Hi,
To test your approach I overrode

    protected SecurityContext createSecurityContext(final Principal p, final Subject subject)

in my interceptor that extends AbstractUsernameTokenInInterceptor:

    @Override
    protected SecurityContext createSecurityContext(final Principal p,
                                                    final Subject subject) {
        // Subject.getPrincipals() is a Set; copy it into a List so the entry
        // that createSubject inserted first can be inspected.
        List<Principal> principals =
            new ArrayList<Principal>(subject.getPrincipals());
        // Prefer the first non-Group principal from the Subject; otherwise
        // fall back to the Principal WSS4J built from the UsernameToken.
        Principal principal =
            !principals.isEmpty() && !(principals.get(0) instanceof Group)
                ? principals.get(0) : p;
        return new DefaultSecurityContext(principal, subject);
    }
Works very nicely. In my createSubject method I actually insert the
Authentication class as the first principal and now I can get access
to this class in the WebServiceContext getUserPrincipal() method.
Would be great to see this code added to the
AbstractSecurityContextInInterceptor
Thanks
Jason
On Sat, Nov 6, 2010 at 5:22 AM, Sergey Beryozkin <[email protected]> wrote:
> Hi
>
> On Fri, Nov 5, 2010 at 2:21 PM, Jason Pell <[email protected]> wrote:
>
>> Hi,
>>
>> I am struggling with configuring CXF and spring security. I am running the
>> 2.3.1-SNAPSHOT which has some improvements to the WSS4JInInterceptor. So
>> basically what I have is a JAX-WS service using ws-security to authenticate
>> using username password token. The username is the uid= of the DN of a
>> user
>> record in LDAP.
>>
>> What I want is for the Principal saved into the CXF SecurityContext to have
>> the full DN of the user.
>>
>> So what I have setup by way of interceptors are:
>>
>> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor
>> (ws-security.ut.no-callbacks = true)
>> I have a custom class which extends
>> org.apache.cxf.interceptor.security.AbstractUsernameTokenInInterceptor to
>> use spring security to create the Subject. I am creating a subject with
>> the
>> full DN of the user.
>>
>> However the
>> org.apache.cxf.interceptor.security.AbstractSecurityContextInInterceptor
>> ignores this and recreates the SecurityContext with the original username
>>
>> SecurityContext sc = createSecurityContext(context.getUserPrincipal(),
>> subject);
>>
>>
> the assumption was that the Principal created by WSS4J initially does
> represent the final/correct Principal.
> So maybe the interceptor should be updated like this:
>
>     List<Principal> principals =
>         new ArrayList<Principal>(subject.getPrincipals());
>
>     Principal p = !principals.isEmpty() && !(principals.get(0) instanceof Group)
>         ? principals.get(0)
>         : context.getUserPrincipal();
>
>     SecurityContext sc = createSecurityContext(p, subject);
>
> something like that...
>
> What do you think ?
>
> cheers, Sergey
>
>
>> So I am kind of up the creek without any kind of paddle :-)
>>
>> Any suggestions for how I might proceed? I guess I can always create my
>> own
>> interceptor from scratch to do this. I already did the same thing to
>> populate the full DN of groups.
>>
>
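As an added example (not code from this thread, from Jason's interceptor, or from CXF itself), the principal-selection rule discussed above written as a stand-alone Java class that runs without CXF. It goes slightly beyond the thread's version: instead of looking only at index 0, it scans the Subject for the first principal that is not a group, and falls back to the WSS4J principal only when none exists. `GroupPrincipal`, `NamedPrincipal` and `RolePrincipal` are local stand-ins (the thread's check is against `java.security.acl.Group`, which is deprecated and removed from recent JDKs), and the DN and usernames are constructed sample values.

```java
import java.security.Principal;
import javax.security.auth.Subject;

public class PrincipalSelectionDemo {

    // Stand-in for java.security.acl.Group (assumption: that is the interface
    // the thread's instanceof check refers to). Anything implementing this is
    // treated as a role/group, not as the user's identity.
    interface GroupPrincipal extends Principal {}

    // Name-only principal, e.g. carrying the user's full LDAP DN.
    static final class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        public String toString() { return name; }
    }

    // Group/role principal as createSubject might add for LDAP group membership.
    static final class RolePrincipal implements GroupPrincipal {
        private final String name;
        RolePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        public String toString() { return "group:" + name; }
    }

    /**
     * Chooses the Principal the SecurityContext should expose via
     * getUserPrincipal(): the first non-group principal in the Subject,
     * otherwise the Principal WSS4J already established from the UsernameToken.
     */
    static Principal selectPrincipal(Principal fromWss4j, Subject subject) {
        for (Principal candidate : subject.getPrincipals()) {
            if (!(candidate instanceof GroupPrincipal)) {
                return candidate;
            }
        }
        return fromWss4j;
    }

    // Builds a Subject with principals in the given insertion order.
    static Subject subjectWith(Principal... principals) {
        Subject subject = new Subject();
        for (Principal p : principals) {
            subject.getPrincipals().add(p);
        }
        return subject;
    }

    public static void main(String[] args) {
        // Constructed sample values: the uid from the UsernameToken and the
        // full DN that createSubject resolved against LDAP.
        Principal wss4j = new NamedPrincipal("jpell");
        Principal dn = new NamedPrincipal("uid=jpell,ou=people,dc=example,dc=com");
        Principal admins = new RolePrincipal("admins");

        // DN inserted first: the DN is exposed.
        System.out.println(selectPrincipal(wss4j, subjectWith(dn, admins)));
        // Group inserted first: scanning past groups still finds the DN.
        System.out.println(selectPrincipal(wss4j, subjectWith(admins, dn)));
        // Only groups: fall back to the WSS4J principal.
        System.out.println(selectPrincipal(wss4j, subjectWith(admins)));
        // Empty Subject: fall back as well.
        System.out.println(selectPrincipal(wss4j, new Subject()));
    }
}
```

The swap is only safe because createSubject runs after the UsernameToken password has been verified, so every principal in the Subject is something the interceptor itself established; the fallback to the WSS4J principal keeps getUserPrincipal() non-null when createSubject added groups but no identity principal.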