cxf-users mailing list archives
From Mickael Marrache <Mickael.Marra...@xconnect.net>
Subject RE: Authorization with CXF and WSS4J?
Date Fri, 31 Aug 2012 08:56:41 GMT
Hi Andrei,

The statement List<String> userRoles = userRolesMap.get(sc.getUserPrincipal().getName());
present in SimpleAuthorizingInterceptor at line 44 is never called in my configuration. This
is because the method isUserInRole defined in AbstractAuthorizingInterceptor is called just
before (line 39 of SimpleAuthorizingInterceptor) and returns false, so the isUserInRole method
of SimpleAuthorizingInterceptor always returns false at line 40.

In fact, the map userRolesMap is never used in my configuration because isUserInRole returns
before using it.

Mickael


-----Original Message-----
From: Andrei Shakirin [mailto:ashakirin@talend.com]
Sent: Friday, 31 August 2012 11:10
To: users@cxf.apache.org
Subject: RE: Authorization with CXF and WSS4J?

Hi Mickael,

> After authentication takes place using the WSS4JInInterceptor, the handleMessage method
> of SimpleAuthorizingInterceptor is invoked. I don't understand why this configuration
> doesn't work. After authentication is done, we know who the caller is according to the
> information present in its certificate. Then, I would expect the userRolesMap to be used,
> so that we can know what is(are) the role(s) associated to this caller. And then, according
> to these caller's associated roles and the invoked method's associated role, we are able to
> say that the caller is authorized or not. I don't understand what SAML comes to solve here.
> Also, I still don't understand what is the meaning of sending my role(s) as a caller, this
> is something that should be determined by the server.

Basically your configuration should work.
A possible issue is that sc.getUserPrincipal().getName() is not the same as the configured user
names: "client" and "admin".
It causes an empty userRoles list from the configured map in SimpleAuthorizingInInterceptor:
            List<String> userRoles = userRolesMap.get(sc.getUserPrincipal().getName());

Could you check it in debugger?

Regards,
Andrei.

-----Original Message-----
From: Andrei Shakirin [mailto:ashakirin@talend.com]
Sent: Thursday, 30 August 2012 17:19
To: users@cxf.apache.org
Subject: RE: Authorization with CXF and WSS4J?

Hi Mickael,

> I know that I'm missing something here related to the TAG_SAML_ASSERTION. Maybe the caller
> has to provide its role inside the SOAP message? If yes, I don't understand why, the caller
> should only know its identity, the roles are more for the server side which checks if the
> caller's identity is associated to expected roles.

Yep, correct.
SAML has an extension mechanism, where it is possible to define additional attribute statements.

In some scenarios it is really the case that the STS service not only authenticates the user and
issues a SAML token with an Authentication statement, but also maps the user to a role and inserts
the role as an attribute statement in the SAML. The STS service has appropriate claims/attribute
statement extension points to do it (see as a sample
http://svn.apache.org/repos/asf/cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/common/CustomClaimsHandler.java).
Therefore WSS4JInInterceptor tries to get roles from the SAML.

You can follow this approach and extend the STS to do the user -> roles mapping.
Another option is to do it in your own interceptor. As a basis you can look at JAASLoginInterceptor
and RolePrefixedSecurityContextImpl, which just adds a ROLE_ prefix to the user name and interprets
it as a role
(http://svn.apache.org/repos/asf/cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/JAASLoginInterceptor.java).

Regards,
Andrei.


-----Original Message-----
From: Mickael Marrache [mailto:Mickael.Marrache@xconnect.net]
Sent: Thursday, 30 August 2012 13:26
To: users@cxf.apache.org
Subject: RE: Authorization with CXF and WSS4J?

Hi Andrei,

Thanks for your helpful answer.

I'm trying to use the Interceptors provided by CXF but I get the following issue:

In the WSS4JInInterceptor, when the method doResults is called to construct the security result,
at line 482, the condition o.get(WSSecurityEngineResult.TAG_SAML_ASSERTION) != null is false
for me, so the createSecurityContext method is called without the roles (which causes
createSecurityContext to be called with null roles). So, when sc.isUserInRole(role) is called in
AbstractAuthorizingInterceptor at line 100, it always returns false, so the call to
isUserInRole(sc, expectedRoles, false) in AbstractAuthorizingInterceptor at line 84 also returns
false, and the client is then never authorized.

I know that I'm missing something here related to the TAG_SAML_ASSERTION. Maybe the caller
has to provide its role inside the SOAP message? If yes, I don't understand why, the caller
should only know its identity, the roles are more for the server side which checks if the caller's
identity is associated to expected roles.

Thanks,
Mickael

-----Original Message-----
From: Andrei Shakirin [mailto:ashakirin@talend.com]
Sent: Wednesday, August 29, 2012 4:36 PM
To: users@cxf.apache.org
Subject: RE: Authorization with CXF and WSS4J?

Hi Mickael,

You can use CXF AbstractAuthorizingInInterceptor and SimpleAuthorizingInInterceptor as a basis:
http://svn.apache.org/viewvc/cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/AbstractAuthorizingInInterceptor.java
http://svn.apache.org/viewvc/cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/SimpleAuthorizingInterceptor.java

The idea is the following: SimpleAuthorizingInInterceptor is configured with a methods-to-roles map.
The interceptor validates whether the user in a given role has permission to access the method.

There is a sample configuration in
http://svn.apache.org/viewvc/cxf/trunk/systests/jaxrs/src/test/resources/jaxrs_jaas_security/WEB-INF/beans.xml

It can be a good starting point for your task.

Regards,
Andrei.
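The two suggestions Andrei makes in this thread (wire SimpleAuthorizingInterceptor with a methods-to-roles map, and, instead of carrying roles in the SAML token, resolve them server-side in your own interceptor as JAASLoginInterceptor does) can be combined as follows. This is an added example written for this page, not code from the thread or from CXF itself. It assumes CXF 2.x interceptor and SecurityContext APIs; the class names RoleMappingInterceptor and MappedRolesSecurityContext, the method names getAccount/deleteAccount, and the two user entries are all constructed for the example. The map keys must equal whatever sc.getUserPrincipal().getName() returns after WSS4J authentication (for X.509 that is typically the certificate subject, which is exactly the mismatch Andrei asks to check in the debugger).

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.interceptor.security.AccessDeniedException;
import org.apache.cxf.interceptor.security.SimpleAuthorizingInterceptor;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.security.SecurityContext;

/**
 * Hypothetical interceptor (not part of CXF). It runs in PRE_INVOKE, i.e. after
 * WSS4JInInterceptor (PRE_PROTOCOL) has authenticated the caller and before
 * SimpleAuthorizingInterceptor. It keeps the authenticated Principal but replaces
 * the role-less SecurityContext with one whose roles come from a server-side map,
 * so roles are never taken from anything the caller sends.
 */
public class RoleMappingInterceptor extends AbstractPhaseInterceptor<Message> {

    private final Map<String, List<String>> userRoles;

    public RoleMappingInterceptor(Map<String, List<String>> userRoles) {
        super(Phase.PRE_INVOKE);
        // Same phase as the authorizer, so an explicit ordering is required.
        addBefore(SimpleAuthorizingInterceptor.class.getName());
        this.userRoles = userRoles;
    }

    public void handleMessage(Message message) throws Fault {
        SecurityContext current = message.get(SecurityContext.class);
        if (current == null || current.getUserPrincipal() == null) {
            // WSS4J did not authenticate anyone: fail closed.
            throw new AccessDeniedException("No authenticated principal");
        }
        message.put(SecurityContext.class,
                    new MappedRolesSecurityContext(current.getUserPrincipal(), userRoles));
    }

    /** SecurityContext whose isUserInRole answers only from the server-side map. */
    static final class MappedRolesSecurityContext implements SecurityContext {
        private final Principal principal;
        private final List<String> roles;

        MappedRolesSecurityContext(Principal principal, Map<String, List<String>> userRoles) {
            this.principal = principal;
            List<String> mapped = userRoles.get(principal.getName());
            // Unknown user -> no roles -> every role check is false -> access denied.
            this.roles = mapped == null ? Collections.<String>emptyList() : mapped;
        }

        public Principal getUserPrincipal() {
            return principal;
        }

        public boolean isUserInRole(String role) {
            return roles.contains(role);
        }
    }

    /**
     * Programmatic equivalent of the beans.xml wiring: a methods-to-roles map for
     * the authorizer plus the user-to-roles map for the interceptor above.
     * User and method names are constructed for this example.
     */
    public static void registerOn(org.apache.cxf.endpoint.Server server) {
        Map<String, List<String>> users = new HashMap<String, List<String>>();
        users.put("CN=client,O=Example", Arrays.asList("client"));
        users.put("CN=admin,O=Example", Arrays.asList("client", "admin"));

        Map<String, String> methodRoles = new HashMap<String, String>();
        methodRoles.put("getAccount", "client admin");   // space-separated role list
        methodRoles.put("deleteAccount", "admin");

        SimpleAuthorizingInterceptor authz = new SimpleAuthorizingInterceptor();
        authz.setMethodRolesMap(methodRoles);

        server.getEndpoint().getInInterceptors().add(new RoleMappingInterceptor(users));
        server.getEndpoint().getInInterceptors().add(authz);
    }
}
```

With this in place the userRolesMap of SimpleAuthorizingInterceptor is not needed: as the top of the thread observes, that map is only an additional check applied after the SecurityContext's own isUserInRole has already passed, so it cannot supply roles to a context that has none. A user absent from the server-side map gets an empty role list and is denied on every method, which is the safe default.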

-----Original Message-----
From: Mickael Marrache [mailto:Mickael.Marrache@xconnect.net]
Sent: Wednesday, 29 August 2012 10:39
To: users@cxf.apache.org
Subject: Authorization with CXF and WSS4J?

Hi,

I'm looking for a way to implement web service authorization with CXF but I can't find anything
in the CXF documentation, nor on the web. I would like to define roles, and to specify for
each web method which roles are authorized...
I've looked at the different WS-* support in the doc, especially WS-Security, WS-SecurityPolicy
and WS-Policy, but I don't understand how these can be used for authorization.

Please provide me some links in case it is possible.

Thanks
