It was a bit of extra coding, as there is some disconnect between what
WS-Security wants to do and what Acegi wants to do (at least for
UsernameToken authentication). We also have a business requirement due
to some legacy data setup that proved to be problematic with WSS4J.
WSS4J wants you to return the password and it performs the password
comparison. Acegi Security also wants to perform the password
comparison. Two separate processes that you're trying to integrate that
both want to run the show... problem there :) Our business requirement
issue with WSS4J is that we keep our passwords hashed in our DB. Allowing
WSS4J to perform our authentication would never work, as we need to hash
the password in the token and compare that against the hashed password
in the DB. From my understanding, I cannot change this process with
WSS4J. Acegi is nice in this regard as it allows you to provide a
password encoder that it will use against the provided password.
With all these factors, our strategy was to allow WSS4J to process the
UsernameToken to provide a Principal object with the username/password
that was provided in the header. Then, after the processing for WSS4J, we
have our own interceptor in the interceptor chain that will use the
Principal object to delegate authentication to the Acegi authentication
manager. Here's a snippet of our interceptor (apologies if the formatting
turns out crappy):
    // get the principal object that WSS4J built from the UsernameToken
    WSUsernameTokenPrincipal principal =
        (WSUsernameTokenPrincipal) secRes.getPrincipal();
    // hand the username/password from the header to Acegi, which applies
    // its configured password encoder before comparing against the DB
    Authentication auth = new UsernamePasswordAuthenticationToken(
        principal.getName(), principal.getPassword());
    // authenticate() throws an AuthenticationException on a bad credential;
    // the isAuthenticated() check below is a belt-and-braces guard
    auth = authenticationManager.authenticate(auth);
    if (!auth.isAuthenticated()) {
        throw new AuthorizationException("This user is not authentic");
    }
    // from here on Acegi sees the caller like any web request
    SecurityContextHolder.getContext().setAuthentication(auth);
Now that the authentication object has been set within the context, you
can use Acegi throughout your code like you would any other webapp. It
really is nice. We even use Acegi annotations on our endpoints and use
AOP and a Role voter to authorize our web services. It makes for a
fairly clean solution. We use the same service classes for our web
services and our web application without any code change to support
authorization from each entry point. Code reuse bliss.
I am not all that familiar with WSS4J, so I could be wrong in some of my
understandings of how it works with WS-Security. Does anyone else have
a different experience or understanding of UsernameToken authentication
with WSS4J? Does this seem like a reasonable approach?
Eric
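As an added example (not the poster's code, and not part of CXF, WSS4J or Acegi), the approach described above written out as a complete CXF in-interceptor: it is ordered after WSS4JInInterceptor in the same phase, pulls the WSUsernameTokenPrincipal out of the results WSS4J stored on the message, and delegates the password comparison to Acegi's AuthenticationManager. The class and package names are hypothetical, the WSS4J 1.5-era API (Vector results, getPrincipal()) is assumed, and the SecurityException messages are illustrative.

```java
// Added example, not the original poster's code: a CXF in-interceptor that
// runs after WSS4JInInterceptor, takes the WSUsernameTokenPrincipal WSS4J
// built from the UsernameToken, and delegates the actual password check to
// Acegi's AuthenticationManager (whose DaoAuthenticationProvider applies the
// configured PasswordEncoder). Class/package names are hypothetical; the
// WSS4J 1.5-era API (Vector results, getPrincipal()) is assumed.
package example.ws.security;

import java.util.Iterator;
import java.util.Vector;

import org.acegisecurity.Authentication;
import org.acegisecurity.AuthenticationException;
import org.acegisecurity.AuthenticationManager;
import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSUsernameTokenPrincipal;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.handler.WSHandlerResult;

public class AcegiUsernameTokenInterceptor
        extends AbstractPhaseInterceptor<SoapMessage> {

    private AuthenticationManager authenticationManager;

    public AcegiUsernameTokenInterceptor() {
        super(Phase.PRE_PROTOCOL);
        // Same phase as WSS4JInInterceptor, ordered after it, so the
        // Security header has already been parsed when we run.
        addAfter(WSS4JInInterceptor.class.getName());
    }

    // Injected from Spring; the Acegi ProviderManager bean.
    public void setAuthenticationManager(AuthenticationManager manager) {
        this.authenticationManager = manager;
    }

    public void handleMessage(SoapMessage message) throws Fault {
        WSUsernameTokenPrincipal principal = findUsernameTokenPrincipal(message);
        if (principal == null) {
            throw new Fault(new SecurityException(
                    "No UsernameToken found in the WS-Security header"));
        }
        // A hashed DB password can only be checked against the clear-text
        // password of a PasswordText token; a PasswordDigest cannot be
        // recomputed from the stored hash, so reject it explicitly.
        if (principal.isPasswordDigest()) {
            throw new Fault(new SecurityException(
                    "PasswordDigest tokens cannot be verified against hashed passwords"));
        }
        Authentication request = new UsernamePasswordAuthenticationToken(
                principal.getName(), principal.getPassword());
        Authentication result;
        try {
            // ProviderManager throws on a bad credential rather than
            // returning an unauthenticated token, so the catch is the
            // failure path.
            result = authenticationManager.authenticate(request);
        } catch (AuthenticationException e) {
            SecurityContextHolder.clearContext();
            throw new Fault(e);
        }
        // From here on Acegi's MethodSecurityInterceptor / annotations see
        // the caller exactly as they would in the web application.
        SecurityContextHolder.getContext().setAuthentication(result);
    }

    // Walk the results WSS4JInInterceptor stored on the message and pick
    // the principal that came from a UsernameToken (the only kind handled).
    private WSUsernameTokenPrincipal findUsernameTokenPrincipal(SoapMessage message) {
        Vector handlerResults = (Vector) message.get(WSHandlerConstants.RECV_RESULTS);
        if (handlerResults == null) {
            return null;
        }
        for (Iterator i = handlerResults.iterator(); i.hasNext();) {
            WSHandlerResult handlerResult = (WSHandlerResult) i.next();
            for (Iterator j = handlerResult.getResults().iterator(); j.hasNext();) {
                WSSecurityEngineResult engineResult = (WSSecurityEngineResult) j.next();
                if (engineResult.getPrincipal() instanceof WSUsernameTokenPrincipal) {
                    return (WSUsernameTokenPrincipal) engineResult.getPrincipal();
                }
            }
        }
        return null;
    }
}
```

Two caveats worth keeping in mind with this split. First, because the password must reach Acegi in clear text for the encoder to hash it, the token has to be PasswordText, which means the endpoint should only be reachable over TLS. Second, once WSS4J is no longer the component doing the comparison, the scheme is only as strong as this interceptor being present on every endpoint's in-chain; an endpoint that has WSS4JInInterceptor configured but is missing this one would not get the Acegi check at all.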
On Tue, 2007-09-18 at 10:50 +0200, Dan Diephouse wrote:
> I guess I'm interested in seeing any code that could be shared between
> users come into CXF. Specifically, if I remember correctly from the
> solutions that I've seen, the WS-Security integration in particular
> takes an extra bit of coding. Would be very happy to include your
> contributions.
> Cheers,
> - Dan
>
> Eric Miles wrote:
> > Dan,
> >
> > What sort of solution are you looking for? We are using an
> > Acegi/Spring/CXF implementation at our company where we are using
> > WS-Security and Acegi for authentication and AOP/Acegi for
> > authorization. We could be interested in contributing.
> >
> > Thanks,
> > Eric
> >
> >
> > On Tue, 2007-09-18 at 00:15 +0200, Dan Diephouse wrote:
> >
> >> And I want somebody to contribute a cleaner solution :-D
> >>
> >> I know there is a lot of stuff we could do with Spring Security/Acegi
> >> that would be super cool. It'd be a real low barrier way to contribute
> >> some stuff if anyone is interested.
> >>
> >> Cheers,
> >> - Dan
> >>
> >> mattmadhavan wrote:
> >>
> >>> Hi Ray,
> >>> No I do not want the client side to tell the server! That's my point. Some
> >>> good blogs I have seen do that! Where the client 'tells' which handler to
> >>> use!
> >>>
> >>> I want a cleaner ACEGI+ XFIRE solution!
> >>>
> >>> Thanks
> >>> Matt
> >>>
> >>>
> >>>
> >>> Ray Krueger wrote:
> >>>
> >>>
> >>>> You want the client to tell the server how to do security? That sounds
> >>>> crazy :)
> >>>>
> >>>> Your client side should either be doing http based security or
> >>>> ws-security. That doesn't have anything to do with Acegi at that
> >>>> point.
> >>>>
> >>>> On 9/14/07, Zarar Siddiqi <[EMAIL PROTECTED]> wrote:
> >>>>
> >>>>
> >>>>> I'm trying to understand what you're saying but am having difficulty.
> >>>>> But here goes:
> >>>>>
> >>>>>
> >>>>>
> >>>>>> Can someone point me to some docs on the CXF and ACEGI integration
> >>>>>> or CXF and security like authentication and authorization.
> >>>>>>
> >>>>>>
> >>>>> I use Acegi for authorization purposes only. IMHO it doesn't really make
> >>>>> sense for authentication (WS-Security can do that). So I use the
> >>>>> MethodSecurityInterceptor and BeanNameAutoProxyCreator to manage calls
> >>>>> to my service level methods. The Acegi docs can help you there, the only
> >>>>> difference I think is that you have to set the authentication token
> >>>>> yourself, e.g.:
> >>>>>
> >>>>> UsernamePasswordAuthenticationToken token =
> >>>>>     new UsernamePasswordAuthenticationToken(
> >>>>>         user.getUsername(), user.getPassword(), user.getAuthorities());
> >>>>> // Populate Acegi Security Context
> >>>>> SecurityContextHolder.getContext().setAuthentication(token);
> >>>>>
> >>>>>
> >>>>>
> >>>>>> I found some blogs on the CXF+ACEGI, but it is Java centric. On the
> >>>>>> client side we need to set which class handles the security on the
> >>>>>> Server side! But if I am using some other language for clients like
> >>>>>> C# it doesn't seem to be the proper way!
> >>>>>
> >>>>> You can pass the class name which handles security to the server (crazy
> >>>>> thought I think!) using a header element and then parse it using CXF
> >>>>> interceptors.
> >>>>>
> >>>>> Zarar
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>> mattmadhavan wrote:
> >>>>>
> >>>>>
> >>>>>> Any Help will be appreciated!
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> mattmadhavan wrote:
> >>>>>>
> >>>>>>
> >>>>>>> Hello,
> >>>>>>> Can someone point me to some docs on the CXF and ACEGI integration or
> >>>>>>> CXF and security like authentication and authorization. Some sample
> >>>>>>> app will even be great.
> >>>>>>>
> >>>>>>> I found some blogs on the CXF+ACEGI, but it is Java centric. On the
> >>>>>>> client side we need to set which class handles the security on the
> >>>>>>> Server side! But if I am using some other language for clients like C#
> >>>>>>> it doesn't seem to be the proper way!
> >>>>>>>
> >>>>>>> Any ideas will be greatly appreciated.
> >>>>>>>
> >>>>>>> Thanks
> >>>>>>> Matt
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>> --
> >>>>> View this message in context:
> >>>>> http://www.nabble.com/CXF%2BACEGI-tf4436973.html#a12677582
> >>>>> Sent from the cxf-user mailing list archive at Nabble.com.
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>
> >>>
> >> --
> >> Dan Diephouse
> >> MuleSource
> >> http://mulesource.com | http://netzooid.com/blog
> >>
>
>