On Wed August 19 2009 1:20:25 pm Stephen Langella wrote:
> Josef,
>
> I tried what you suggested but context.getUserPrincipal() returned
> null. Keep in mind I am using X.509 client certificates to authenticate
> with the server, I am trying to get the subject DN from the client's
> certificate as opposed to a basic authentication user id. Is this
> supported or am I doing something wrong? In Googling around I found a
> JIRA issue related to this and it is not clear whether or not what I am
> trying to do is supported:
>
> https://issues.apache.org/jira/browse/CXF-1680

That had to do with X509 things within a WS-Security secured message, not
really using certs for SSL/https.

For https, what you probably need to do is pull the HttpServletRequest out
of the context (context.get(MessageContext.SERVLET_REQUEST)) and then use
the HttpServletRequest.getAttribute(...) call to retrieve the various HTTPS
attributes. "javax.net.ssl.peer_certificates" and
"javax.net.ssl.cipher_suite" and such.

Dan

>
> I would appreciate if someone would comment, thanks in advance.
>
> --Steve
>
> Stephen Langella
> Co-Director
> Software Research Institute
> Center for IT Innovations in Healthcare
> Ohio State University
>
> Senior Researcher
> Department of Biomedical Informatics
> Ohio State University
>
> Office: (614) 293-9534
> Lab: (614) 292-8420
> [email protected]
>
> > From: Josef Bajada <[email protected]>
> > Reply-To: <[email protected]>
> > Date: Wed, 19 Aug 2009 15:03:05 +0200
> > To: <[email protected]>
> > Subject: RE: Determining Caller's Identity
> >
> > If you use the servlet container's authentication and transport security
> > methods (through WEB-INF/web.xml) to force authentication (such as HTTP
> > BASIC Auth over HTTPS), you can simply put the following line in your
> > service implementation class.
> >
> >     /**
> >      * The web-service context will be automatically injected by the
> >      * JAX-WS Container.
> >      */
> >     @Resource
> >     private WebServiceContext context;
> >
> >     // in your methods where you need to check the caller:
> >     if (context.getUserPrincipal() != null)
> >     {
> >         log.info(context.getUserPrincipal().getName()
> >                 + ":: just called our methods");
> >     }
> >
> > Regards,
> > Josef
> >
> > -----Original Message-----
> > From: Eamonn Dwyer [mailto:[email protected]]
> > Sent: 19 August 2009 12:57
> > To: [email protected]
> > Subject: RE: Determining Caller's Identity
> >
> > Hi Stephen
> > Not quite what you want but maybe you could do something like this
> > inside an interceptor rather than inside your service.
> >
> >     TLSSessionInfo tlsSessionInfo = message.get(TLSSessionInfo.class);
> >     Certificate[] peerCerts = tlsSessionInfo.getPeerCertificates();
> >     // ... check the peer certificates and authorize based on this
> >
> > Regards
> > Eamonn
> >
> >> From: [email protected]
> >> To: [email protected]
> >> Subject: Determining Caller's Identity
> >> Date: Tue, 18 Aug 2009 14:37:12 -0400
> >>
> >> I have written an Apache CXF Web Service (WSDL First), inside the
> >> service I want to enforce authorization based on the identity of the
> >> client that called the service. I wanted to know if there was an API
> >> call I can make from the service implementation to obtain the client
> >> identity. For example if the client authenticates over HTTPS with a
> >> client certificate.
> >>
> >> --Steve
> >>
> >> Stephen Langella
> >> Co-Founder
> >> Inventrio, LLC
> >> www.inventrio.com
> >>
> >> [email protected]
> >
> > _________________________________________________________________
> > See all the ways you can stay connected to friends and family
> > http://www.microsoft.com/windows/windowslive/default.aspx

--
Daniel Kulp
[email protected]
http://www.dankulp.com/blog
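
The servlet-request approach from the reply above, carried through to an authorization check, as an added example that is not part of the original thread or CXF's own code. Assumptions: the class name, the allow-listed DN (constructed), the `javax.servlet.request.X509Certificate` attribute name (the Servlet-spec name, not mentioned in the thread), the pre-Jakarta `javax.*` APIs on the classpath, and a container configured to request and validate client certificates during the TLS handshake.

```java
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Set;
import javax.annotation.Resource;
import javax.security.auth.x500.X500Principal;
import javax.servlet.http.HttpServletRequest;
import javax.xml.ws.WebServiceContext;
import javax.xml.ws.handler.MessageContext;

public class CallerIdentityExample {
    // Servlet-spec attribute name (assumption: not named in the thread).
    static final String SERVLET_CERTS = "javax.servlet.request.X509Certificate";
    // Attribute name given in the reply above; which one is set depends on the container.
    static final String JSSE_CERTS = "javax.net.ssl.peer_certificates";
    // Constructed allow list. X500Principal.equals() compares canonical DNs,
    // so case and whitespace differences do not cause a mismatch.
    static final Set<X500Principal> ALLOWED = Collections.singleton(
            new X500Principal("CN=alice,OU=Research,O=Example,C=US"));

    @Resource
    private WebServiceContext context; // injected by the JAX-WS container

    /** Returns the client's leaf certificate, or null if none was presented. */
    static X509Certificate clientCertificate(HttpServletRequest request) {
        if (request == null) return null;
        Object certs = request.getAttribute(SERVLET_CERTS);
        if (certs == null) certs = request.getAttribute(JSSE_CERTS);
        if (certs instanceof Certificate[]) {
            Certificate[] chain = (Certificate[]) certs;
            // The client's own certificate is first in the chain.
            if (chain.length > 0 && chain[0] instanceof X509Certificate) {
                return (X509Certificate) chain[0];
            }
        }
        return null;
    }

    /** Call at the top of a service operation; fails closed if the caller is unknown. */
    X500Principal requireAuthorizedCaller() {
        HttpServletRequest request = (HttpServletRequest)
                context.getMessageContext().get(MessageContext.SERVLET_REQUEST);
        X509Certificate cert = clientCertificate(request);
        if (cert == null) throw new SecurityException("no client certificate on request");
        X500Principal subject = cert.getSubjectX500Principal();
        if (!ALLOWED.contains(subject)) throw new SecurityException("caller not authorized");
        return subject;
    }
}
```

The subject DN is only meaningful here because the container has already verified the certificate chain against its trust store; if TLS is terminated at a proxy in front of the container, these attributes are not populated and the check rejects the call.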
