geronimo-dev mailing list archives

From "rahul.soa" <rahul....@googlemail.com>
Subject Re: [UsernameToken] WS-Security at Server Side in Geronimo
Date Tue, 14 Jul 2009 19:15:05 GMT
Hello David,

Thanks for your email, it gives a good indication of where to start. I am looking into
the Geronimo documentation and JAAS tutorials for reference.

I think login should look like this?

    import javax.security.auth.Subject;
    import javax.security.auth.login.LoginContext;
    import javax.security.auth.login.LoginException;
    import org.apache.geronimo.security.ContextManager;

    // securityRealm must already be registered with GeronimoLoginConfiguration;
    // ServerPasswordHandler is my CallbackHandler that supplies user/pass (not shown).
    public Object login(String securityRealm, String user, String pass)
            throws LoginException {
        LoginContext context = ContextManager.login(securityRealm,
                new ServerPasswordHandler(user, pass));
        Subject subject = context.getSubject();
        return ContextManager.getSubjectId(subject);
    }


As you said "the configuration named by the realm name must be already
registered with the GeronimoLoginConfiguration."

As I understand this, the realm name (*wssecurityRealm*) seems to me a
reference to the login module/authenticator class, which should implement
javax.security.auth.spi.LoginModule and which will do the validation for the
UsernameToken profile. So will we need to write a new
authenticator/LoginModule for UsernameToken profile validation?

Another question is how to register the realm name (*wssecurityRealm*) in
GeronimoLoginConfiguration? Will we do it in geronimo-web.xml? How do we do
this? I think in JAAS it is done via a file-based JAAS configuration.
Furthermore, on successful authentication, should the Subject be
populated with the associated identities, the Principals? (I am not sure about this
though, I just read it in the JAAS tutorial so wanted to confirm.)

So I think, with step one (as you mentioned in your first email), we
register the subject in Geronimo.

Can you please explain the second step (To make the results available to
container managed security call) in a bit more detail, or can you please
direct me to some documentation?

I am dealing with this for the very first time, so forgive me for the trivial questions :)

Thanks.

Best Regards,
Rahul




On Fri, Jul 10, 2009 at 10:46 PM, David Jencks <david_jencks@yahoo.com> wrote:

>
>  On Jul 10, 2009, at 1:04 PM, rahul.soa wrote:
>
> Hello Devs,
>
> I am configuring the usernameToken* security configuration in geronimo (for
> CXF). So far, I have configured it for Client side :).
>
> For the server side, I have tried it with hard-coded values and that works.
> Now, I don't know what *APIs* (server authorization APIs or other APIs) I
> should use to authenticate the user based on the usernameToken
> (username/password). In other words, how can we configure/enable the
> ws-security (usernameToken) at the *server side* in Geronimo?
>
> How and what information we need to pass to enable the ws-security on the
> server side?
>
> I am stuck on this point and I really need your suggestions and pointers.
>
>
> If you want a theoretically portable solution you should probably
> investigate writing a jaspi auth module for this.  This would probably take
> a while and at the moment only work with jetty7.
>
> For a geronimo-specific solution you need to:
>
> 1. authenticate the user by calling
>
> org.apache.geronimo.security.ContextManager.login(String realm,
> CallbackHandler callbackHandler, Configuration configuration).
>
> or
>
> ContextManager.login(realm, callbackHandler);
>
> Generally for the first call you'd get a Configuration from a
> GenericSecurityRealm component.  If you want something less configurable but
> quicker use the second call; the configuration named by the realm name must
> be already registered with the GeronimoLoginConfiguration.
>
> You'll get back a LoginContext containing the authenticated Subject.
>
> 2. To make the results available to container managed security call
>
> ContextManager.setCallers(subject, subject);
> try {
>   //do work, process message, etc etc
> }finally {
>     ContextManager.clearCallers();
> }
>
> hope this helps -- ask if you aren't clear on how to proceed.
> david jencks
>
>
> Please help me in this.
>
> Thank you in advance.
>
> Best Regards,
> Rahul
>
> * to authenticate the user based on the usernameToken (username/password)
> in the SOAP header
>
>
>
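Putting David's two steps together in one place, as an added example that is not part of this thread and is not Geronimo's or CXF's own code: it assumes the realm named "wssecurityRealm" is already registered with GeronimoLoginConfiguration, and the class names UsernameTokenAuthenticator and TokenCallbackHandler are hypothetical.

```java
import java.io.IOException;
import java.util.concurrent.Callable;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.apache.geronimo.security.ContextManager;

/** Hypothetical helper: authenticates a UsernameToken against a registered Geronimo
 *  realm (step 1) and runs message processing with that Subject as caller (step 2). */
public class UsernameTokenAuthenticator {

    /** JAAS callback handler answering NameCallback/PasswordCallback from the token. */
    static final class TokenCallbackHandler implements CallbackHandler {
        private final String user;
        private final char[] pass;
        TokenCallbackHandler(String user, String pass) {
            this.user = user;
            this.pass = pass.toCharArray();
        }
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(pass);
                else throw new UnsupportedCallbackException(cb);  // let the login module fail, not guess
            }
        }
    }

    private final String realm;  // e.g. "wssecurityRealm", must be registered with GeronimoLoginConfiguration
    UsernameTokenAuthenticator(String realm) { this.realm = realm; }

    /** Step 1: a wrong password surfaces as LoginException; there is no "null Subject" path. */
    Subject authenticate(String user, String pass) throws LoginException {
        LoginContext ctx = ContextManager.login(realm, new TokenCallbackHandler(user, pass));
        return ctx.getSubject();
    }

    /** Step 2: expose the Subject to container-managed security only while the work runs. */
    <T> T runAs(Subject subject, Callable<T> work) throws Exception {
        ContextManager.setCallers(subject, subject);
        try {
            return work.call();
        } finally {
            ContextManager.clearCallers();  // always clear, or the caller leaks into the next request on this thread
        }
    }
}
```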
