Hi Sergey,

Yes thanks. As I thought, I'd already written the filter to use the
HttpHeaders directly but was wondering if there was another preferred/better
way.

For note: there's a bug in HttpHeadersImpl which cannot handle a header
which is a non-empty collection populated with a single null item - in
HttpHeadersImpl:

private List<String> getListValues(String headerName) {
        List<String> values = headers.get(headerName);
        if (values == null || values.isEmpty()) {
            return Collections.emptyList();
        }
        if (HttpUtils.isDateRelatedHeader(headerName)) {
            return values;
        }
        String[] ls =  values.get(0).split(",");
        if (ls.length == 1) {
            return Collections.singletonList(ls[0].trim());
        } else {
            List<String> newValues = new ArrayList<String>();
            for (String v : ls) {
                newValues.add(v.trim());
            }
            return newValues;
        }
    }

Should be :

private List<String> getListValues(String headerName) {
        List<String> values = headers.get(headerName);
        // add check here if first value in collection is null
        if (values == null || values.isEmpty() || values.get(0) == null) {
            return Collections.emptyList();
        }
        if (HttpUtils.isDateRelatedHeader(headerName)) {
            return values;
        }

        String[] ls = values.get(0).split(",");
        if (ls.length == 1) {
            return Collections.singletonList(ls[0].trim());
        } else {
            List<String> newValues = new ArrayList<String>();
            for (String v : ls) {
                newValues.add(v.trim());
            }
            return newValues;
        }
    }


Otherwise the values.get(0).split will throw NPE.

Regards,
Kynan


Sergey Beryozkin-2 wrote:
> 
> Hi Kynan
> 
> here's a sample CustomInvoker :
> 
> http://svn.apache.org/repos/asf/cxf/trunk/systests/src/test/java/org/apache/cxf/systest/jaxrs/CustomJAXRSInvoker.java
> 
> At the moment filters/invokers can not get contexts like SecurityContext
> injected so it has to be created manually. 
> 
> Or you can just get m.get(org.apache.cxf.security.SecurityContext.class)
> from the message and get Principal from there.
> 
> Or would you like to work directly with HTTP headers? They're available
> on the message too, you can also do 
> HttpHeaders headers = new HttpHeadersImpl(m) and use HttpHeaders...
> 
> Let me know please if you need more info
> 
> cheers, Sergey
> 
> ----- Original Message ----- 
> From: "Kynan Fraser" <[email protected]>
> To: <[email protected]>
> Sent: Thursday, July 02, 2009 9:44 AM
> Subject: Re: Security in Jaxws/Jaxrs
> 
> 
>> 
>> Hi Sergey,
>> 
>> As a follow up to this, I'm trying to implement a basic http filter using a
>> request handler. Is there a way to obtain the http auth info? I can't find
>> it on any of the contexts or message.
>> 
>> Is there an example of a basic auth client and a request handler or custom
>> invoker handling the authentication?
>> 
>> Thanks,
>> Kynan
>> 
>> 
>> Sergey Beryozkin wrote:
>>> 
>>> Hi Vishal
>>> 
>>> I'm very sorry for a late reply - I was planning to reply much earlier but
>>> then I got swamped with some work and forgot.
>>> 
>>> There're a number of options, depending on your preferences
>>> 
>>> 1. Do it in the application code, in the resource class. This may or
>>> may not be the best option. Typically this is something users prefer to do
>>> outside of the application code. But then you may want to look at the
>>> resource class which checks the injected SecurityContexts as the facade or
>>> as an interceptor really which delegates to the actual application class
>>> which may make this option more viable.
>>> 
>>> So in this case you have to have
>>> @Resource WebServiceContext jaxwsContext;
>>> @Context SecurityContext jaxrsSecurityContext;
>>> 
>>> declared in your code. Next, you need to figure out whether it's a JAXWS
>>> or JAXRS invocation in progress, so you can do it like this
>>> // not sure at the moment how exactly to get security context from jaxws one
>>> if (jaxwsContext.getSecurityContext() == null) {
>>>    checkPrincipal(jaxrsSecurityContext.getPrincipal());
>>> } else {
>>>    checkPrincipal(jaxwsContext.getSecurityContext().getPrincipal());
>>> }
>>> 
>>> 2. Use Spring security - we have some simple tests showing how
>>> authentication and authorization can be done
>>> 
>>> 3. For JAXRS : Use CXF JAX-RS RequestFilter or custom invoker (which
>>> simply extends JAXRSInvoker and is registered as an invoker property)
>>> where you can get all the info you need (method name, Principal, etc)
>>>    For JAXWS : do a custom CXF in Interceptor which will throw Fault if
>>> needed.
>>> 
>>> Perhaps there're more options... Let me know please if you need more info
>>> on any of these options
>>> 
>>> Cheers, Sergey   
>>> 
>>> 
>>>    
>>> 
>>> 
>>> Vishal.a wrote:
>>>> 
>>>> Hello All,
>>>> 
>>>> I have services written, that have both JaxRs and Jaxws. I have to
>>>> implement security on the services now. There are 2 things I need to do
>>>> 
>>>> 1. Authentication - Using Basic Http Authentication
>>>> 2. Authorization - Secure each and every method.
>>>> 
>>>> I have seen posts that show me how to do for either JaxRS or Jaxws, can
>>>> someone tell me what would be the best way to approach it for doing it
>>>> for both REST and SOAP.
>>>> 
>>>> Any help is appreciated.
>>>> 
>>>> Thanks,
>>>> Vishal
>>>> 
>>> 
>>> 
>> 
>> -- 
>> View this message in context:
>> http://www.nabble.com/Security-in-Jaxws-Jaxrs-tp23266441p24303305.html
>> Sent from the cxf-user mailing list archive at Nabble.com.
>>
> 
> 

-- 
View this message in context: 
http://www.nabble.com/Security-in-Jaxws-Jaxrs-tp23266441p24315708.html
Sent from the cxf-user mailing list archive at Nabble.com.
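
The null guard proposed in the message above matters most in an authentication filter that reads headers directly: a null-valued Authorization header should end in a rejected request, not a NullPointerException. An added example (not CXF code and not from this thread; the class and method names are hypothetical, and a plain Map stands in for the message headers) that applies the same guard while parsing a Basic credential:

```java
import java.nio.charset.StandardCharsets;
import java.util.*;

// Added example, not CXF code. Class and method names are hypothetical.
public class BasicAuthHeaderCheck {

    /** Returns {user, password}, or null when the header is absent, null-valued or malformed. */
    static String[] parseBasic(Map<String, List<String>> headers) {
        List<String> values = headers.get("Authorization");
        // Same guard as the proposed getListValues fix: a non-empty list whose
        // first element is null is treated like a missing header.
        if (values == null || values.isEmpty() || values.get(0) == null) {
            return null;
        }
        String[] parts = values.get(0).trim().split("\\s+", 2);
        if (parts.length != 2 || !"Basic".equalsIgnoreCase(parts[0])) {
            return null; // no token, or a scheme other than Basic
        }
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(parts[1].trim()), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return null; // token is not valid Base64
        }
        int colon = decoded.indexOf(':');
        if (colon <= 0) {
            return null; // no separator, or empty user name
        }
        return new String[] {decoded.substring(0, colon), decoded.substring(colon + 1)};
    }

    public static void main(String[] args) {
        // Constructed sample inputs, one per failure mode plus a valid header.
        String token = Base64.getEncoder().encodeToString("alice:s3cret".getBytes(StandardCharsets.UTF_8));
        Map<String, Map<String, List<String>>> cases = new LinkedHashMap<>();
        cases.put("valid", Map.of("Authorization", List.of("Basic " + token)));
        cases.put("missing", Map.of());
        cases.put("single null item", Map.of("Authorization", Collections.<String>singletonList(null)));
        cases.put("wrong scheme", Map.of("Authorization", List.of("Bearer abc")));
        cases.put("bad base64", Map.of("Authorization", List.of("Basic !!!")));
        cases.forEach((name, h) -> {
            String[] cred = parseBasic(h);
            System.out.println(name + " -> " + (cred == null ? "reject with 401" : "user=" + cred[0]));
        });
    }
}
```

Every malformed case returns null, so the caller has a single deny path and never reaches the password check with partial data.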
