Hey Christian, I'll take a look, however my other code is bound to CXF 2.7.7 (and TESB 5.4.x) so I can not rely on new features yet.
Cheers,
Łukasz
--
[email protected]
Twitter: ldywicki
Blog: http://dywicki.pl
Code-House - http://code-house.org

2014-07-10 18:25 GMT+02:00 Christian Schneider <[email protected]>:
> The Subject.doAs problem is already solved (see issue below). You can
> already test it with the current trunk.
> Simply add a JAASAuthenticationFeature to your bus or service. This will add
> JAAS authentication suitable for Apache Karaf.
>
> You can then login with karaf/karaf and inside your service impl use this to
> retrieve the subject:
> |AccessControlContext acc = AccessController.getContext();|
> |Subject subject = Subject.getSubject(acc);|
>
> If you can make Shiro or Spring Security create their security context from
> a JAAS one they should also work nicely.
> I experimented with both but am not a big fan. The problem with Shiro is
> that it does not seem to provide nice authorization support.
> So for example they do not support @RolesAllowed and the like.
>
> Spring Security on the other hand is not really suitable to combine with
> anything else than Spring. For Spring it is quite nice though.
>
> Establish JAAS login context using Subject.doAs
> https://issues.apache.org/jira/browse/CXF-5868
>
> Now we need some nice authorization support of course. This I would like to
> implement outside of CXF
> as authorization is not only needed inside the service but also when calling
> other code.
>
> Christian
>
> On 10.07.2014 15:33, Łukasz Dywicki wrote:
>
>> The issue which I mentioned was fixed. The issue for it is CXF-5864. I also
>> opt for JAAS as the underlying framework since there is no other standard.
>> I was looking for Shiro-JAAS integrations but except for a couple of statements
>> there is no live example of it. With SS it's easier as it supports
>> JAAS out of the box and allows to reduce the amount of code needed to call
>> the JAAS login module. I'm not sure but in SS 2.x there was a reverse bridge
>> allowing to call the Spring Security authentication manager via JAAS,
>> sadly I can not find it right now.
>> In some scenarios, as you already pointed out, an additional check is needed.
>> Kerberos verifies identity but does not offer any way to retrieve user
>> privileges. I can imagine a situation where someone is using Kerberos
>> without directory services - for these cases SS requires an
>> implementation of UserDetailsService.
>>
>> My plan was also to let the service implementer retrieve the Subject and its
>> roles from the current security context regardless if it's JAX-RS or JAX-WS
>> code. Now CXF relies on JAX-RS in one place and I'm not aware of any
>> similarity for JAX-WS. With plain JAAS it will be possible, CXF just
>> needs to call Subject.doAs() in the service invoker.
>>
>> Best regards,
>> Łukasz
>> --
>> [email protected]
>> Twitter: ldywicki
>> Blog: http://dywicki.pl
>> Code-House - http://code-house.org
>>
>> 2014-07-10 14:06 GMT+02:00 Christian Schneider <[email protected]>:
>>>
>>> Spring Security integration would be an interesting case that I hope can
>>> be covered with my approach.
>>>
>>> We could do the JAAS authentication with CXF without Spring Security and
>>> then use Spring Security just for authorization.
>>> The only thing we would need to do is provide a small module for Spring
>>> Security that retrieves the JAAS login context and creates a Spring
>>> Security context from it. Perhaps
>>> this is even present somewhere in Spring Security as this case should not
>>> be that uncommon. After that step Spring Security would fully work.
>>>
>>> This of course only can work if the authentication phase can be covered
>>> by JAAS. Which kind of authentication do you have in mind?
>>>
>>> Christian
>>>
>>> On 10.07.2014 13:38, Łukasz Dywicki wrote:
>>>>
>>>> Hey Christian,
>>>> Great that you brought up this discussion. I already started working on
>>>> integration between Spring Security (SS) and CXF, mainly because JAAS
>>>> was not sufficient in all our cases and SS provides a nice cover to it
>>>> such as AccessDecisionManager, session controlling and so on. As Oliver
>>>> pointed out - currently CXF is bound to HTTP headers or WSS4J
>>>> callbacks requiring re-sending credentials for each invocation, which
>>>> really limits users while working on more advanced APIs. I would love
>>>> to see support for login/logout operations and session handling within
>>>> CXF.
>>>>
>>>> There are a couple of issues which can not be solved with the current CXF code
>>>> - for example AbstractAuthorizingInInterceptor forces the presence of a
>>>> security context even if a subject is not necessary and the method is not
>>>> annotated with any secure annotation or is annotated with @PermitAll.
>>>>
>>>> Best regards,
>>>> Łukasz
>>>> --
>>>> [email protected]
>>>> Twitter: ldywicki
>>>> Blog: http://dywicki.pl
>>>> Code-House - http://code-house.org
>>>>
>>>>
>>> --
>>> Christian Schneider
>>> http://www.liquid-reality.de
>>>
>>> Open Source Architect
>>> http://www.talend.com
>>>
>
>
> --
> Christian Schneider
> http://www.liquid-reality.de
>
> Open Source Architect
> Talend Application Integration Division http://www.talend.com
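As an added illustration of the Subject retrieval Christian describes above (not code from the thread or from CXF itself): a hypothetical service implementation that reads the JAAS Subject from the AccessControlContext, lists the Karaf roles attached to it, and refuses the call when the Subject is absent or lacks the required role. It assumes Karaf's `org.apache.karaf.jaas.boot.principal.RolePrincipal` class and the hypothetical `ReportServiceImpl` service.

```java
import java.security.AccessControlContext;
import java.security.AccessController;
import java.util.Set;
import java.util.TreeSet;
import javax.security.auth.Subject;
// Karaf's role principal class; the package is the Karaf 3.x/4.x one (an assumption,
// the thread does not name a Karaf version).
import org.apache.karaf.jaas.boot.principal.RolePrincipal;

/** Hypothetical service implementation that CXF invokes inside Subject.doAs(). */
public class ReportServiceImpl {

    /** The Subject of the current call, or null when no JAAS login wraps the invocation. */
    static Subject currentSubject() {
        AccessControlContext acc = AccessController.getContext();
        return Subject.getSubject(acc);
    }

    /** Role names attached to the Subject as Karaf RolePrincipals. */
    static Set<String> rolesOf(Subject subject) {
        Set<String> roles = new TreeSet<String>();
        for (RolePrincipal role : subject.getPrincipals(RolePrincipal.class)) {
            roles.add(role.getName());
        }
        return roles;
    }

    /**
     * Authorization done in the service code itself, because the feature only
     * authenticates; @RolesAllowed-style checks are not provided here.
     * A null Subject is rejected rather than treated as anonymous: it usually
     * means the JAASAuthenticationFeature is not installed on the bus or service.
     */
    static void requireRole(String role) {
        Subject subject = currentSubject();
        if (subject == null) {
            throw new SecurityException(
                "no JAAS Subject on this call; is JAASAuthenticationFeature configured?");
        }
        if (!rolesOf(subject).contains(role)) {
            throw new SecurityException("caller lacks required role '" + role + "'");
        }
    }

    public String generateReport(String name) {
        // "admin" is assumed to be a role of karaf/karaf in a stock Karaf users.properties.
        requireRole("admin");
        return "report for " + name;
    }
}
```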
