Colm might be the better one to answer this if he's around. 

My gut feeling was to add an interceptor just after the WSS4JIn and grab the
WSS4J results from the message and find the X509 stuff in there. There
likely might already be an X509Principal created that you would just need to
authenticate.

Dan


On Friday 17 December 2010 10:50:33 am Juan Pedro Silva Gallino wrote:
> Sorry, I had to resend as it got pulled into a different thread.
> Below is the message.
> 
> Hi everybody. As always, let me first congratulate you on what a good
> piece of software CXF is.
> Now, on the subject that brings me here, I was able to secure my web
> services in quite a straightforward way with the available documentation.
> I'm using a org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor for
> validating timestamps, signatures, and encryption. Now I'm trying to use
> Spring Security (former Acegi) for authorization.
> 
> This is not a new topic, I've found quite a few threads of posts on the
> subject, most remarkably
> http://www.mail-archive.com/[email protected]/msg09944.html (I guess
> http://code.google.com/p/cxf-spring-security/wiki/Documentation derives
> from it), but most deal with UsernameToken authentication as opposed to
> authentication based on X509 certificates. My first guess was to try to
> re-implement the same behavior for X509 tokens.
> So, I parted from the code of the password callback handler in
> http://nikofactory.blogspot.com/2009/10/receta-cxf-wss4j-y-spring-security.html
> 
> 
> public class SecurityInPasswordHandler implements CallbackHandler {
>     @Autowired
>     private AuthenticationManager authenticationManager;
>     @Autowired
>     private UserDetailsService userService;
> 
>     public void handle(Callback[] callbacks)
>             throws IOException, UnsupportedCallbackException, AuthenticationException {
>         WSPasswordCallback pwdCallback = (WSPasswordCallback) callbacks[0];
>         int usage = pwdCallback.getUsage();
>         if ((usage == WSPasswordCallback.USERNAME_TOKEN)
>                 || (usage == WSPasswordCallback.USERNAME_TOKEN_UNKNOWN)) {
>             String password = pwdCallback.getPassword();
>             if (usage == WSPasswordCallback.USERNAME_TOKEN) {
>                 UserDetails userDetails =
>                         userService.loadUserByUsername(pwdCallback.getIdentifier());
>                 password = userDetails.getPassword();
>             }
>             Authentication authentication =
>                     new UsernamePasswordAuthenticationToken(pwdCallback.getIdentifier(), password);
>             // throws AuthenticationException
>             authentication = authenticationManager.authenticate(authentication);
>             SecurityContextHolder.getContext().setAuthentication(authentication);
>             // Return the password to the caller
>             pwdCallback.setPassword(password);
>         }
>     }
> }
> 
> and figured I would try creating a X509AuthenticationToken instead of a
> UN token.
> However, to create one I need an X509Certificate, and I don't know
> where to get one from.
> 
> So, my questions would be two:
> A) First of all, is this the correct approach, or am I missing the big
> picture here?
> B) If this is the correct way to go, where can I get an X509Certificate
> from to create the X509AuthenticationToken?
> 
> Any examples/hints/tips on how to create this wiring would be very much
> appreciated!
> Regards,
>                  Juan Pedro

-- 
Daniel Kulp
[email protected]
http://dankulp.com/blog
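The wiring Dan sketches above (an interceptor placed after WSS4JInInterceptor that pulls the certificate out of the WSS4J results and hands it to Spring Security), written out as an added example; this is not code from the thread, from CXF or from Spring Security. It assumes CXF 2.3 with the WSS4J 1.5 result keys (RECV_RESULTS, TAG_ACTION, TAG_X509_CERTIFICATE) and Spring Security 3's PreAuthenticatedAuthenticationToken; on Spring Security 2.x the X509AuthenticationToken from the question takes the certificate the same way.

```java
import java.security.cert.X509Certificate;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.handler.WSHandlerResult;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

// Assumed class name; the package layout and bean wiring are left to the application.
public class X509SpringSecurityInterceptor extends AbstractPhaseInterceptor<SoapMessage> {
    private final AuthenticationManager authenticationManager; // injected by Spring
    public X509SpringSecurityInterceptor(AuthenticationManager authenticationManager) {
        super(Phase.PRE_PROTOCOL);
        addAfter(WSS4JInInterceptor.class.getName()); // run only after WSS4J has verified the message
        this.authenticationManager = authenticationManager;
    }
    public void handleMessage(SoapMessage message) throws Fault {
        X509Certificate cert = findSigningCertificate(message);
        if (cert == null) throw new Fault(new SecurityException("no verified signing certificate in request"));
        try { // subject DN as principal, certificate as credential; the provider assigns authorities
            SecurityContextHolder.getContext().setAuthentication(authenticationManager.authenticate(
                    new PreAuthenticatedAuthenticationToken(cert.getSubjectX500Principal().getName(), cert)));
        } catch (AuthenticationException e) {
            throw new Fault(e); // becomes a SOAP fault; the service implementation is never reached
        }
    }
    // Take the certificate only from a SIGN result: a BinarySecurityToken merely present in the
    // header proves nothing, whereas a signature WSS4J verified proves possession of the key.
    static X509Certificate findSigningCertificate(SoapMessage message) {
        Iterable<?> handlerResults = (Iterable<?>) message.get(WSHandlerConstants.RECV_RESULTS);
        if (handlerResults == null) return null;
        for (Object hr : handlerResults) {
            for (Object o : ((WSHandlerResult) hr).getResults()) {
                WSSecurityEngineResult r = (WSSecurityEngineResult) o;
                Integer action = (Integer) r.get(WSSecurityEngineResult.TAG_ACTION);
                if (action != null && action.intValue() == WSConstants.SIGN) {
                    return (X509Certificate) r.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
                }
            }
        }
        return null;
    }
}
```

Register it in the endpoint's inInterceptors alongside WSS4JInInterceptor, and clear SecurityContextHolder at the end of the request (an outgoing interceptor or a filter), because the context is thread-local and the container reuses threads.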
