cxf-users mailing list archives

From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: Apache CXF + WSS4J + Authentication failed counter
Date Fri, 13 Sep 2013 09:19:08 GMT
Hi Christian,

I would recommend writing your own Validator (or extending the existing one
in WSS4J) for UsernameTokens. WSS4J sends tokens to a Validator instance
for validation:

http://svn.apache.org/viewvc/webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/validate/Validator.java?view=markup

Here is the default UsernameTokenValidator:

http://svn.apache.org/viewvc/webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/validate/UsernameTokenValidator.java?view=markup

So I would recommend adding in some functionality to a subclass of the
UsernameTokenValidator to perform your requirements. You can configure your
Validator in CXF via the "ws-security.ut.validator" tag:

http://cxf.apache.org/docs/ws-securitypolicy.html

Colm.


On Fri, Sep 13, 2013 at 12:03 AM, Christian Müller <
christian.mueller@gmail.com> wrote:

> We are using the Apache Camel CXF component (Camel 2.10.x and CXF 2.6.x) to
> expose web services to our customers. We are securing these services by
> using HTTPS and WS-Security (user name and password token). Everything
> works well so far.
>
> After an external audit, we got the new requirement to monitor the
> authentication failed attempts per user and block the user, if the
> authentication failed counter reached a (configurable) limit.
>
> 1) Do we have such a functionality in a "special" WSS4JInInterceptor?
> 2) If not, which solution would you recommend?
>     a) Extending the WSS4JInInterceptor - isn't as easy as it maybe should be to
> fulfill my needs.
>     b) Writing our own interceptors. An in-interceptor to check whether
> user is already blocked and to store the user name in a thread local. An
> out-interceptor to increase the failed counter (if the authentication
> failed) or to reset the failed counter (if the authentication was
> successful).
>     c) Somehow different?
>
> [1] http://cxf.apache.org/docs/ws-security.html
>
> Thanks in advance,
> Christian
> -----------------
>
> Software Integration Specialist
>
> Apache Camel committer: https://camel.apache.org/team
> V.P. Apache Camel: https://www.apache.org/foundation/
> Apache Member: https://www.apache.org/foundation/members.html
>
> https://www.linkedin.com/pub/christian-mueller/11/551/642
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
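
Added example, not part of the original message and not WSS4J or CXF project code: a sketch of the suggested UsernameTokenValidator subclass for WSS4J 1.6.x that counts failed attempts per user and blocks the user at a limit. The class name `LockoutUsernameTokenValidator`, the `maxFailures` setter and its default of 5 are hypothetical, and the in-memory map is an assumption standing in for a persistent user store. An instance would be registered through the "ws-security.ut.validator" setting mentioned above.

```java
// Added example: per-user failed-login counter on top of WSS4J 1.6.x validation.
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.concurrent.atomic.AtomicInteger;

import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.validate.Credential;
import org.apache.ws.security.validate.UsernameTokenValidator;

public class LockoutUsernameTokenValidator extends UsernameTokenValidator {

    // In-memory only: counters are lost on restart and not shared across nodes.
    // Keys are client-supplied names, so a real deployment should count only
    // known accounts (or bound the map) and persist state in the user store.
    private final ConcurrentMap<String, AtomicInteger> failures =
        new ConcurrentHashMap<String, AtomicInteger>();

    private volatile int maxFailures = 5; // assumed default for the configurable limit

    public void setMaxFailures(int maxFailures) {
        this.maxFailures = maxFailures;
    }

    @Override
    public Credential validate(Credential credential, RequestData data)
        throws WSSecurityException {
        if (credential == null || credential.getUsernametoken() == null
            || credential.getUsernametoken().getName() == null) {
            throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
        }
        String user = credential.getUsernametoken().getName();

        // Reject blocked users before the password is checked, using the same
        // fault as a wrong password so the response does not reveal lockout state.
        AtomicInteger count = failures.get(user);
        if (count != null && count.get() >= maxFailures) {
            throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
        }
        try {
            Credential validated = super.validate(credential, data);
            failures.remove(user); // a successful login resets the counter
            return validated;
        } catch (WSSecurityException e) {
            AtomicInteger fresh = new AtomicInteger();
            AtomicInteger current = failures.putIfAbsent(user, fresh);
            (current != null ? current : fresh).incrementAndGet();
            throw e;
        }
    }
}
```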
