I was not able to add an interceptor by setting a service property (I used 
"org.apache.cxf.ws.in.interceptors").


But I followed your advice and tried to use a CXF feature. I noticed that there 
is a ready-to-use JAASAuthenticationFeature so I registered it as a service 
intent. If I understand it right I can select the realm to use by setting the 
contextname of the feature, but is it also possible to choose a specific group 
or user?


Thanks

Christian


________________________________
From: Christian Schneider <ch...@die-schneider.net>
Sent: Friday, 26 October 2018 12:44:05
To: user@aries.apache.org
Subject: Re: Aries RSA: securing exported services with ExportPolicy

Any webservice exported using blueprint is accessible from remote. You will 
only not see it as a rsa remote service.

What I meant is: can you export your service using RSA but without an 
ExportPolicy if you add the interceptor as a service property? I am not sure if 
this kind of interceptor works with the current CXF DOSGi versions.

In general the recommended practice for securing services is to use a CXF 
feature and refer to it as an intent. For example, the new CXF logging feature 
registers itself as an intent.
https://github.com/apache/cxf/blob/master/rt/features/logging/src/main/java/org/apache/cxf/ext/logging/osgi/Activator.java#L89-L90

The rest example readme shows how to add such an intent to your service:
https://github.com/apache/cxf-dosgi/blob/59e432afabb2a8f6a812b2a8f12cda68f4bfa775/samples/rest/README.md#add-logging-intent
(Basically you simply add a service property "service.exported.intents" with 
your intent name as value).

This way you could create a feature that adds the security interceptors and 
export it with intent name "mysecurity" and then add the service property above 
to all services that should be secured.

The ExportPolicy is only needed if you want to add this property transparently 
to your services without touching them.

Christian

On Fri, 26 Oct 2018 at 12:27, Niehues, Christian 
<christian.nieh...@its-digital.de> wrote:

It works if I define the service as CXF endpoint in blueprint. But if I set it 
there it is not published as RSA endpoint and so it seems it's not accessible 
from remote.


Christian


________________________________
From: Christian Schneider <ch...@die-schneider.net>
Sent: Thursday, 25 October 2018 17:24:40
To: user@aries.apache.org
Subject: Re: Aries RSA: securing exported services with ExportPolicy

Does it work if you set the interceptor directly on the service?

Christian

On Thu, 25 Oct 2018 at 08:57, Niehues, Christian 
<christian.nieh...@its-digital.de> wrote:

Hi,


I am trying to export a service in my Karaf to be able to process SOAP messages 
sent from a remote client, but I am having problems securing it. The 
documentation for Aries RSA about the TopologyManager notes that ExportPolicy 
implementations can be used to add authentication but I am missing further details.


I tried to achieve it by adding an interceptor in my ExportPolicy but that 
seems not to help:


props.put("service.exported.configs", "org.apache.cxf.ws");
props.put("org.apache.cxf.ws.address", "http://192.168.1.100:9000/sync");
props.put("org.apache.cxf.ws.in.interceptors", "com.acme.MyInterceptor");

com.acme.MyInterceptor extends 
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor

I also tried to provide the interceptor class name as List<String> or String[] 
but that didn't work either; the interceptor never gets invoked when sending 
messages.

So what am I doing wrong, or is there any other/better way to secure a service 
provided by Aries RSA?

Thanks,

Christian


--
--
Christian Schneider
http://www.liquid-reality.de

Computer Scientist
http://www.adobe.com


