This is not necessary. In both cases (cxf blueprint namespace as well as rsa) you can use a path like "/myservice". This uses the servlet transport. In karaf it is provided by pax web.

Christian

On Fri, 2 Nov 2018 at 10:52, Niehues, Christian <christian.nieh...@its-digital.de> wrote:

> I want to be able to access the CXF endpoint from remote, which is not
> possible if I use localhost or something like that. So I thought I have to
> set the address in relation to the IP of the machine it's installed on. That
> was the reason I started to use Aries RSA and the ExportPolicy.
>
> Christian
>
> ------------------------------
> *From:* Christian Schneider <ch...@die-schneider.net>
> *Sent:* Friday, 2 November 2018 10:29:38
> *To:* user@aries.apache.org
> *Subject:* Re: Aries RSA: securing exported services with ExportPolicy
>
> In plain CXF you can specify the endpoint address, which can include an IP
> address, but there are no placeholders.
> What do you try to achieve with a specific IP?
>
> Christian
>
> On Fri, 2 Nov 2018 at 09:56, Niehues, Christian <christian.nieh...@its-digital.de> wrote:
>
>> Hi Christian,
>>
>> meanwhile I was also able to access a simple CXF endpoint from
>> remote that has been defined in blueprint, including authorization and
>> authentication. My only remaining problem with that solution is that I
>> don't know how to define something like a placeholder for the address value
>> to get an IP-specific address. A placeholder definition value like
>> {{hostIP}} doesn't seem to be replaced.
>>
>> Is there maybe another way to achieve this?
>>
>> Thanks
>>
>> Christian
>>
>> --
>> Christian Niehues
>> ITS Digital Solutions GmbH
>>
>> ------------------------------
>> *From:* Christian Schneider <ch...@die-schneider.net>
>> *Sent:* Monday, 29 October 2018 16:57:14
>> *To:* user@aries.apache.org
>> *Subject:* Re: Aries RSA: securing exported services with ExportPolicy
>>
>> Hi Christian,
>>
>> the JAASAuthenticationFeature only does authentication.
>> When deployed in karaf the default realm should be fine.
>>
>> For authorisation see e.g. the SimpleAuthorizingInterceptor.
>> http://cxf.apache.org/docs/securing-cxf-services.html
>>
>> Christian
>>
>> On Mon, 29 Oct 2018 at 09:42, Niehues, Christian <christian.nieh...@its-digital.de> wrote:
>>
>>> I was not able to add an interceptor by setting a service property (I
>>> used "org.apache.cxf.ws.in.interceptors").
>>>
>>> But I followed your advice and tried to use a CXF feature. I noticed
>>> that there is a ready-to-use JAASAuthenticationFeature, so I registered
>>> it as a service intent. If I understand it right I can select the realm to
>>> use by setting the contextname of the feature, but is it also possible to
>>> choose a specific group or user?
>>>
>>> Thanks
>>>
>>> Christian
>>>
>>> ------------------------------
>>> *From:* Christian Schneider <ch...@die-schneider.net>
>>> *Sent:* Friday, 26 October 2018 12:44:05
>>> *To:* user@aries.apache.org
>>> *Subject:* Re: Aries RSA: securing exported services with ExportPolicy
>>>
>>> Any webservice exported using blueprint is accessible from remote. You
>>> will only not see it as an RSA remote service.
>>>
>>> What I meant is: can you export your service using RSA but without an
>>> ExportPolicy if you add the interceptor as a service property? I am not
>>> sure if this kind of interceptor works with the current cxf dosgi versions.
>>>
>>> In general the recommended practice for securing services is using a CXF
>>> feature and referring to it as an intent. For example the new CXF logging
>>> feature registers itself as an intent.
>>>
>>> https://github.com/apache/cxf/blob/master/rt/features/logging/src/main/java/org/apache/cxf/ext/logging/osgi/Activator.java#L89-L90
>>>
>>> The rest example readme shows how to add such an intent to your service:
>>>
>>> https://github.com/apache/cxf-dosgi/blob/59e432afabb2a8f6a812b2a8f12cda68f4bfa775/samples/rest/README.md#add-logging-intent
>>> (Basically you simply add a service property "service.exported.intents"
>>> with your intent name as value).
>>>
>>> This way you could create a feature that adds the security interceptors
>>> and export it with intent name "mysecurity" and then add the service
>>> property above to all services that should be secured.
>>>
>>> The ExportPolicy is only needed if you want to add this property
>>> transparently to your services without touching them.
>>>
>>> Christian
>>>
>>> On Fri, 26 Oct 2018 at 12:27, Niehues, Christian <christian.nieh...@its-digital.de> wrote:
>>>
>>>> It works if I define the service as CXF endpoint in blueprint. But if I
>>>> set it there it is not published as RSA endpoint and so it seems it's not
>>>> accessible from remote.
>>>>
>>>> Christian
>>>>
>>>> ------------------------------
>>>> *From:* Christian Schneider <ch...@die-schneider.net>
>>>> *Sent:* Thursday, 25 October 2018 17:24:40
>>>> *To:* user@aries.apache.org
>>>> *Subject:* Re: Aries RSA: securing exported services with ExportPolicy
>>>>
>>>> Does it work if you set the interceptor directly on the service?
>>>>
>>>> Christian
>>>>
>>>> On Thu, 25 Oct 2018 at 08:57, Niehues, Christian <christian.nieh...@its-digital.de> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I try to export a service in my karaf to be able to process SOAP
>>>>> messages sent from a remote client, but I am facing problems securing it.
>>>>> The documentation for Aries RSA about the TopologyManager notes that
>>>>> ExportPolicy implementations can be used to add authentication but I am
>>>>> missing further details.
>>>>>
>>>>> I tried to achieve it by adding an interceptor in my ExportPolicy but
>>>>> that seems not to help:
>>>>>
>>>>> props.put("service.exported.configs", "org.apache.cxf.ws");
>>>>> props.put("org.apache.cxf.ws.address", "http://192.168.1.100:9000/sync");
>>>>> props.put("org.apache.cxf.ws.in.interceptors", "com.acme.MyInterceptor");
>>>>>
>>>>> com.acme.MyInterceptor extends
>>>>> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor
>>>>>
>>>>> I also tried to provide the interceptor classname as List<String> or
>>>>> String[] but that didn't work either; the interceptor never gets invoked
>>>>> when sending messages.
>>>>>
>>>>> So what am I doing wrong, or is there any other/better way to secure a
>>>>> service provided by Aries RSA?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Christian

--
Christian Schneider
http://www.liquid-reality.de

Computer Scientist
http://www.adobe.com
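
The intent-based approach recommended in the thread, as an added example that is not part of the original messages or of the CXF or Aries code: a CXF feature that adds JAAS authentication plus role-based authorization, published as the intent "mysecurity", and a service that requires it through "service.exported.intents". The package, the class and interface names, the "/sync" path and the role "sync-user" are hypothetical; the intent-name property key is assumed to be the one used by the CXF logging activator linked above.

```java
// File 1: MySecurityFeature.java (publishes the intent "mysecurity")
package com.example.sync; // hypothetical package

import org.apache.cxf.Bus;
import org.apache.cxf.feature.AbstractFeature;
import org.apache.cxf.interceptor.InterceptorProvider;
import org.apache.cxf.interceptor.security.JAASLoginInterceptor;
import org.apache.cxf.interceptor.security.SimpleAuthorizingInterceptor;
import org.osgi.service.component.annotations.Component;

@Component(service = AbstractFeature.class,
           property = "org.apache.cxf.dosgi.IntentName=mysecurity") // assumed key
public class MySecurityFeature extends AbstractFeature {
    @Override
    protected void initializeProvider(InterceptorProvider provider, Bus bus) {
        // Authentication: log the caller in against the Karaf default realm.
        JAASLoginInterceptor login = new JAASLoginInterceptor();
        login.setContextName("karaf");
        // Tell CXF which principals in the JAAS Subject are roles.
        login.setRoleClassifierType(JAASLoginInterceptor.ROLE_CLASSIFIER_CLASS_NAME);
        login.setRoleClassifier("org.apache.karaf.jaas.boot.principal.RolePrincipal");
        provider.getInInterceptors().add(login);

        // Authorization: every operation requires the (hypothetical) role.
        SimpleAuthorizingInterceptor authz = new SimpleAuthorizingInterceptor();
        authz.setGlobalRoles("sync-user");
        provider.getInInterceptors().add(authz);

        super.initializeProvider(provider, bus);
    }
}

// File 2: SyncServiceImpl.java (exported by RSA, no ExportPolicy involved)
package com.example.sync;

import org.osgi.service.component.annotations.Component;

@Component(property = {
    "service.exported.interfaces=*",
    "service.exported.configs=org.apache.cxf.ws",
    "org.apache.cxf.ws.address=/sync",          // relative path: servlet transport
    "service.exported.intents=mysecurity"       // require the security intent
})
public class SyncServiceImpl implements SyncService {
    // SyncService is a hypothetical interface: String sync(String payload);
    @Override
    public String sync(String payload) {
        return "ok";
    }
}
```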