cxf-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Taariq Levack <taar...@gmail.com>
Subject CXF and Spring for Authentication and Authorization
Date Fri, 03 Feb 2012 05:45:20 GMT
Hi

I have an existing web app using Spring Security and LDAP for
authentication and authorization.
Now we want some web services to be secured using UsernameToken and SSL.

I also want it to reuse the existing spring method level security, this
user's role cannot use commit() for instance, this seems easy enough with
the SecureAnnotationsInterceptor.

I've also noticed in the new CXF that the password must be supplied to be
evaluated, rather than it being provided
for authentication.
Now I can look up the password in LDAP, but aside from it not being
plaintext like the web service user,
it doesn't perform a login on LDAP of course and we'd like that history of
logins and everything else LDAP provides.

There's a project called
cxf-spring-security<http://code.google.com/p/cxf-spring-security/>which
hasn't been touched for a long time, I don't know if it's been
integrated
into CXF yet or will be.

The CXF security docs[1] say you can use  a custom
"AbstractUsernameTokenInterceptor" and postpost the validation of the
username token with "ws-security.ut.no-callbacks" and then do the custom
authentication and Subject creation, but this class no longer exists, at
least not in trunk nor the 2.4.4 release I'm using at the moment. I do have
wss4j in the pom too.

I also see the JAASLoginInterceptor in the docs but I'm using the
LdapAuthenticationProvider and not a JAAS provider so I don't think that's
relevant yet, but correct me if I'm wrong please.

So to sum up I can use the callback no problem, but I don't see how I'm
supposed to perform login yet.
And once authenticated, I need the security context populated so that
Spring can do method level security, but maybe here I'm misunderstanding
and CXF is going to do this using SimpleAuthorizingInterceptor, which is
populated instead from whatever SpringSecurity returns after authentication.

[1] http://cxf.apache.org/docs/security.html

Thanks in advance,
Taariq

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message