF.
>> >>> >>>
>> >>> >>> Thanks a lot for your answer.
>> >>> >>>
>> >>> >>> Regards Angelo
>> >>> >>>
>> >>> >>
>> >>> >> ---------------------------------------------
>> >>> >> Freeman Fang
>> >>> >>
>> >>> >> FuseSource
>> >>> >> Email:ffang@fusesource.com
>> >>> >> Web: fusesource.com
>> >>> >> Twitter: freemanfang
>> >>> >> Blog: http://freemanfang.blogspot.com
>> >>> >>
>> >>> >>
>> >>> >
>> >>>
>> >>
>> >>
>> >
>>
>>
>>
>> --
>> Sergey Beryozkin
>>
>> Application Integration Division of Talend
>> http://sberyozkin.blogspot.com
>>
>
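
Added example, not part of Sergey's message or of the CXF code base: one way an interceptor like the one discussed in this thread could publish a SecurityContext built from SimplePrincipal, SimpleGroup and DefaultSecurityContext, as the reply above describes. The class name and the authenticate() hook are hypothetical, and sending the 401 / WWW-Authenticate response is not shown.

```java
import java.util.List;
import javax.security.auth.Subject;
import org.apache.cxf.common.security.SimpleGroup;
import org.apache.cxf.common.security.SimplePrincipal;
import org.apache.cxf.configuration.security.AuthorizationPolicy;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.interceptor.security.DefaultSecurityContext;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.security.SecurityContext;

// Hypothetical class name; this is not the patch discussed in the thread.
public abstract class BasicAuthSecurityContextInterceptor
        extends AbstractPhaseInterceptor<Message> {

    protected BasicAuthSecurityContextInterceptor() {
        super(Phase.UNMARSHAL); // the phase mentioned in the thread
    }

    // Hypothetical hook: returns the caller's role names, or null when the
    // user name / password pair is rejected.
    protected abstract List<String> authenticate(String user, String password);

    @Override
    public void handleMessage(Message message) throws Fault {
        // CXF's HTTP transport exposes parsed Basic credentials as an
        // AuthorizationPolicy on the inbound message.
        AuthorizationPolicy policy = message.get(AuthorizationPolicy.class);
        List<String> roles = (policy == null || policy.getUserName() == null)
            ? null
            : authenticate(policy.getUserName(), policy.getPassword());
        if (roles == null) {
            // Fail closed: never publish a SecurityContext for a rejected call.
            throw new SecurityException("Authentication failed");
        }

        // Wrap the user name, then represent each role as a group that
        // contains the user, which is what DefaultSecurityContext checks.
        SimplePrincipal user = new SimplePrincipal(policy.getUserName());
        Subject subject = new Subject();
        subject.getPrincipals().add(user);
        for (String role : roles) {
            subject.getPrincipals().add(new SimpleGroup(role, user.getName()));
        }
        subject.setReadOnly(); // later interceptors cannot add roles

        message.put(SecurityContext.class,
                    new DefaultSecurityContext(user, subject));
    }
}
```

With the context on the message, a role-checking interceptor placed later in the chain can call isUserInRole() on it instead of re-reading the credentials.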
