cxf-users mailing list archives

From Sergey Beryozkin <sberyoz...@gmail.com>
Subject Re: Authorization with CXF and WSS4J?
Date Mon, 03 Sep 2012 16:07:59 GMT
Hi Andrei
On 03/09/12 16:02, Andrei Shakirin wrote:
> Hi Sergey,
>
>> I wonder, should the original SecurityContext be properly populated instead? If it is a 2-way TLS, should the roles population be managed at say the Tomcat level?
>
> Normally yes, but I see some use cases (for example authentication via SAML token without TLS and role claims), where SecurityContext contains only the user principal, not roles.
> It will be nice if SimpleAuthorizingInInterceptor can take into account only the configured roles in this case. I will prepare the corresponding patch.
>
Sounds good, thanks for contributing yet another useful patch :-)

I reckon AbstractAuthorizingInInterceptor can also be tightened a bit to 
make sure SecurityContext has, at the very least, an initialized Principal.

I'll work on applying the patch in the next few days.

Cheers, Sergey

> Regards,
> Andrei.
>
> -----Original Message-----
> From: Sergey Beryozkin [mailto:sberyozkin@gmail.com]
> Sent: Monday, 3 September 2012 13:09
> To: users@cxf.apache.org
> Cc: Andrei Shakirin
> Subject: Re: Authorization with CXF and WSS4J?
>
> Hi All,
>
> On 31/08/12 10:38, Andrei Shakirin wrote:
>> Hi Mickael,
>>
>> You are right, in the current version SimpleAuthorizingInterceptor works only with a prepared SecurityContext (with resolved roles).
>
> Yes, the precondition is that SecurityContext holds all the information
> - if it does not then it cannot be overridden
>
>> The configured user roles map is checked only in addition to the roles in the context. You can restrict access in the configuration, but cannot extend it.
>
> Yes. I've added 'userRolesMap' while working on SAML authorization tests (in scope of the JAX-RS security project).
>
> We have an assertion coming in with claims allocating one or more roles to the current Subject; these claims/roles are captured within the current SecurityContext - and SimpleAuthorizingInterceptor will only let the request pass if the current SecurityContext returns true from its isUserInRole.
> Now, given that all the claims are coming from the remote entity (IDP, possibly indirectly) and these roles belong to the Subject irrespective of what resource method the Subject ultimately invokes, it may make sense to restrict the roles info in the context of the given resource method invocation to a limited sub-set - I guess something like that can be done in the future with the access management tool.
>
> So, userRolesMap is there to restrict the current SecurityContext
>
>> From my perspective it makes sense to add a Boolean configuration option to SimpleAuthorizingInInterceptor (like checkConfiguredRolesOnly). If it is activated, SimpleAuthorizingInterceptor will check only the configured roles, not the Security Context. By default the option should be switched off.
>>
>
> I wonder, should the original SecurityContext be properly populated instead? If it is a 2-way TLS, should the roles population be managed at say the Tomcat level?
>
>> Now you have following options:
>> 1) Set up your SecurityContext with appropriate roles.
>>        1.1) In SecurityTokenService
>>        1.2) In your interceptor (like JAASLoginInterceptor.java)
>> 2) Subclass AbstractAuthorizingInInterceptor with your own one, and implement an isUserInRole() method that doesn't call super.isUserInRole().
>
> Indeed, it's always possible to override/customize
>
> Thanks, Sergey
>
>>
>> Regards,
>> Andrei.
>>
>> -----Original Message-----
>> From: Mickael Marrache [mailto:Mickael.Marrache@xconnect.net]
>> Sent: Friday, 31 August 2012 10:57
>> To: users@cxf.apache.org
>> Subject: RE: Authorization with CXF and WSS4J?
>>
>> Hi Andrei,
>>
>> The statement List<String> userRoles = userRolesMap.get(sc.getUserPrincipal().getName()); present in SimpleAuthorizingInterceptor at line 44 is never called in my configuration. This is because the method isUserInRole defined in AbstractAuthorizingInterceptor is called just before (line 39 of SimpleAuthorizingInterceptor) and returns false, so the isUserInRole method of SimpleAuthorizingInterceptor always returns false at line 40.
>>
>> In fact, the map userRolesMap is never used in my configuration because isUserInRole returns before using it.
>>
>> Mickael
>>
>>
>> -----Original Message-----
>> From: Andrei Shakirin [mailto:ashakirin@talend.com]
>> Sent: Friday, 31 August 2012 11:10
>> To: users@cxf.apache.org
>> Subject: RE: Authorization with CXF and WSS4J?
>>
>> Hi Mickael,
>>
>>> After authentication takes place using the WSS4JInInterceptor, the
>>> handleMessage method of SimpleAuthorizingInterceptor is invoked. I
>>> don't understand why this configuration doesn't work. After
>>> authentication is done, we know who the caller is according to the
>>> information present in its certificate. Then, I would expect the
>>> userRolesMap to be used, so that we can know what is (are) the role(s)
>>> associated to this caller. And then, according to the caller's
>>> associated roles and the invoked method's associated role, we are
>>> able to say whether the caller is authorized or not. I don't
>>> understand what SAML comes to solve here. Also, I still don't
>>> understand what is the meaning of sending my role(s) as a caller; this
>>> is something that should be determined by the server.
>>
>> Basically your configuration should work.
>> A possible issue is that sc.getUserPrincipal().getName() is not the same as the configured user names: "client" and "admin".
>> It causes an empty userRoles list from the configured map in SimpleAuthorizingInInterceptor:
>>     List<String> userRoles = userRolesMap.get(sc.getUserPrincipal().getName());
>> Could you check it in the debugger?
>>
>> Regards,
>> Andrei.
>>
>> -----Original Message-----
>> From: Andrei Shakirin [mailto:ashakirin@talend.com]
>> Sent: Thursday, 30 August 2012 17:19
>> To: users@cxf.apache.org
>> Subject: RE: Authorization with CXF and WSS4J?
>>
>> Hi Mickael,
>>
>>> I know that I'm missing something here related to the
>>> TAG_SAML_ASSERTION. Maybe the caller has to provide its role inside
>>> the SOAP message? If yes, I don't understand why; the caller should only know its identity, the roles are more for the server side, which checks if the caller's identity is associated to the expected roles.
>>
>> Yep, correct.
>> SAML has an extension mechanism, where it is possible to define additional attribute statements.
>> In some scenarios it is really the case that the STS service not only authenticates the user and issues a SAML token with an Authentication statement, but also maps the user to a role and inserts the role as an attribute statement in the SAML. The STS service has appropriate claims/attribute statement extension points to do it (see as a sample http://svn.apache.org/repos/asf/cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/common/CustomClaimsHandler.java).
>> Therefore WSS4JInInterceptor tries to get roles from the SAML.
>>
>> You can follow this approach and extend STS to do the user -> roles mapping.
>> The other option is to do it in your own interceptor. As a basis you can look at JAASLoginInterceptor and RolePrefixedSecurityContextImpl, which just adds the ROLE_ prefix to the user name and interprets it as a role (http://svn.apache.org/repos/asf/cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/JAASLoginInterceptor.java).
>>
>> Regards,
>> Andrei.
>>
>>
>> -----Original Message-----
>> From: Mickael Marrache [mailto:Mickael.Marrache@xconnect.net]
>> Sent: Thursday, 30 August 2012 13:26
>> To: users@cxf.apache.org
>> Subject: RE: Authorization with CXF and WSS4J?
>>
>> Hi Andrei,
>>
>> Thanks for your helpful answer.
>>
>> I'm trying to use the Interceptors provided by CXF but I get the following issue:
>>
>> In the WSS4JInInterceptor, when the method doResults is called to construct the security result, at line 482, the condition o.get(WSSecurityEngineResult.TAG_SAML_ASSERTION) != null is false for me, so the createSecurityContext method is called without the roles (which causes createSecurityContext to be called with null roles). So, when sc.isUserInRole(role) is called in AbstractAuthorizingInterceptor at line 100, it always returns false, so the call to isUserInRole(sc, expectedRoles, false) in AbstractAuthorizingInterceptor at line 84 also returns false, and the client is then never authorized.
>>
>> I know that I'm missing something here related to the TAG_SAML_ASSERTION. Maybe the caller has to provide its role inside the SOAP message? If yes, I don't understand why; the caller should only know its identity, the roles are more for the server side, which checks if the caller's identity is associated to the expected roles.
>>
>> Thanks,
>> Mickael
>>
>> -----Original Message-----
>> From: Andrei Shakirin [mailto:ashakirin@talend.com]
>> Sent: Wednesday, August 29, 2012 4:36 PM
>> To: users@cxf.apache.org
>> Subject: RE: Authorization with CXF and WSS4J?
>>
>> Hi Mickael,
>>
>> You can use CXF AbstractAuthorizingInInterceptor and SimpleAuthorizingInInterceptor as a basis:
>> http://svn.apache.org/viewvc/cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/AbstractAuthorizingInInterceptor.java
>> http://svn.apache.org/viewvc/cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/SimpleAuthorizingInterceptor.java
>>
>> The idea is the following: SimpleAuthorizingInInterceptor is configured with a methods-roles map. The interceptor validates whether a user in a given role has permission to access the method.
>>
>> There is a sample configuration in
>> http://svn.apache.org/viewvc/cxf/trunk/systests/jaxrs/src/test/resources/jaxrs_jaas_security/WEB-INF/beans.xml
>>
>> It can be a good starting point for your task.
>>
>> Regards,
>> Andrei.
>>
>> -----Original Message-----
>> From: Mickael Marrache [mailto:Mickael.Marrache@xconnect.net]
>> Sent: Wednesday, 29 August 2012 10:39
>> To: users@cxf.apache.org
>> Subject: Authorization with CXF and WSS4J?
>>
>> Hi,
>>
>> I'm looking for a way to implement web service authorization with CXF but I can't find anything in the CXF documentation, nor on the web. I would like to define roles, and to specify for each web method which roles are authorized...
>> I've looked at the different WS-* support in the doc, especially WS-Security, WS-SecurityPolicy and WS-Policy, but I don't understand how these can be used for authorization.
>>
>> Please, provide me some links in case it is possible.
>>
>> Thanks
>
>
> --
> Sergey Beryozkin
>
> Talend Community Coders
> http://coders.talend.com/
>
> Blog: http://sberyozkin.blogspot.com

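Added example (not code from this thread or from CXF): a standalone Java model of the authorization decision the thread describes, showing the current behaviour (the SecurityContext must grant the role and userRolesMap can only narrow it) beside the proposed checkConfiguredRolesOnly mode. The SecurityContext interface, the RoleCheckModel class, the option name and the sample map contents are constructed for this illustration.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
// Added standalone model of the decision discussed in the thread; this is not CXF code.
// SecurityContext here is a hypothetical stand-in exposing only the two methods the thread relies on.
interface SecurityContext {
    Principal getUserPrincipal();
    boolean isUserInRole(String role);
}
public class RoleCheckModel {
    private final Map<String, List<String>> methodRolesMap; // method name -> roles allowed to invoke it
    private final Map<String, List<String>> userRolesMap;   // user name -> roles granted by configuration
    private final boolean checkConfiguredRolesOnly;         // the option proposed in the thread (name assumed)
    RoleCheckModel(Map<String, List<String>> methodRoles, Map<String, List<String>> userRoles,
                   boolean configuredOnly) {
        this.methodRolesMap = methodRoles;
        this.userRolesMap = userRoles;
        this.checkConfiguredRolesOnly = configuredOnly;
    }
    boolean isAuthorized(SecurityContext sc, String method) {
        List<String> expected = methodRolesMap.get(method);
        if (expected == null || sc.getUserPrincipal() == null) {
            return false; // deny when the method has no configured roles or no principal was established
        }
        List<String> configured = userRolesMap.get(sc.getUserPrincipal().getName());
        for (String role : expected) {
            boolean inConfig = configured != null && configured.contains(role);
            if (checkConfiguredRolesOnly) {
                if (inConfig) { return true; }      // proposed mode: the configured map alone decides
            } else if (sc.isUserInRole(role)) {     // current behaviour: the context must grant the role...
                if (userRolesMap.isEmpty() || inConfig) { return true; } // ...and the map may only narrow it
            }
        }
        return false; // a principal with no roles in the context always ends here in the current mode
    }
    public static void main(String[] args) {
        // Constructed sample: the caller authenticated as "client", but the context carries no roles.
        SecurityContext noRoles = new SecurityContext() {
            public Principal getUserPrincipal() { return () -> "client"; }
            public boolean isUserInRole(String role) { return false; }
        };
        Map<String, List<String>> methodRoles = Map.of("getBalance", Arrays.asList("client", "admin"));
        Map<String, List<String>> userRoles = Map.of("client", Arrays.asList("client"));
        System.out.println("current mode: " + new RoleCheckModel(methodRoles, userRoles, false).isAuthorized(noRoles, "getBalance"));
        System.out.println("configured-only: " + new RoleCheckModel(methodRoles, userRoles, true).isAuthorized(noRoles, "getBalance"));
    }
}
```

The first run reproduces the denial Mickael observed (principal present, no roles in the context); the second shows the configuration-only mode letting the same caller through on the strength of userRolesMap alone.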
