Hi Christian, oh yes I can see, adding the JAASAuthenticationFeature to the cxf bus is required *in addition* to adding the JAASLoginInterceptor. I was not getting the desired result after Phase 1 so that makes sense.
I added a very simple example to GitHub <https://github.com/bertramn/jaas-auth-rest-example> for anyone interested. Thanks a lot for the help, much appreciated!

Kind Regards,
Niels

On Mon, Jan 19, 2015 at 6:18 PM, Christian Schneider <[email protected]> wrote:
> Hi Niels,
>
> this is what you need to configure in blueprint to make it work:
>
> https://github.com/cschneider/Karaf-Tutorial/blob/master/cxf/personservice/server/src/main/resources/OSGI-INF/blueprint/blueprint.xml
>
> I never tested with rest but in SOAP it worked fine and it should also work in SOAP.
>
> It works like this:
>
> Phase 1 is the authentication. It is mainly done in the CXF interceptor:
>
> - The JAASAuthenticationFeature adds the JAASLoginInterceptor
> - Inside the interceptor the basic auth http headers are read and a JAAS login is done
> - During the JAAS login by default the "karaf" context is used. So you can login for example with karaf/karaf or whatever you set in your users.properties
> - The following CXF chain is called in subject.doAs. This populates the AccessControlContext
>
> From this point on you can use standard JAAS API calls to work with the AccessControlContext.
>
> Phase 2 is authorization
>
> As a second step you can then use the blueprint authz module. Simply activate it with <authz:enable/>
>
> It works with the @RolesAllowed annotations to secure access to blueprint beans.
> In my case I set it on
> https://github.com/cschneider/Karaf-Tutorial/blob/master/cxf/personservice/server/src/main/java/net/lr/tutorial/karaf/cxf/personservice/impl/PersonServiceImpl.java
>
>     @RolesAllowed("admin")
>     public Person[] getAll() {
>         return personMap.values().toArray(new Person[]{});
>     }
>
> So this works with the roles set in users.properties. As the user karaf is in the group admin he can access the method. If you add another user without this role then it will be able to access unsecured methods but not this one.
>
> Does this work for you?
>
> Christian
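The two phases Christian describes (Basic header -> JAAS login against the "karaf" realm -> rest of the chain under Subject.doAs -> @RolesAllowed check on the bean) can be seen end to end without Karaf or CXF. The following is an added, self-contained JDK mock of that flow written for this thread; it is not code from CXF, Karaf, Aries or either GitHub example. `RolePrincipal`, `MapLoginModule`, `PersonService`, the in-memory users table and the Basic headers it feeds in are all constructed stand-ins (Karaf's real RolePrincipal lives in org.apache.karaf.jaas.boot.principal and its users come from a PropertiesLoginModule reading users.properties). On JDK 11 and later `javax.annotation.security.RolesAllowed` is no longer in the JDK, so the `javax.annotation-api` jar is needed on the classpath; `Subject.getSubject(AccessControlContext)` is deprecated on recent JDKs but still works.

```java
import java.io.IOException;
import java.lang.reflect.Method;
import java.nio.charset.StandardCharsets;
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedExceptionAction;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.annotation.security.RolesAllowed;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

/** Standalone mock: Basic auth -> JAAS login -> Subject.doAs -> @RolesAllowed check. Not CXF/Karaf code. */
public class JaasRestDemo {

    /** Stand-in for Karaf's RolePrincipal (assumption: a Principal whose name is the role). */
    public static final class RolePrincipal implements Principal {
        private final String name;
        public RolePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    /** Stand-in for Karaf's PropertiesLoginModule; USERS mimics users.properties (constructed data). */
    public static class MapLoginModule implements LoginModule {
        static final Map<String, String> USERS = new HashMap<>();          // user -> "password,role1,role2"
        static { USERS.put("karaf", "karaf,admin,manager"); USERS.put("guest", "guest,viewer"); }
        private Subject subject; private CallbackHandler handler; private String[] roles = new String[0];

        @Override public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
            subject = s; handler = h;
        }
        @Override public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try { handler.handle(new Callback[] {nc, pc}); }
            catch (IOException | UnsupportedCallbackException e) { throw new LoginException(e.getMessage()); }
            String entry = USERS.get(nc.getName());
            if (entry == null) throw new FailedLoginException("unknown user");
            String[] parts = entry.split(",");
            if (!parts[0].equals(new String(pc.getPassword()))) throw new FailedLoginException("bad password");
            roles = Arrays.copyOfRange(parts, 1, parts.length);
            return true;
        }
        @Override public boolean commit() { for (String r : roles) subject.getPrincipals().add(new RolePrincipal(r)); return true; }
        @Override public boolean abort() { return true; }
        @Override public boolean logout() { subject.getPrincipals().clear(); return true; }
    }

    /** Programmatic equivalent of the "karaf" JAAS realm Karaf provides out of the box. */
    static final Configuration KARAF_REALM = new Configuration() {
        @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            if (!"karaf".equals(name)) return null;
            return new AppConfigurationEntry[] { new AppConfigurationEntry(MapLoginModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Collections.emptyMap()) };
        }
    };

    /** Phase 1, first half: what the interceptor does with the Authorization header. */
    static CallbackHandler fromBasicHeader(String authorization) throws LoginException {
        if (authorization == null || !authorization.regionMatches(true, 0, "Basic ", 0, 6))
            throw new LoginException("no Basic credentials");   // CXF would answer 401 here
        String[] userPass = new String(Base64.getDecoder().decode(authorization.substring(6).trim()),
                StandardCharsets.UTF_8).split(":", 2);
        if (userPass.length != 2) throw new LoginException("malformed Basic credentials");
        return callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) ((NameCallback) c).setName(userPass[0]);
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword(userPass[1].toCharArray());
            }
        };
    }

    /** Phase 2: the check <authz:enable/> performs for a @RolesAllowed bean method, done here by hand. */
    static Object invokeGuarded(Object bean, String methodName) throws Exception {
        Method m = bean.getClass().getMethod(methodName);
        RolesAllowed ra = m.getAnnotation(RolesAllowed.class);
        if (ra != null) {                                   // unannotated methods stay open to any logged-in user
            Subject s = Subject.getSubject(AccessController.getContext());   // populated by Subject.doAs
            boolean allowed = s != null && s.getPrincipals(RolePrincipal.class).stream()
                    .anyMatch(p -> Arrays.asList(ra.value()).contains(p.getName()));
            if (!allowed) throw new SecurityException(methodName + " requires one of " + Arrays.toString(ra.value()));
        }
        return m.invoke(bean);
    }

    /** Constructed stand-in for PersonServiceImpl: one secured and one unsecured method. */
    public static class PersonService {
        @RolesAllowed("admin") public String[] getAll() { return new String[] {"alice", "bob"}; }
        public String ping() { return "pong"; }
    }

    /** One request through both phases: login, then run the rest of the "chain" inside Subject.doAs. */
    static Object handle(String authorization, String method) throws Exception {
        LoginContext lc = new LoginContext("karaf", new Subject(), fromBasicHeader(authorization), KARAF_REALM);
        lc.login();
        return Subject.doAs(lc.getSubject(), (PrivilegedExceptionAction<Object>) () -> invokeGuarded(new PersonService(), method));
    }

    static String basic(String user, String pass) {
        return "Basic " + Base64.getEncoder().encodeToString((user + ":" + pass).getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        System.out.println(Arrays.toString((String[]) handle(basic("karaf", "karaf"), "getAll"))); // admin role: allowed
        System.out.println(handle(basic("guest", "guest"), "ping"));                            // unsecured method: allowed
        try { handle(basic("guest", "guest"), "getAll"); }
        catch (SecurityException e) { System.out.println("denied: " + e.getMessage()); }       // right user, wrong role
        try { handle(basic("karaf", "wrong"), "ping"); }
        catch (LoginException e) { System.out.println("login failed: " + e.getMessage()); }    // Phase 1 rejects it
    }
}
```

The point to take from the mock is the ordering: a caller that cannot pass the JAAS login never reaches the bean at all, and a caller that does pass it still only gets the unannotated methods unless its Subject carries a matching RolePrincipal. Because the role check reads the Subject from the AccessControlContext, it only works for code running inside the Subject.doAs established by the interceptor; anything that hops to another thread loses it.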
