[ https://issues.apache.org/jira/browse/CXF-5922?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Freeman Fang reassigned CXF-5922:
---------------------------------

    Assignee: Freeman Fang

> Secure CXF WSDL with standard HTTP Authentication
> -------------------------------------------------
>
>                 Key: CXF-5922
>                 URL: https://issues.apache.org/jira/browse/CXF-5922
>             Project: CXF
>          Issue Type: Improvement
>          Components: JAX-WS Runtime
>    Affects Versions: 2.7.8
>            Reporter: Joe Luo
>            Assignee: Freeman Fang
>
> I am running a camel route in an OSGi container, with CXF as a consumer 
> endpoint, using the Provider<T> route mechanism. The route is secured with 
> SSL and HTTP Basic Authentication using JAASLoginInterceptor and 
> SimpleAuthorizingInterceptor interceptors. 
> Now I want to secure WSDL on the camel-cxf consumer endpoint with HTTP Basic 
> Authentication, similarly going through JAAS. 
> However, since WSDLGetInterceptor is placed in Phase.READ, it is not possible 
> to use JAASLoginInterceptor and SimpleAuthorizingInterceptor due to 
> the fact that the two interceptors are placed in Phase.UNMARSHAL and 
> Phase.PRE_INVOKE respectively and they are far behind Phase.READ.
> There are two possible solutions I can think of:
>     # move the WSDLGetInterceptor and RawMessageWSDLGetInterceptor from the 
> Phase.READ to Phase.PRE_INVOKE or later so they can take advantage of 
> JAASLoginInterceptor and SimpleAuthorizingInterceptor just as other SOAP 
> calls;
>     # introduce one (or two) special interceptors to do what the 
> JAASLoginInterceptor and the SimpleAuthorizingInterceptor normally do just 
> for WSDL GET invocation.
> The first option might introduce too much change but the second option sounds 
> like a better choice. We should introduce one or two interceptors for WSDL GET 
> invocation to integrate with standard HTTP Authentication just like other 
> SOAP calls so users do not have to write custom interceptors themselves. 
> Instead they can simply enable it through configuration only. 
> It should also satisfy the requirement for using the same 
> authentication/authorization method through JAAS just like other SOAP calls.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
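
The phase-ordering gap described in the issue, and the second proposed option, shown as an added example: a simplified Python model of a phase-ordered interceptor chain, not CXF code and not part of the original message. The functions only stand in for the named CXF interceptors; `wsdl_get_auth`, the credential store and the realm string are hypothetical.

```python
import base64
import hmac

PHASES = ["READ", "UNMARSHAL", "PRE_INVOKE"]  # inbound order, as the issue describes
USERS = {"alice": "s3cret"}                   # constructed store standing in for a JAAS realm
ALLOWED = {"alice"}                           # constructed authorization list

def basic_credentials(headers):
    """Return (user, password) from an HTTP Basic header, or None if absent/malformed."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, sep, password = base64.b64decode(token, validate=True).decode().partition(":")
    except ValueError:  # bad base64 or bad UTF-8
        return None
    return (user, password) if sep else None

def is_wsdl_get(req):
    return req["method"] == "GET" and "wsdl" in req.get("query", "").lower()

def authenticate(req):  # stands in for JAASLoginInterceptor
    creds = basic_credentials(req.get("headers", {}))
    expected = USERS.get(creds[0]) if creds else None
    if expected is None or not hmac.compare_digest(expected.encode(), creds[1].encode()):
        return (401, 'WWW-Authenticate: Basic realm="model"')
    req["user"] = creds[0]
    return None

def authorize(req):  # stands in for SimpleAuthorizingInterceptor
    return None if req.get("user") in ALLOWED else (403, "forbidden")

def wsdl_get(req):  # stands in for WSDLGetInterceptor: answers and ends the chain
    return (200, "<wsdl:definitions/>") if is_wsdl_get(req) else None

def wsdl_get_auth(req):  # hypothetical interceptor for option 2 in the issue
    return (authenticate(req) or authorize(req)) if is_wsdl_get(req) else None

def run(chain, req):
    """Run interceptors in phase order; the first one that returns a response ends the chain."""
    for _, interceptor in sorted(chain, key=lambda e: PHASES.index(e[0])):
        response = interceptor(req)
        if response is not None:
            return response
    return (200, "soap response")

DEFAULT = [("READ", wsdl_get), ("UNMARSHAL", authenticate), ("PRE_INVOKE", authorize)]
HARDENED = [("READ", wsdl_get_auth)] + DEFAULT  # registered first, so it runs before wsdl_get
```

In the `DEFAULT` chain an unauthenticated `GET ?wsdl` is answered in READ before either security interceptor runs, while SOAP POSTs are still challenged; `HARDENED` closes that gap without moving the WSDL handler.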
