I think I know how to fix this from a general perspective, but I have an issue with a detail that I would appreciate help with.
In order to trigger login, I have been considering using either a HttpContext (handleSecurity) or a servlet filter. The servlet in question is the cxf-servlet. Since I have no (known) control over when the cxf-servlet is registered, how could I know WHEN it is allowed to register the httpContext/filter? I think I read that when using the whiteboard extender, you could not do that until after the servlet has been registered, correct?

Any help on this init/dependency "problem" would be highly appreciated.

Thanks
Lars

Sent from my iPhone

On 21 Feb 2013, at 11:16, Łukasz Dywicki <[email protected]> wrote:

> I haven't done that with CXF STS, however I did it with regular WSS4J
> username token & JAAS:
>
> <bean id="svc" class="org.code_house.cxf.secure.CustomerServiceImpl" />
>
> <jaxws:endpoint id="customerService" implementor="#svc"
>     address="/customer">
>     <jaxws:inInterceptors>
>         <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
>             <argument>
>                 <map>
>                     <entry key="action" value="UsernameToken"/>
>                 </map>
>             </argument>
>         </bean>
>         <bean class="org.apache.cxf.interceptor.security.JAASLoginInterceptor">
>             <property name="contextName" value="test" />
>         </bean>
>         <bean class="org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor">
>             <property name="securedObject" ref="svc"/>
>         </bean>
>     </jaxws:inInterceptors>
>     <jaxws:properties>
>         <entry key="ws-security.validate.token" value="false" />
>         <!-- Only verification of auth headers
>         <entry key="ws-security.ut.validator">
>             <bean class="org.apache.ws.security.validate.JAASUsernameTokenValidator">
>                 <property name="contextName" value="test" />
>             </bean>
>         </entry>
>         -->
>     </jaxws:properties>
> </jaxws:endpoint>
>
> With this configuration CXF checks @RolesAllowed. Roles are defined in JAAS
> login module.
>
> Best regards,
> Lukasz
>
> On 21 Feb 2013, at 01:13, Christian Schneider <[email protected]> wrote:
>
>> I am currently trying to do a similar thing. I try to authenticate against a
>> CXF Secure Token Service using a client cert. Currently CXF STS has some
>> modules for authorization.
>> To get this out of STS I try to switch the authorization to JAAS. The
>> problem is that in JAAS you can not simply get the roles of a user. You only
>> get the roles after you do a login.
>>
>> So what I am trying to do is use or create a CertificateLoginModule for JAAS
>> that can work with either SSL client certs or ws-security cert + signature.
>>
>> Perhaps this can even be done in a simpler way. I wonder if I could simply
>> create a LDAP Login Module that does no authentication and instead simply
>> uses a fixed user to fetch the role infos from LDAP.
>> In any case I will report my progress and it would be great if you could
>> also write if you find something.
>>
>> Christian
>>
>> On 20.02.2013 19:17, Lars-Erik Helander wrote:
>>> Thanks Achim,
>>>
>>> do you have any suggestions on where I can find documentation/examples that
>>> could be of help to me, e.g. how to configure my web app to "force" login
>>> via client certs?
>>>
>>> Thanks
>>>
>>> Lars
>>>
>>> Sent from my iPhone
>>>
>>> On 20 Feb 2013, at 17:41, Achim Nierbeck <[email protected]> wrote:
>>>
>>>> Hi Lars,
>>>>
>>>> I think it should be possible. At least right now I don't see anything
>>>> objecting to this. As Pax Web already does work with certs, you have the
>>>> credentials for it. Now you just need to make sure your configuration
>>>> for the authorization is delegated to the underlying JAAS. This should be
>>>> possible.
>>>> It probably needs a bit of tweaking and researching since it's a
>>>> not-out-of-the-box situation.
>>>>
>>>> Let us know if it worked out :)
>>>>
>>>> regards, Achim
>>>>
>>>> 2013/2/20 Lars-Erik Helander <[email protected]>
>>>>> Lukasz & Achim,
>>>>>
>>>>> Thanks for the feedback.
>>>>>
>>>>> No, I do not have a working stand alone jetty solution to "port".
>>>>>
>>>>> The solution works as follows today:
>>>>>
>>>>> The client, which is another system and not a human user, authenticates
>>>>> to the Karaf "server" using a client cert. No login takes place so it's
>>>>> just a matter of transport level security. The receiving servlet makes an
>>>>> explicit call to an LDAP server to get the role(s) associated with the
>>>>> client. The LDAP search is based on the user principal established during
>>>>> the ssl session setup (principal info comes from the client certificate).
>>>>> I would like to move away from doing the LDAP call in my application
>>>>> (servlet) and instead make the LDAP interaction via JAAS. I guess I would
>>>>> need to do at least two things:
>>>>> 1) configure JAAS with an LDAP login module
>>>>> 2) force login to take place, probably by somehow configuring the specific
>>>>> URL as being protected and somehow configure/code that login using client
>>>>> certificate shall take place
>>>>>
>>>>> Is this possible?
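An added example (not code from this thread, nor from Pax Web or CXF) of the HttpContext.handleSecurity route Lars mentions: it reads the verified TLS client certificate that the servlet container exposes on the request and performs a JAAS login under a realm name, in the spirit of the non-authenticating role-lookup LoginModule Christian proposes. The class name, the realm, the attribute name used to hand the Subject downstream, and the assumption that the LoginModule behind the realm accepts the certificate subject DN via a NameCallback are all assumptions.

```java
import java.io.IOException;
import java.net.URL;
import java.security.cert.X509Certificate;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.osgi.service.http.HttpContext;
/** Hypothetical HttpContext: TLS client cert -> JAAS login -> request marked as authenticated. */
public class ClientCertJaasContext implements HttpContext {
    // Servlet-spec attribute under which the container exposes the verified client chain.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    private final String realm; // JAAS login context name, e.g. "test" as in the quoted config (assumption)
    public ClientCertJaasContext(String realm) { this.realm = realm; }

    @Override
    public boolean handleSecurity(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        X509Certificate[] chain = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        if (chain == null || chain.length == 0) {
            // No verified client cert: the TLS connector must be configured to request client auth.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate required");
            return false;
        }
        final String dn = chain[0].getSubjectX500Principal().getName();
        try {
            // The LoginModule behind `realm` is assumed to accept the subject DN through a
            // NameCallback and to populate the Subject with role principals (e.g. fetched from LDAP).
            LoginContext lc = new LoginContext(realm, callbacks -> {
                for (Callback cb : callbacks) {
                    if (cb instanceof NameCallback) ((NameCallback) cb).setName(dn);
                }
            });
            lc.login();
            // Standard OSGi HttpContext attributes so the servlet can see who was authenticated.
            req.setAttribute(HttpContext.AUTHENTICATION_TYPE, HttpServletRequest.CLIENT_CERT_AUTH);
            req.setAttribute(HttpContext.REMOTE_USER, dn);
            req.setAttribute("javax.security.auth.Subject", lc.getSubject()); // hypothetical attribute name
            return true;
        } catch (LoginException e) {
            // Login failed (e.g. no roles found for this DN): refuse the request before it reaches the servlet.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "JAAS login failed for " + dn);
            return false;
        }
    }
    @Override public URL getResource(String name) { return null; }   // no static resources served
    @Override public String getMimeType(String name) { return null; }
}
```

The context is passed to HttpService.registerServlet (or published for the whiteboard) alongside the servlet, so the cxf-servlet only sees requests for which handleSecurity returned true.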
