Seamless UsernameToken integration for Acegi Security (client and server) - Patch Included
------------------------------------------------------------------------------------------
Key: XFIRE-916
URL: http://jira.codehaus.org/browse/XFIRE-916
Project: XFire
Issue Type: New Feature
Affects Versions: 1.2.4
Environment: Nothing special, but the Acegi Security Framework. This patch is only for developers wanting to integrate security with their Acegi environment.
Reporter: Andres Bernasconi
Assigned To: Dan Diephouse
Priority: Minor
Attachments: xfire-acegi.zip
My idea is to simplify as much as possible extensions and usage of the XFire framework.
In this particular case I think it would be beneficial if the developer could "just" plug in a .jar file and thus add security to his/her client and/or service implementation, only by setting some properties (ideally using Spring IoC).
This patch adds support for UsernameToken and Acegi, but I guess the idea could easily be extended to other token types (I would REALLY like to see something like this for SAML, for instance).
On the client side, the developer just adds an additional OutHandler, and on the server side adds an InHandler. No additional code should need to be written.
The outcome is that, for clients that include this new outHandler, a UsernameToken security header will automatically be attached to the message according to the current user. On the server side, services that include the inHandler will automatically log in the user based on the received credentials, and the Principal will be available (accessible) through the Security Context.
For a full sample configuration, check the sample-server-context.xml and
sample-client-context.xml
(Sorry but no test cases).
This is a sample Spring configuration for the Service (inside the inHandlers section):
{code:xml|title=Service InHandler configuration}
...
<bean class="org.codehaus.xfire.security.acegi.AcegiUsernameTokenInHandler">
  <property name="authnManager" ref="authenticationManager" />
</bean>
...
{code}
where authnManager is an Acegi AuthenticationManager (so any type of authentication is pluggable).
Now for the client, it would be something like:
{code:xml|title=Client outHandler configuration}
<property name="outHandlers">
  <list>
    <!-- this is the standard domOutHandler -->
    <ref bean="domOutHandler" />
    <!-- this is the Acegi-configured out handler -->
    <bean id="ws-usernameTokenOutHandler"
          class="org.codehaus.xfire.security.acegi.AcegiWSS4JOutHandler">
      <property name="properties">
        <props>
          <prop key="action">UsernameToken</prop>
          <prop key="passwordType">PasswordText</prop>
          <!--
            If you ever need to test this, or you still have not implemented
            the token "reader" on the service, you may set the mustUnderstand
            field to 0 to avoid getting an Exception.
          -->
          <prop key="mustUnderstand">0</prop>
          <!--
            We are using our "support" class in order to be able to get the
            credentials from the Acegi Security Context. Still, we do not want
            to use a new class every time, so we are not setting this property
            (we are using a reference, and it is being set in the
            AcegiWSS4JOutHandler).
          -->
          <!--
          <prop key="passwordCallbackClass">org.codehaus.xfire.security.acegi.AcegiWSS4JPasswordCallback</prop>
          -->
        </props>
      </property>
      <!--
        Here we specify the CallbackHandler to be used. It also gets the
        username and password and sets them on the CallbackHandler.
      -->
      <property name="passwordCallback">
        <bean class="org.codehaus.xfire.security.acegi.AcegiWSS4JPasswordCallback" />
      </property>
    </bean>
  </list>
</property>
{code}
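The following is an added example, not part of the issue or the attached patch, showing what the two handlers above exchange on the wire and why the configuration matters. The client role builds a SOAP 1.1 envelope carrying a wsse:UsernameToken (PasswordText, as in the sample config, or PasswordDigest per the UsernameToken Profile 1.0); the server role parses it, enforces the mustUnderstand rule that the comment above works around, rejects a replayed nonce, and hands the credentials to an `authenticate()` callable that stands in for Acegi's AuthenticationManager. The user store, the user `alice`, the `urn:example` payload and all function names are constructed for the example.

```python
"""Constructed example of a WS-Security UsernameToken exchange (client and
server roles).  Namespaces are the OASIS WSS 1.0 ones; users and payload are
made up for the example."""
import base64
import hashlib
import hmac
import os
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
UTP = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
B64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"

# Constructed user store; in the patch this sits behind Acegi's AuthenticationManager.
USERS = {"alice": "s3cret"}


class AuthError(Exception):
    pass


def password_digest(nonce, created, password):
    """UsernameToken Profile 1.0: Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_envelope(username, password, password_type="PasswordText",
                   must_understand="1", nonce=None, created=None):
    """Client role (what the OutHandler does): attach a UsernameToken header."""
    nonce = os.urandom(16) if nonce is None else nonce
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    if password_type == "PasswordText":
        pw_value = password                      # cleartext: only acceptable over TLS
    elif password_type == "PasswordDigest":
        pw_value = password_digest(nonce, created, password)
    else:
        raise ValueError("unknown password type: " + password_type)

    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    sec = ET.SubElement(header, f"{{{WSSE}}}Security",
                        {f"{{{SOAP}}}mustUnderstand": must_understand})
    tok = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = username
    ET.SubElement(tok, f"{{{WSSE}}}Password", {"Type": f"{UTP}#{password_type}"}).text = pw_value
    ET.SubElement(tok, f"{{{WSSE}}}Nonce", {"EncodingType": B64}).text = base64.b64encode(nonce).decode("ascii")
    ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    ET.SubElement(body, "{urn:example}ping")     # constructed payload
    return ET.tostring(env, encoding="unicode")


def acegi_style_authenticate(username, pw_value, password_type, nonce, created):
    """Stand-in for AuthenticationManager.authenticate(); returns the principal name."""
    stored = USERS.get(username)
    if stored is None:
        raise AuthError("unknown user")
    if password_type == "PasswordDigest":
        # Checking a digest needs the cleartext password on the server, which is
        # why a provider that only stores password hashes can only take PasswordText.
        expected = password_digest(nonce, created, stored)
    else:
        expected = stored
    if not hmac.compare_digest(expected.encode(), (pw_value or "").encode()):
        raise AuthError("bad credentials")
    return username


def authenticate_envelope(xml_text, authenticate, seen_nonces, handler_installed=True):
    """Server role (what the InHandler does).  Returns the principal, or None when
    no security handler is installed and the header may legitimately be ignored."""
    root = ET.fromstring(xml_text)
    sec = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    if sec is None:
        raise AuthError("missing wsse:Security header")
    if not handler_installed:
        # A node that does not process a mustUnderstand="1" header must fault;
        # that fault is the exception the sample config's mustUnderstand=0 avoids.
        if sec.get(f"{{{SOAP}}}mustUnderstand") == "1":
            raise AuthError("SOAP MustUnderstand fault: wsse:Security not processed")
        return None
    tok = sec.find(f"{{{WSSE}}}UsernameToken")
    if tok is None:
        raise AuthError("no UsernameToken")
    username = tok.findtext(f"{{{WSSE}}}Username")
    pw_el = tok.find(f"{{{WSSE}}}Password")
    if not username or pw_el is None:
        raise AuthError("incomplete UsernameToken")
    nonce_text = tok.findtext(f"{{{WSSE}}}Nonce")
    nonce = base64.b64decode(nonce_text) if nonce_text else b""
    created = tok.findtext(f"{{{WSU}}}Created") or ""
    if nonce in seen_nonces:
        raise AuthError("replayed nonce")        # same token presented twice
    seen_nonces.add(nonce)
    password_type = pw_el.get("Type", f"{UTP}#PasswordText").rsplit("#", 1)[-1]
    return authenticate(username, pw_el.text, password_type, nonce, created)
```

Two things the example makes visible that the configuration alone does not: with `passwordType=PasswordText` the password crosses the wire in the clear, so the transport must be TLS; and switching to PasswordDigest only works if the server-side provider can recover the cleartext password, which an Acegi DAO provider holding salted hashes cannot. A production verifier would also bound the age of wsu:Created so the nonce cache does not grow without limit.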
--
This message is automatically generated by JIRA.