cxf-users mailing list archives

From Colm O hEigeartaigh <>
Subject Re: Apache CXF + WSS4J + Authentication failed counter
Date Fri, 13 Sep 2013 09:19:08 GMT
Hi Christian,

I would recommend writing your own Validator (or extending the existing one
in WSS4J) for UsernameTokens. WSS4J sends tokens to a Validator instance
for validation:

Here is the default UsernameTokenValidator:

So I would recommend adding in some functionality to a subclass of the
UsernameTokenValidator to perform your requirements. You can configure your
Validator in CXF via the "ws-security.ut.validator" tag:


On Fri, Sep 13, 2013 at 12:03 AM, Christian Müller <> wrote:

> We are using the Apache Camel CXF component (Camel 2.10.x and CXF 2.6.x) to
> expose web services to our customers. We are securing these services by
> using HTTPS and WS-Security (user name and password token). Everything
> works well so far.
> After an external audit, we got the new requirement to monitor the
> authentication failed attempts per user and block the user, if the
> authentication failed counter reached a (configurable) limit.
> 1) Do we have such a functionality in a "special" WSS4JInInterceptor?
> 2) If not, which solution would you recommend?
>     a) Extending the WSS4JInInterceptor - isn't as easy as it may should to
> fulfill my needs.
>     b) Writing our own interceptors. An in-interceptor to check whether
> user is already blocked and to store the user name in a thread local. An
> out-interceptor to increase the failed counter (if the authentication
> failed) or to reset the failed counter (if the authentication was
> successful).
>     c) Somehow different?
> [1]
> Thanks in advance,
> Christian
> -----------------
> Software Integration Specialist
> Apache Camel committer:
> V.P. Apache Camel:
> Apache Member:

Colm O hEigeartaigh

Talend Community Coder
