Hi everybody. As always, let me first congratulate you on what a good piece of software CXF is. Now, on the subject that brings me here, I was able to secure my web services in quite a straightforward way with the available documentation. I'm using an org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor for validating timestamps, signatures, and encryption. Now I'm trying to use Spring Security (formerly Acegi) for authorization.

This is not a new topic; I've found quite a few threads of posts on the subject, most notably http://www.mail-archive.com/[email protected]/msg09944.html (I guess http://code.google.com/p/cxf-spring-security/wiki/Documentation derives from it), but most deal with UsernameToken authentication as opposed to authentication based on X509 certificates. My first guess was to try to re-implement the same behavior for X509 tokens. So, I started from the code of the password callback handler in http://nikofactory.blogspot.com/2009/10/receta-cxf-wss4j-y-spring-security.html :

import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;
import org.springframework.beans.factory.annotation.Autowired;
// Spring Security 2.0.x package names are assumed for the imports below.
import org.springframework.security.Authentication;
import org.springframework.security.AuthenticationException;
import org.springframework.security.AuthenticationManager;
import org.springframework.security.context.SecurityContextHolder;
import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
import org.springframework.security.userdetails.UserDetails;
import org.springframework.security.userdetails.UserDetailsService;

public class SecurityInPasswordHandler implements CallbackHandler {
    @Autowired
    private AuthenticationManager authenticationManager;
    @Autowired
    private UserDetailsService userService;

    public void handle(Callback[] callbacks)
            throws IOException, UnsupportedCallbackException, AuthenticationException {

        WSPasswordCallback pwdCallback = (WSPasswordCallback) callbacks[0];

        int usage = pwdCallback.getUsage();
        if ((usage == WSPasswordCallback.USERNAME_TOKEN)
                || (usage == WSPasswordCallback.USERNAME_TOKEN_UNKNOWN)) {
            // USERNAME_TOKEN_UNKNOWN: the plain-text password arrives in the callback.
            String password = pwdCallback.getPassword();
            if (usage == WSPasswordCallback.USERNAME_TOKEN) {
                // USERNAME_TOKEN (digest): fetch the stored password so WSS4J can
                // recompute and compare the digest.
                UserDetails userDetails =
                        userService.loadUserByUsername(pwdCallback.getIdentifier());
                password = userDetails.getPassword();
            }
            Authentication authentication = new UsernamePasswordAuthenticationToken(
                    pwdCallback.getIdentifier(), password);
            // Throws AuthenticationException if the credentials are rejected.
            authentication = authenticationManager.authenticate(authentication);
            SecurityContextHolder.getContext().setAuthentication(authentication);
            // Return the password to the caller so WSS4J can finish token validation.
            pwdCallback.setPassword(password);
        }
    }
}

and figured I would try creating an X509AuthenticationToken instead of a UN token. However, to create one I need an X509Certificate, and I don't know where to get one from.

So, my questions would be two:
A) First of all, is this the correct approach, or am I missing the big picture here? B) If this is the correct way to go, where can I get an X509Certificate from to create the X509AuthenticationToken?

Any examples/hints/tips on how to create this wiring would be very much appreciated!
Regards,
                Juan Pedro
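One way to do the same bridging for a signed request, as an added example that is not part of the original post or of CXF: a CXF interceptor that runs after WSS4JInInterceptor, reads the signature-verification results WSS4J stored in the message under WSHandlerConstants.RECV_RESULTS, takes the certificate that verified the signature and hands it to Spring Security as an X509AuthenticationToken. Package names assume WSS4J 1.5.x and Spring Security 2.0.x (the x509 provider package); the class name and the PRE_INVOKE phase are my choices, and the AuthenticationManager is assumed to be wired with an X509 provider.

```java
import java.security.cert.X509Certificate;
import java.util.List;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.handler.WSHandlerResult;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.Authentication;
import org.springframework.security.AuthenticationManager;
import org.springframework.security.context.SecurityContextHolder;
import org.springframework.security.providers.x509.X509AuthenticationToken;

// Runs in PRE_INVOKE, i.e. after WSS4JInInterceptor (PRE_PROTOCOL). Class name is mine.
public class X509SpringSecurityInterceptor extends AbstractPhaseInterceptor<SoapMessage> {
    @Autowired
    private AuthenticationManager authenticationManager;

    public X509SpringSecurityInterceptor() {
        super(Phase.PRE_INVOKE);
    }
    public void handleMessage(SoapMessage message) throws Fault {
        X509Certificate cert = signingCertificate(message);
        if (cert == null) {
            // No verified signature: fail the call instead of continuing unauthenticated.
            throw new Fault(new SecurityException("request carries no verified signature"));
        }
        // authenticate() throws AuthenticationException when the provider rejects the cert.
        Authentication auth = authenticationManager.authenticate(new X509AuthenticationToken(cert));
        SecurityContextHolder.getContext().setAuthentication(auth);
    }
    // Only a SIGN result identifies the sender; a certificate in an encryption result is the receiver's, so skip it.
    @SuppressWarnings("unchecked")
    static X509Certificate signingCertificate(SoapMessage message) {
        List<WSHandlerResult> results = (List<WSHandlerResult>) message.get(WSHandlerConstants.RECV_RESULTS);
        if (results == null) return null;
        for (WSHandlerResult hr : results) {
            for (WSSecurityEngineResult er : (List<WSSecurityEngineResult>) hr.getResults()) {
                Integer action = (Integer) er.get(WSSecurityEngineResult.TAG_ACTION);
                if (action != null && (action.intValue() & WSConstants.SIGN) != 0) {
                    return (X509Certificate) er.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
                }
            }
        }
        return null;
    }
}
```

The interceptor deliberately trusts only the certificate attached to a SIGN result, because WSS4J has already checked that signature against the configured truststore; whether that subject may call the operation is then decided by the Spring Security provider and the method-level authorization it backs.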