cxf-users mailing list archives
From Christian Müller <christian.muel...@gmail.com>
Subject Re: Apache CXF + WSS4J + Authentication failed counter
Date Sat, 14 Sep 2013 10:04:05 GMT
Hi Colm!

Thanks for taking the time to answer my question. This was exactly what I was
looking for (and I didn't know it).

Best,
Christian
-----------------

Software Integration Specialist

Apache Camel committer: https://camel.apache.org/team
V.P. Apache Camel: https://www.apache.org/foundation/
Apache Member: https://www.apache.org/foundation/members.html

https://www.linkedin.com/pub/christian-mueller/11/551/642


On Fri, Sep 13, 2013 at 11:19 AM, Colm O hEigeartaigh
<coheigea@apache.org>wrote:

> Hi Christian,
>
> I would recommend writing your own Validator (or extending the existing one
> in WSS4J) for UsernameTokens. WSS4J sends tokens to a Validator instance
> for validation:
>
>
> http://svn.apache.org/viewvc/webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/validate/Validator.java?view=markup
>
> Here is the default UsernameTokenValidator:
>
>
> http://svn.apache.org/viewvc/webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/validate/UsernameTokenValidator.java?view=markup
>
> So I would recommend adding in some functionality to a subclass of the
> UsernameTokenValidator to perform your requirements. You can configure your
> Validator in CXF via the "ws-security.ut.validator" tag:
>
> http://cxf.apache.org/docs/ws-securitypolicy.html
>
> Colm.
>
>
> On Fri, Sep 13, 2013 at 12:03 AM, Christian Müller <
> christian.mueller@gmail.com> wrote:
>
> > We are using the Apache Camel CXF component (Camel 2.10.x and CXF 2.6.x)
> > to expose web services to our customers. We are securing these services by
> > using HTTPS and WS-Security (user name and password token). Everything
> > works well so far.
> >
> > After an external audit, we got the new requirement to monitor the
> > authentication failed attempts per user and block the user, if the
> > authentication failed counter reached a (configurable) limit.
> >
> > 1) Do we have such a functionality in a "special" WSS4JInInterceptor?
> > 2) If not, which solution would you recommend?
> >     a) Extending the WSS4JInInterceptor - isn't as easy as it should be
> > to fulfill my needs.
> >     b) Writing our own interceptors. An in-interceptor to check whether the
> > user is already blocked and to store the user name in a thread local. An
> > out-interceptor to increase the failed counter (if the authentication
> > failed) or to reset the failed counter (if the authentication was
> > successful).
> >     c) Something different?
> >
> > [1] http://cxf.apache.org/docs/ws-security.html
> >
> > Thanks in advance,
> > Christian
> > -----------------
> >
> > Software Integration Specialist
> >
> > Apache Camel committer: https://camel.apache.org/team
> > V.P. Apache Camel: https://www.apache.org/foundation/
> > Apache Member: https://www.apache.org/foundation/members.html
> >
> > https://www.linkedin.com/pub/christian-mueller/11/551/642
> >
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>

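The approach Colm recommends above, as an added example that is not part of the thread and not code from WSS4J or CXF: a subclass of the WSS4J 1.6.x `UsernameTokenValidator` that delegates the password check to the parent class, counts failed authentications per user name, and refuses further attempts for that user once a configurable limit is reached. The package name, class name and constructor argument are assumptions; the WSS4J types (`Credential`, `RequestData`, `WSSecurityException.FAILED_AUTHENTICATION`) are those of the 1.6.x branch the links above point to.

```java
package com.example.wssec; // hypothetical package name

import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.concurrent.atomic.AtomicInteger;

import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.validate.Credential;
import org.apache.ws.security.validate.UsernameTokenValidator;

/**
 * Added example (not from WSS4J, CXF or the thread): a WSS4J 1.6.x
 * UsernameTokenValidator that counts failed password checks per user name and
 * rejects further attempts for that user once a configurable limit is reached.
 */
public class LockoutUsernameTokenValidator extends UsernameTokenValidator {

    private final int maxFailures;
    // Per-JVM state; a clustered deployment needs a shared store instead.
    private final ConcurrentMap<String, AtomicInteger> failures =
        new ConcurrentHashMap<String, AtomicInteger>();

    public LockoutUsernameTokenValidator(int maxFailures) {
        if (maxFailures < 1) {
            throw new IllegalArgumentException("maxFailures must be >= 1");
        }
        this.maxFailures = maxFailures;
    }

    @Override
    public Credential validate(Credential credential, RequestData data)
        throws WSSecurityException {
        if (credential == null || credential.getUsernametoken() == null) {
            throw new WSSecurityException(WSSecurityException.FAILURE, "noCredential");
        }
        String user = credential.getUsernametoken().getName();
        if (user == null || user.length() == 0) {
            throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
        }

        if (isBlocked(user)) {
            // Same error code as a wrong password: the caller must not be able
            // to tell a locked account from a bad credential.
            throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
        }

        try {
            // The actual password/digest check stays in WSS4J's default logic,
            // which uses the CallbackHandler configured on the endpoint.
            Credential result = super.validate(credential, data);
            failures.remove(user); // a successful authentication resets the counter
            return result;
        } catch (WSSecurityException e) {
            if (e.getErrorCode() == WSSecurityException.FAILED_AUTHENTICATION) {
                recordFailure(user);
            }
            throw e;
        }
    }

    public boolean isBlocked(String user) {
        AtomicInteger count = failures.get(user);
        return count != null && count.get() >= maxFailures;
    }

    public int failureCount(String user) {
        AtomicInteger count = failures.get(user);
        return count == null ? 0 : count.get();
    }

    /** Administrative unlock; the thread does not say how unlocking should work. */
    public void reset(String user) {
        failures.remove(user);
    }

    private void recordFailure(String user) {
        AtomicInteger count = failures.get(user);
        if (count == null) {
            AtomicInteger fresh = new AtomicInteger();
            count = failures.putIfAbsent(user, fresh);
            if (count == null) {
                count = fresh;
            }
        }
        count.incrementAndGet();
    }
}
```

Register an instance on the endpoint under the `ws-security.ut.validator` property Colm mentions (in Spring, an `<entry key="ws-security.ut.validator">` inside `<jaxws:properties>` whose value is a bean of this class constructed with the limit). Two caveats a practitioner should weigh before shipping this: the counter is keyed by the client-supplied user name, so anyone who knows a valid name can lock that account out by sending bad passwords, which argues for a time-based automatic unlock and an alert rather than a permanent block; and the map grows with every name an attacker invents, so bound it or expire entries.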