Eamonn,
Thank you for this information, I tried what you suggested and got what
I need working, thanks again.
--Steve
Stephen Langella
Co-Director
Software Research Institute
Center for IT Innovations in Healthcare
Ohio State University
Senior Researcher
Department of Biomedical Informatics
Ohio State University
Office: (614) 293-9534
Lab: (614) 292-8420
[email protected]
> From: Eamonn Dwyer <[email protected]>
> Reply-To: <[email protected]>
> Date: Thu, 20 Aug 2009 14:37:45 +0100
> To: <[email protected]>
> Subject: RE: Determining Caller's Identity
>
>
> Hi Dan and Dan
> I think the attribute names may be slightly different from the ones mentioned
> below - looking at the code in SSLUtils.java propagateSecureSession they seem
> to be
> "javax.servlet.request.cipher_suite" and
> "javax.servlet.request.X509Certificate".
>
> or if you feel like going the interceptor route the code would look something
> like this (though you will need to add code to distinguish between the client's own
> certificate and the client's own certificate's CA chain):
>
> ....
>
>
> import java.security.cert.Certificate;
> import java.security.cert.X509Certificate;
> import org.apache.cxf.interceptor.Fault;
> import org.apache.cxf.message.Message;
> import org.apache.cxf.phase.AbstractPhaseInterceptor;
> import org.apache.cxf.phase.Phase;
> import org.apache.cxf.security.transport.TLSSessionInfo;
>
> public class TestInterceptor extends AbstractPhaseInterceptor<Message> {
>
>     public TestInterceptor() {
>         super(Phase.RECEIVE);
>     }
>
>     public void handleMessage(Message message) throws Fault {
>         // TLSSessionInfo is attached to the message by the HTTP transport;
>         // it is absent when the request did not arrive over HTTPS
>         TLSSessionInfo tlsSessionInfo = message.get(TLSSessionInfo.class);
>         if (tlsSessionInfo == null) {
>             return;
>         }
>         // peer chain: the client's own certificate followed by its CA chain
>         Certificate[] peerCerts = tlsSessionInfo.getPeerCertificates();
>         for (int i = 0; i < peerCerts.length; i++) {
>             X509Certificate x509certificate = (X509Certificate) peerCerts[i];
>             System.out.println("x509certificate " + x509certificate.getSubjectDN());
>         }
>     }
> }
>
> the output would look like
> x509certificate CN=bob, OU=eng, O=mycompany.com
> x509certificate CN=trent, OU=eng, O=mycompany.com
>
>
> Regs
> Eamonn
>
>
>> From: [email protected]
>> To: [email protected]
>> Subject: Re: Determining Caller's Identity
>> Date: Wed, 19 Aug 2009 13:53:49 -0400
>> CC: [email protected]
>>
>> On Wed August 19 2009 1:20:25 pm Stephen Langella wrote:
>>> Josef,
>>>
>>> I tried what you suggested but context.getUserPrincipal() returned
>>> null. Keep in mind I am using X.509 client certificates to authenticate
>>> with the server, I am trying to get the subject DN from the client's
>>> certificate as opposed to a basic authentication user id. Is this
>>> supported or am I doing something wrong? In Googling around I found a
>>> JIRA issue related to this and it is not clear whether or not what I am
>>> trying to do is supported:
>>>
>>> https://issues.apache.org/jira/browse/CXF-1680
>>
>> That had to do with X509 things within a WS-Security secured message, not
>> really using certs for SSL/https. For https, what you probably need to do is
>> pull the HttpServletRequest out of the context
>> (context.get(MessageContext.SERVLET_REQUEST)) and then use the
>> HttpServletRequest.getAttribute(...) call to retrieve the various HTTPS
>> attributes. "javax.net.ssl.peer_certificates" and
>> "javax.net.ssl.cipher_suite" and such.
>>
>> Dan
>>
>>
>>>
>>> I would appreciate if someone would comment, thanks in advance.
>>>
>>> --Steve
>>>
>>> Stephen Langella
>>> Co-Director
>>> Software Research Institute
>>> Center for IT Innovations in Healthcare
>>> Ohio State University
>>>
>>> Senior Researcher
>>> Department of Biomedical Informatics
>>> Ohio State University
>>>
>>> Office: (614) 293-9534
>>> Lab: (614) 292-8420
>>> [email protected]
>>>
>>>> From: Josef Bajada <[email protected]>
>>>> Reply-To: <[email protected]>
>>>> Date: Wed, 19 Aug 2009 15:03:05 +0200
>>>> To: <[email protected]>
>>>> Subject: RE: Determining Caller's Identity
>>>>
>>>> If you use the servlet container's authentication and transport security
>>>> methods (through WEB-INF/web.xml) to force authentication (such as HTTP
>>>> BASIC Auth over HTTPS), you can simply put the following line in your
>>>> service implementation class.
>>>>
>>>>
>>>> import javax.annotation.Resource;
>>>> import javax.xml.ws.WebServiceContext;
>>>>
>>>> /**
>>>>  * The web-service context will be automatically injected by the
>>>>  * JAX-WS container.
>>>>  */
>>>> @Resource
>>>> private WebServiceContext context;
>>>>
>>>> // in your methods where you need to check the caller:
>>>> if (context.getUserPrincipal() != null) {
>>>>     log.info(context.getUserPrincipal().getName() + ":: just called our methods");
>>>> }
>>>>
>>>> Regards,
>>>> Josef
>>>>
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: Eamonn Dwyer [mailto:[email protected]]
>>>> Sent: 19 August 2009 12:57
>>>> To: [email protected]
>>>> Subject: RE: Determining Caller's Identity
>>>>
>>>>
>>>> Hi Stephen
>>>> Not quite what you want but maybe you could do something like this
>>>> inside an interceptor rather than inside your service.
>>>>
>>>> // TLSSessionInfo is read from the message, not written to it
>>>> TLSSessionInfo tlsSessionInfo = message.get(TLSSessionInfo.class);
>>>> Certificate[] peerCerts = tlsSessionInfo.getPeerCertificates();
>>>> ... check the peer certificates and authorize based on this
>>>>
>>>> Regards
>>>> Eamonn
>>>>
>>>>> From: [email protected]
>>>>> To: [email protected]
>>>>> Subject: Determining Caller's Identity
>>>>> Date: Tue, 18 Aug 2009 14:37:12 -0400
>>>>>
>>>>> I have written an Apache CXF Web Service (WSDL First); inside the
>>>>> service I want to enforce authorization based on the identity of the
>>>>> client that called the service. I wanted to know if there was an API
>>>>> call I can make from the service implementation to obtain the client
>>>>> identity, for example if the client authenticates over HTTPS with a
>>>>> client certificate.
>>>>>
>>>>> --Steve
>>>>>
>>>>> Stephen Langella
>>>>> Co-Founder
>>>>> Inventrio, LLC
>>>>> www.inventrio.com
>>>>>
>>>>> [email protected]
>>>>
>>>> _________________________________________________________________
>>>> See all the ways you can stay connected to friends and family
>>>> http://www.microsoft.com/windows/windowslive/default.aspx
>>
>> --
>> Daniel Kulp
>> [email protected]
>> http://www.dankulp.com/blog
>
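The interceptor approach Eamonn sketches above, carried through to the point where it actually authorizes the caller, as an added example; this is not code from any of the thread's participants or from the CXF project. It uses the real CXF types the thread names (`TLSSessionInfo`, `AbstractPhaseInterceptor`, `Phase`, `Fault`) plus `AbstractHTTPDestination.HTTP_REQUEST` for the servlet-request fallback, and the Servlet-spec attribute `javax.servlet.request.X509Certificate` that Eamonn quotes from SSLUtils.java. The class name `ClientCertAuthzInterceptor`, the `CALLER_DN` message key and the allow-list of subject DNs are assumptions chosen for the example. It also covers the point Eamonn leaves as an exercise, separating the client's own certificate from the CA chain behind it: the chain arrives in TLS order (end entity first), and a CA certificate is recognisable by its basic-constraints extension.

```java
// Added example (not from the thread or from CXF): a CXF in-interceptor that
// takes the caller's identity from the client certificate of the TLS session
// and authorizes on the certificate's subject DN. Class name, CALLER_DN key and
// the allow-list are hypothetical; the CXF and Servlet APIs used are real.
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.security.transport.TLSSessionInfo;
import org.apache.cxf.transport.http.AbstractHTTPDestination;

public class ClientCertAuthzInterceptor extends AbstractPhaseInterceptor<Message> {

    /** Message property under which the authenticated subject DN is stored (hypothetical name). */
    public static final String CALLER_DN = ClientCertAuthzInterceptor.class.getName() + ".callerDN";

    /** Subject DNs (RFC 2253 form) permitted to call the service; constructed by the deployer. */
    private final Set<String> allowedSubjects;

    public ClientCertAuthzInterceptor(Set<String> allowedSubjects) {
        // The HTTP transport attaches TLSSessionInfo to the message before RECEIVE runs,
        // which is the phase the thread's TestInterceptor uses as well.
        super(Phase.RECEIVE);
        this.allowedSubjects = Collections.unmodifiableSet(new HashSet<String>(allowedSubjects));
    }

    @Override
    public void handleMessage(Message message) throws Fault {
        X509Certificate clientCert = clientCertificate(message);
        if (clientCert == null) {
            // No client certificate: plain HTTP, or the container did not require one.
            throw new Fault(new SecurityException("client certificate required"));
        }
        // getSubjectX500Principal() gives a canonical RFC 2253 string; getSubjectDN()
        // (used in the thread) is implementation-specific and unsuitable for comparison.
        String dn = clientCert.getSubjectX500Principal().getName();
        if (!allowedSubjects.contains(dn)) {
            throw new Fault(new SecurityException("subject not authorized: " + dn));
        }
        // Hand the verified identity to the service implementation; with JAX-WS it is
        // readable there as context.getMessageContext().get(CALLER_DN).
        message.put(CALLER_DN, dn);
        message.getExchange().put(CALLER_DN, dn);
    }

    /** Returns the client's own (end-entity) certificate, or null if the peer did not authenticate. */
    static X509Certificate clientCertificate(Message message) {
        Certificate[] chain = null;
        TLSSessionInfo tls = message.get(TLSSessionInfo.class);
        if (tls != null) {
            chain = tls.getPeerCertificates();
        }
        if (chain == null) {
            // Fallback: the Servlet-spec attribute the HTTP transport itself reads
            // (the name Eamonn quotes from SSLUtils.java), pulled off the raw request.
            HttpServletRequest req = (HttpServletRequest) message.get(AbstractHTTPDestination.HTTP_REQUEST);
            if (req != null) {
                chain = (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
            }
        }
        if (chain == null || chain.length == 0) {
            return null;
        }
        // TLS sends the chain with the client's own certificate first, then its issuers.
        // CA certificates carry basicConstraints cA=TRUE (getBasicConstraints() >= 0);
        // an end-entity certificate returns -1. Check so a reordered chain cannot make
        // the CA's DN pass as the caller's identity.
        for (Certificate c : chain) {
            X509Certificate x = (X509Certificate) c;
            if (x.getBasicConstraints() == -1) {
                return x;
            }
        }
        return null; // only CA certificates present: nothing identifies the caller
    }
}
```

Register it on the endpoint's in-interceptor chain (for example with `@org.apache.cxf.interceptor.InInterceptors` on the implementation class, or `endpoint.getInInterceptors().add(...)`). The container has already validated the chain against its trust store during the handshake, so the interceptor only decides who the verified subject is and whether that subject may call the service; it does not re-verify signatures.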