Hi Christian,

the JAASAuthenticationFeature only does authentication. When deployed in karaf the default realm should be fine.
For authorisation see e.g. the SimpleAuthorizingInterceptor.
http://cxf.apache.org/docs/securing-cxf-services.html

Christian

On Mon, 29 Oct 2018 at 09:42, Niehues, Christian <christian.nieh...@its-digital.de> wrote:

> I was not able to add an interceptor by setting a service property (I used
> "org.apache.cxf.ws.in.interceptors").
>
> But I followed your advice and tried to use a CXF feature. I noticed that
> there is a ready-to-use JAASAuthenticationFeature so I registered it as
> a service intent. If I understand it right I can select the realm to use by
> setting the contextname of the feature but is it also possible to choose a
> specific group or user?
>
> Thanks
>
> Christian
>
> ------------------------------
> *From:* Christian Schneider <ch...@die-schneider.net>
> *Sent:* Friday, 26 October 2018 12:44:05
> *To:* user@aries.apache.org
> *Subject:* Re: Aries RSA: securing exported services with ExportPolicy
>
> Any webservice exported using blueprint is accessible from remote. You
> will only not see it as a rsa remote service.
>
> What I meant is: can you export your service using rsa but without an
> Export policy if you add the interceptor as a service property? I am not
> sure if this kind of interceptors work with the current cxf dosgi versions.
>
> In general the recommended practice for securing services is using a CXF
> feature and refer to it as an intent. For example the new CXF logging
> feature registers itself as an intent.
>
> https://github.com/apache/cxf/blob/master/rt/features/logging/src/main/java/org/apache/cxf/ext/logging/osgi/Activator.java#L89-L90
>
> The rest example readme shows how to add such an intent to your service:
>
> https://github.com/apache/cxf-dosgi/blob/59e432afabb2a8f6a812b2a8f12cda68f4bfa775/samples/rest/README.md#add-logging-intent
> (Basically you simply add a service property "service.exported.intents"
> with your intent name as value).
>
> This way you could create a feature that adds the security interceptors
> and export it with intent name "mysecurity" and then add the service
> property above to all services that should be secured.
>
> The ExportPolicy is only needed if you want to add this property
> transparently to your services without touching them.
>
> Christian
>
> On Fri, 26 Oct 2018 at 12:27, Niehues, Christian <christian.nieh...@its-digital.de> wrote:
>
>> It works if I define the service as CXF endpoint in blueprint. But if I
>> set it there it is not published as RSA endpoint and so it seems it's not
>> accessible from remote.
>>
>> Christian
>>
>> ------------------------------
>> *From:* Christian Schneider <ch...@die-schneider.net>
>> *Sent:* Thursday, 25 October 2018 17:24:40
>> *To:* user@aries.apache.org
>> *Subject:* Re: Aries RSA: securing exported services with ExportPolicy
>>
>> Does it work if you set the interceptor directly on the service?
>>
>> Christian
>>
>> On Thu, 25 Oct 2018 at 08:57, Niehues, Christian <christian.nieh...@its-digital.de> wrote:
>>
>>> Hi,
>>>
>>> I try to export a service in my karaf to be able to process SOAP
>>> messages sent from remote client but I am facing problems to secure it. The
>>> documentation for Aries RSA about the TopologyManager notes that
>>> ExportPolicy implementations can be used to add authentication but I am
>>> missing further details.
>>>
>>> I tried to achieve it by adding an interceptor in my ExportPolicy but
>>> that seems not to help:
>>>
>>> props.put("service.exported.configs", "org.apache.cxf.ws");
>>> props.put("org.apache.cxf.ws.address", "http://192.168.1.100:9000/sync");
>>> props.put("org.apache.cxf.ws.in.interceptors", "com.acme.MyInterceptor");
>>>
>>> com.acme.MyInterceptor extends
>>> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor
>>>
>>> I also tried to provide the Interceptor classname as List<String> or
>>> String[] but that didn't work either, the interceptor never gets invoked
>>> when sending messages.
>>>
>>> So what am I doing wrong or is there any other/better way to secure a
>>> service provided by Aries RSA?
>>>
>>> Thanks,
>>>
>>> Christian
>>
>> --
>> Christian Schneider
>> http://www.liquid-reality.de
>>
>> Computer Scientist
>> http://www.adobe.com
>
> --
> Christian Schneider
> http://www.liquid-reality.de
>
> Computer Scientist
> http://www.adobe.com

--
Christian Schneider
http://www.liquid-reality.de

Computer Scientist
http://www.adobe.com
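
Added example, not part of the thread and not code from Aries RSA or CXF: one way to combine the two pieces named above, JAAS authentication plus a SimpleAuthorizingInterceptor role check, in a single CXF feature published under the intent name "mysecurity". The class names, the "sync-user" role and the `org.apache.cxf.dosgi.IntentName` property key are assumptions; verify the key against the CXF-DOSGi version in use, and that the JAAS realm's roles are visible to the CXF security context.

```java
import java.util.Dictionary;
import java.util.Hashtable;

import org.apache.cxf.Bus;
import org.apache.cxf.feature.AbstractFeature;
import org.apache.cxf.interceptor.InterceptorProvider;
import org.apache.cxf.interceptor.security.JAASAuthenticationFeature;
import org.apache.cxf.interceptor.security.SimpleAuthorizingInterceptor;
import org.osgi.framework.BundleActivator;
import org.osgi.framework.BundleContext;

// Hypothetical activator: registers the security feature as an intent.
public class SecurityIntentActivator implements BundleActivator {

    /** One feature that authenticates via JAAS, then enforces a role. */
    static class SecuredFeature extends AbstractFeature {
        private final JAASAuthenticationFeature jaas = new JAASAuthenticationFeature();
        private final String requiredRoles;

        SecuredFeature(String contextName, String requiredRoles) {
            jaas.setContextName(contextName); // JAAS realm to log in against
            this.requiredRoles = requiredRoles;
        }

        @Override
        protected void initializeProvider(InterceptorProvider provider, Bus bus) {
            // Authentication only: adds the JAAS login interceptor.
            jaas.initialize(provider, bus);
            // Authorization: authenticated callers without one of the
            // required roles are rejected before the service is invoked.
            SimpleAuthorizingInterceptor authz = new SimpleAuthorizingInterceptor();
            authz.setGlobalRoles(requiredRoles);
            provider.getInInterceptors().add(authz);
        }
    }

    @Override
    public void start(BundleContext context) {
        Dictionary<String, Object> props = new Hashtable<>();
        // Assumed intent-name key, as used by CXF-DOSGi intent providers.
        props.put("org.apache.cxf.dosgi.IntentName", "mysecurity");
        // "karaf" realm and "sync-user" role are placeholder values.
        context.registerService(AbstractFeature.class.getName(),
                new SecuredFeature("karaf", "sync-user"), props);
    }

    @Override
    public void stop(BundleContext context) { }
}
```

A service exported with the property "service.exported.intents" set to "mysecurity", as described in the thread, is then exported only with this feature applied.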