> -----Original Message-----
> From: Sergey Beryozkin [mailto:[email protected]]
> Sent: Monday, January 18, 2010 4:34 AM
> To: [email protected]
> Subject: Re: help implementing secured resource methods?
>
> Hi
>
> it's been a while since I used <security-constraint>, etc. I think the reason you get 401 in this case is that WebLogic has not been configured with a WebLogic-specific configuration listing user name/password pairs, because if you use the <security-constraint>/etc you're actually relying on the underlying container to do the (basic) authentication. And another thing to check here is that an Authorization header containing a Basic authorization info is properly formatted and that a 'username:password' has been base64-encoded...

I've decided that I'm better off letting the container do the authentication and simple authorization and then doing fine-tuned authorization in my handler (my authorizations are data-based, not method-based, so Spring Security doesn't help me). I finally got through the role/group mapping stuff, so that my request with a valid Authorization header got serviced without a 401 or 403. However, I'm also seeing that when I get into my handler, the AuthorizationPolicy that I retrieve from the message is null. I can see the "Authorization" header right in the debugging. Is there something else I have to do to get my principal/credentials automatically parsed out so I don't have to do it manually?

> So hopefully, once you make the first (authentication) step working then the custom RequestHandler will be able to get Principal(s) from an injected (thread-safe) SecurityContext in a RequestHandler and then do some custom authorization decisions.
>
> Perhaps, rather than doing the custom authorization checks, you might want to try to have SpringSecurity do it for you, ex, see [1]. You can probably still rely on the (WebLogic) container doing the actual authentication and the Principal allocation (as opposed to Spring Security doing it, see security:http/security:http-basic) but just configure SpringSecurity to do the actual method-level authorization only. The test beans.xml at [1] relies on the @Secured (or RolesAllowed) annotations but see [2] for an example on how to do the declarative method authorization in beans.xml
>
> Most likely, you'd still need a custom RequestHandler to check a sessionId...
>
> let me know please what option you'd like to pursue and how it all goes,
>
> cheers, Sergey
>
>
> [1] http://svn.apache.org/repos/asf/cxf/trunk/systests/jaxrs/src/test/resources/jaxrs_security/WEB-INF/beans.xml
> [2] http://svn.apache.org/repos/asf/cxf/trunk/systests/jaxrs/src/test/resources/jaxrs_security_no_annotations/WEB-INF/beans.xml
>
> ----- Original Message -----
> From: "KARR, DAVID (ATTCINW)" <[email protected]>
> To: <[email protected]>
> Sent: Friday, January 15, 2010 10:03 PM
> Subject: help implementing secured resource methods?
>
>
> I need to investigate how I can implement some level of authorization security for my resource methods.
>
> What I envision is that I will have one resource method that is protected by basic auth (https), and all that does is return a session id. All the other resource methods will require a session id that I can validate as either just existing, or perhaps to validate that the authorization for the principal that owns that session is valid for the "channel" this resource method represents (other resource methods will represent other channels, which other principals are allowed to access).
>
> I looked in the CXF doc for information about security and request handlers. It appears that I can register a request handler that might be able to do all of this work. I see that I can read the request headers, and there is an example that shows how to read the basic auth header.
>
> I think the next part has to do with configuring my app (the web.xml, mostly) so that I can at least do manual authentication and authorization.
>
> I then tried to send basic auth on my request. SoapUI doesn't appear to be able to send it just by providing the principal and credentials (even though it seems like it does), but when I manually formatted an "Authorization" header (that I got from a Wikipedia article) I got an immediate 401 back from my app, before it got to any of my code. That seems to imply that I can't move forward without setting up the web.xml file for security.
>
> Assuming this is true, can anyone suggest a minimal set of elements in the web.xml that will allow me to do this? I've started with the following:
>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>myapp</web-resource-name>
>     <url-pattern>/rest</url-pattern>
>   </web-resource-collection>
>   <auth-constraint>
>   </auth-constraint>
> </security-constraint>
>
> <login-config>
>   <auth-method>BASIC</auth-method>
> </login-config>
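Two things in the quoted web.xml are worth checking before blaming the container: `<url-pattern>/rest</url-pattern>` is an exact match under the Servlet spec, so resources under `/rest/...` are not covered unless the pattern is `/rest/*`; and an `<auth-constraint>` that lists no `<role-name>` means "nobody may access", regardless of whether the caller authenticated, so `<role-name>*</role-name>` (any declared role) is the usual minimal choice. The handler below is an added example, not code from this thread or from CXF itself: a CXF 2.2-style JAX-RS RequestHandler that first reads the AuthorizationPolicy the HTTP transport may already have put on the message, falls back to parsing the raw Basic header itself (splitting on the first colon only, since passwords may contain colons, and rejecting non-Basic schemes and bad base64), and treats the container-supplied principal from the injected SecurityContext as the source of truth for identity. The package name, class name and realm name are assumptions.

```java
// Added example; package, class and realm names are hypothetical.
package example.security;

import java.io.UnsupportedEncodingException;
import java.security.Principal;
import java.util.List;
import java.util.Map;

import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;

import org.apache.cxf.common.util.Base64Exception;
import org.apache.cxf.common.util.Base64Utility;
import org.apache.cxf.configuration.security.AuthorizationPolicy;
import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.jaxrs.ext.RequestHandler;
import org.apache.cxf.jaxrs.model.ClassResourceInfo;
import org.apache.cxf.message.Message;

/**
 * CXF 2.2-era RequestHandler, registered under <jaxrs:providers>.
 * The container (web.xml BASIC) has already authenticated the caller;
 * this handler only exposes credentials and principal to data-level
 * authorization code and challenges requests that carry neither.
 */
public class BasicAuthRequestHandler implements RequestHandler {

    private static final String REALM = "myapp"; // assumed realm name

    // Injected by CXF; wraps the container's request principal.
    @Context
    private SecurityContext securityContext;

    public Response handleRequest(Message m, ClassResourceInfo resourceClass) {
        // Preferred path: the transport may already have parsed a Basic header.
        AuthorizationPolicy policy = m.get(AuthorizationPolicy.class);
        if (policy == null) {
            // Fallback: parse the raw Authorization header ourselves.
            policy = parseBasicHeader(getFirstHeader(m, "Authorization"));
            if (policy != null) {
                m.put(AuthorizationPolicy.class, policy); // visible downstream
            }
        }

        // Identity comes from the container, which actually verified the
        // password; the parsed policy is only convenient access to the
        // user name and must not be treated as proof of authentication.
        Principal principal = securityContext == null ? null
                                                      : securityContext.getUserPrincipal();

        if (policy == null && principal == null) {
            return Response.status(401)
                           .header("WWW-Authenticate", "Basic realm=\"" + REALM + "\"")
                           .build();
        }

        // Data-based checks (e.g. record owner vs principal.getName()) go here.
        // Returning null tells CXF to continue to the resource method.
        return null;
    }

    /** Case-insensitive lookup of the first value of an HTTP request header. */
    static String getFirstHeader(Message m, String name) {
        Map<String, List<String>> headers =
            CastUtils.cast((Map<?, ?>) m.get(Message.PROTOCOL_HEADERS));
        if (headers == null) {
            return null;
        }
        for (Map.Entry<String, List<String>> e : headers.entrySet()) {
            List<String> values = e.getValue();
            if (name.equalsIgnoreCase(e.getKey()) && values != null && !values.isEmpty()) {
                return values.get(0);
            }
        }
        return null;
    }

    /**
     * Parses "Basic base64(user:password)". Returns null for a missing,
     * non-Basic or malformed header so the caller decides whether to
     * challenge. Splits on the FIRST colon only: the user-id may not
     * contain a colon, but the password may.
     */
    static AuthorizationPolicy parseBasicHeader(String header) {
        if (header == null) {
            return null;
        }
        String[] parts = header.trim().split("\\s+", 2);
        if (parts.length != 2 || !"Basic".equalsIgnoreCase(parts[0])) {
            return null; // e.g. Digest, or an unencoded "user:pass" sent by hand
        }
        String decoded;
        try {
            decoded = new String(Base64Utility.decode(parts[1]), "ISO-8859-1");
        } catch (Base64Exception ex) {
            return null; // not valid base64 after "Basic "
        } catch (UnsupportedEncodingException ex) {
            return null; // cannot happen for ISO-8859-1
        }
        int colon = decoded.indexOf(':');
        if (colon < 1) {
            return null; // no separator, or empty user name
        }
        AuthorizationPolicy policy = new AuthorizationPolicy();
        policy.setUserName(decoded.substring(0, colon));
        policy.setPassword(decoded.substring(colon + 1));
        policy.setAuthorizationType("Basic");
        return policy;
    }
}
```

Register it as a bean inside the `<jaxrs:providers>` element of the `jaxrs:server` definition, alongside the resource beans, the same way the beans.xml files at [1] and [2] register their providers. Note that the `RequestHandler` interface was deprecated in later CXF releases in favour of the JAX-RS 2.0 `ContainerRequestFilter`; the parsing and the "trust the container principal, not the header" rule carry over unchanged.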
