Sergey,

So far I've concluded that the CallbackHandler has to populate the Spring Security SecurityContext, such as (exclude the hacked up code):
import java.io.IOException;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;
import org.springframework.security.GrantedAuthority;
import org.springframework.security.GrantedAuthorityImpl;
import org.springframework.security.context.SecurityContextHolder;
import org.springframework.security.providers.UsernamePasswordAuthenticationToken;

public class PasswordCallbackHandler
    implements CallbackHandler
{
    public void handle(Callback[] arg0)
        throws IOException, UnsupportedCallbackException
    {
        for (Callback callback : arg0)
        {
            if (callback instanceof WSPasswordCallback)
            {
                WSPasswordCallback passwordCallback = (WSPasswordCallback) callback;
                // validUser(): the "hacked up" credential check left out of this post
                if (validUser(passwordCallback))
                {
                    // Register with Spring Security so annotated methods (@RolesAllowed)
                    // will allow appropriate users. There must be a nice way of doing this
                    // through the Spring context files!
                    SecurityContextHolder.getContext().setAuthentication(
                        new UsernamePasswordAuthenticationToken(
                            passwordCallback.getIdentifier(),
                            passwordCallback.getPassword(),
                            new GrantedAuthority[] {
                                new GrantedAuthorityImpl("ADMIN") }));
                    return;
                }
            }
        }
        throw new RuntimeException("Invalid user");
    }
}
The WS method can then be annotated with @RolesAllowed({"ADMIN"}).

But this isn't very clean; however, given WS-Security doesn't provide any roles, what else can be done? It would be nice to put the above into Spring though, so the user & role ("GrantedAuthority") mappings can be defined in XML. Is there something for this already?
John Baker
--
Web SSO
IT Infrastructure
Deutsche Bank London
URL: http://websso.cto.gt.intranet.db.com
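One way to get the user/role mapping out of the handler and into the Spring XML, as an added example (not code from this thread, from CXF or from WSS4J): delegate the credential check to the AuthenticationManager that Spring Security configures. It assumes the Spring Security 2.0 package names visible in the stack trace below, WSS4J's WSPasswordCallback, and that an authenticationManager bean (e.g. <authentication-manager alias="authenticationManager"/> backed by a <user-service> with its users and authorities) is injected into the handler; the class name is hypothetical.

```java
import java.io.IOException;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;
import org.springframework.security.Authentication;
import org.springframework.security.AuthenticationException;
import org.springframework.security.AuthenticationManager;
import org.springframework.security.context.SecurityContextHolder;
import org.springframework.security.providers.UsernamePasswordAuthenticationToken;

// Hypothetical handler: delegates to the AuthenticationManager wired in the Spring XML,
// so users and their GrantedAuthority roles live in <user-service>, not in Java code.
public class SpringSecurityPasswordCallbackHandler implements CallbackHandler {

    private AuthenticationManager authenticationManager; // set by Spring via property injection

    public void setAuthenticationManager(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback callback : callbacks) {
            if (!(callback instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callback);
            }
            WSPasswordCallback pc = (WSPasswordCallback) callback;
            // WSS4J hands a plaintext UsernameToken password to the handler with this usage;
            // it is the handler's job to verify it and fail the request otherwise.
            if (pc.getUsage() != WSPasswordCallback.USERNAME_TOKEN_UNKNOWN) {
                throw new UnsupportedCallbackException(callback, "usage " + pc.getUsage());
            }
            Authentication request =
                new UsernamePasswordAuthenticationToken(pc.getIdentifier(), pc.getPassword());
            try {
                // On success the returned token carries the authorities from the XML user service;
                // that is what @RolesAllowed on the service method is checked against.
                Authentication result = authenticationManager.authenticate(request);
                SecurityContextHolder.getContext().setAuthentication(result);
            } catch (AuthenticationException e) {
                // Never leave a stale or half-built context on a reused container thread
                SecurityContextHolder.clearContext();
                throw new IOException("WS-Security authentication failed: " + e.getMessage());
            }
        }
    }
}
```

For @RolesAllowed to be enforced, JSR-250 annotations also need switching on with <global-method-security jsr250-annotations="enabled"/> in the Spring Security namespace config, and the authority names in <user-service> must match the annotation values.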
From: John-M Baker <[EMAIL PROTECTED]>
Sent: 01/07/2008 12:35
Reply-To: [email protected]
To: [email protected]
Cc: [email protected]
Subject: Re: CXF and Acegisecurity
Sergey,

The problem seems to lie between enabling WS-Security on CXF (which isn't a problem) and wiring this into Spring Security. Look at the following:
Caused by: org.springframework.security.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext
    at org.springframework.security.intercept.AbstractSecurityInterceptor.credentialsNotFound(AbstractSecurityInterceptor.java:342)
    at org.springframework.security.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:254)
    at org.springframework.security.intercept.method.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:63)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
    at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
That appears after successful authentication with WS-Security, and CXF trying to invoke a method that's annotated with @RolesAllowed.
John Baker
--
Web SSO
IT Infrastructure
Deutsche Bank London
URL: http://websso.cto.gt.intranet.db.com
From: "Sergey Beryozkin" <[EMAIL PROTECTED]>
Sent: 01/07/2008 10:14
Reply-To: [email protected]
To: <[email protected]>
Cc: <[email protected]>
Subject: Re: CXF and Acegisecurity
Cool, thanks for the link. These links can get added to the wiki.

I hope that in your project, where you combine JAX-RS and JAX-WS in one resource class, the single piece of Spring Security config should suffice, not sure though. Let us know please how it goes.

Cheers, Sergey
----- Original Message -----
From: "John-M Baker" <[EMAIL PROTECTED]>
To: <[email protected]>
Cc: <[email protected]>
Sent: Tuesday, July 01, 2008 10:09 AM
Subject: Re: CXF and Acegisecurity
There's also a good example here:
http://www.jroller.com/habuma/entry/method_level_security_in_spring

I'm currently looking at what is required to wire Spring Security into the WS-Security module!
John Baker
--
Web SSO
IT Infrastructure
Deutsche Bank London
URL: http://websso.cto.gt.intranet.db.com
From: "Sergey Beryozkin" <[EMAIL PROTECTED]>
Sent: 01/07/2008 10:06
Reply-To: [email protected]
To: <[email protected]>
Subject: Re: CXF and Acegisecurity
Hi

Are there any docs specifically on implementing CXF REST with Acegisecurity? Google didn't return anything obvious.. A simple example showing how to secure a couple of methods would be handy.

have a look here please :
http://static.springframework.org/spring-security/site/reference/html/ns-config.html#ns-method-security

It's a Spring Security module which you're after. It should be possible to use AOP-like expressions to specify what kind of security credentials need to be applied to various methods in your resource class...

Cheers, Sergey
Thanks,
John Baker
--
Web SSO
IT Infrastructure
Deutsche Bank London
URL: http://websso.cto.gt.intranet.db.com
---
This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and delete this e-mail. Any unauthorized copying, disclosure or distribution of the material in this e-mail is strictly forbidden.

Please refer to http://www.db.com/en/content/eu_disclosures.htm for additional EU corporate and regulatory disclosures.

----------------------------
IONA Technologies PLC (registered in Ireland)
Registered Number: 171387
Registered Address: The IONA Building, Shelbourne Road, Dublin 4, Ireland