X-Received: by 10.66.74.2 with SMTP id p2mr17985921pav.55.1361786078108; Mon, 25 Feb 2013 01:54:38 -0800 (PST) Received: from [192.168.1.101] ([123.122.4.230]) by mx.google.com with ESMTPS id a4sm13178564paw.21.2013.02.25.01.54.35 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 25 Feb 2013 01:54:37 -0800 (PST) From: Freeman Fang Mime-Version: 1.0 (Apple Message framework v1280) Content-Type: multipart/alternative; boundary="Apple-Mail=_10EDF9FC-66CE-4839-AF39-4DBB4B9B275E" Subject: Re: Security for WS & REST clients Date: Mon, 25 Feb 2013 17:54:30 +0800 In-Reply-To: To: users@cxf.apache.org References: Message-Id: <4BA3A16C-1A9B-4569-93B0-C22D15C7C5B4@gmail.com> X-Mailer: Apple Mail (2.1280) X-Virus-Checked: Checked by ClamAV on apache.org --Apple-Mail=_10EDF9FC-66CE-4839-AF39-4DBB4B9B275E Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=utf-8 Hi, My comment inline =EF=BC=8D=EF=BC=8D=EF=BC=8D=EF=BC=8D=EF=BC=8D=EF=BC=8D=EF=BC=8D=EF=BC=8D=EF= =BC=8D=EF=BC=8D=EF=BC=8D=EF=BC=8D=EF=BC=8D Freeman(Yue) Fang Red Hat, Inc.=20 FuseSource is now part of Red Hat Web: http://fusesource.com | http://www.redhat.com/ Twitter: freemanfang Blog: http://freemanfang.blogspot.com http://blog.sina.com.cn/u/1473905042 weibo: @Freeman=E5=B0=8F=E5=B1=8B On 2013-2-25, at =E4=B8=8B=E5=8D=885:01, Jose Mar=C3=ADa Zaragoza wrote: > Hi: >=20 > I'm newbie by using CXF framework and I'd like to take the best choice > about security matters ( authorization/authentication ) > Maybe more expert users can help me. >=20 >=20 > I need to develop JAX-WS (SOAP/HTTP) and JAX-RS (XML/JSON/HTTP) > services and I need to get the client ID who is calling that web > service for loading custom config files by client profile/role . > Sometimes, it will be the same implementation but different prococol > binding ( I think CXF framework allows this feature ) >=20 >=20 > 1) >=20 > I would like to use a standard authetication/authorization model. 
> I've seen WS-Security but I think that it only works with SOAP > messages, am I wrong ? could it be used with REST client/services? Yes, the UsernameToken ws-security stuff is based on SOAP message so it = won't work with REST typically. >=20 >=20 > 2) >=20 > Other choice is use HTTP Authentication , For example, I could use > Realm mechanism implemented by Tomcat to authenticate users > That is supported by SOAP/HTTP and REST/JSON//HTTP clients >=20 > Could I retrieve client ID ( Principal ) from WebserviceContext with > HTTP Authentication ? > Do i need to get HTTPRequest to get client ID ? Yeah, you can use HTTP basic auth both for SOAP and REST service You can simply use = org.apache.cxf.interceptor.security.JAASLoginInterceptor, which can = retrieve username/password from Http Basic auth and create = SecurityContext accordingly and delegate to your container jaas(tomcat, = karaf, etc) >=20 >=20 > 3) >=20 > As I told you, I want to load custom config files by client > profile/role calling a service > Could I to implement this by a interceptor and this interceptor > updates 'service call' with custom values ? > What is the best way to face this issue ? >=20 yeah, an interceptor usually is the way to go > I want to perform something like Filters (Servlet) and update requests > context with custom info by client/user/role >=20 >=20 > Thanks > Best regards --Apple-Mail=_10EDF9FC-66CE-4839-AF39-4DBB4B9B275E--
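
The approach from points 2 and 3 of the reply, as an added example that is not part of the original thread and not CXF's own code: an in-interceptor that runs after JAASLoginInterceptor, reads the authenticated principal from the SecurityContext, and attaches that client's profile to the exchange. The class name `ClientProfileInterceptor`, the key `PROFILE_KEY` and the `/profiles/<client>.properties` classpath layout are hypothetical, and it assumes JAASLoginInterceptor is registered in its default phase (UNMARSHAL), so PRE_INVOKE runs after it.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.Principal;
import java.util.Properties;
import java.util.regex.Pattern;

import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.interceptor.security.AccessDeniedException;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.security.SecurityContext;

/** Hypothetical interceptor: attaches a per-client profile to the exchange. */
public class ClientProfileInterceptor extends AbstractPhaseInterceptor<Message> {

    /** Hypothetical exchange key that service code reads the profile from. */
    public static final String PROFILE_KEY = "example.client.profile";

    // The principal name becomes part of a resource path, so restrict it.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9_-]{1,64}");

    public ClientProfileInterceptor() {
        // Assumption: JAASLoginInterceptor runs in UNMARSHAL, before PRE_INVOKE.
        super(Phase.PRE_INVOKE);
    }

    @Override
    public void handleMessage(Message message) throws Fault {
        SecurityContext sc = message.get(SecurityContext.class);
        Principal user = (sc == null) ? null : sc.getUserPrincipal();
        String name = (user == null) ? null : user.getName();
        // Fail closed: no authenticated, well-formed client ID means no call.
        if (name == null || !SAFE_NAME.matcher(name).matches()) {
            throw new AccessDeniedException("No usable authenticated principal");
        }
        // Assumed layout: /profiles/<client>.properties on the classpath.
        Properties profile = new Properties();
        try (InputStream in = ClientProfileInterceptor.class
                .getResourceAsStream("/profiles/" + name + ".properties")) {
            if (in == null) {
                throw new AccessDeniedException("No profile for authenticated client");
            }
            profile.load(in);
        } catch (IOException e) {
            throw new Fault(e);
        }
        // Same exchange for JAX-WS and JAX-RS endpoints, so one lookup serves both.
        message.getExchange().put(PROFILE_KEY, profile);
    }
}
```

Service code can read the profile back with `PhaseInterceptorChain.getCurrentMessage().getExchange().get(ClientProfileInterceptor.PROFILE_KEY)`. Both interceptors have to be registered as in-interceptors on each endpoint that needs them.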