Yeah, Dan is correct: create an interceptor after WSS4JIn, and there's
actually an X509Certificate created already.
In the new interceptor you can do something like
    import java.security.cert.X509Certificate;
    import java.util.Iterator;
    import java.util.List;
    import org.apache.ws.security.WSSecurityEngineResult;
    import org.apache.ws.security.handler.WSHandlerConstants;
    import org.apache.ws.security.handler.WSHandlerResult;

    // WSS4JInInterceptor stores what it verified under RECV_RESULTS (WSS4J 1.5 result API)
    List<Object> results = (List<Object>) message.get(WSHandlerConstants.RECV_RESULTS);
    if (results == null) {
        return;
    }
    for (Iterator iter = results.iterator(); iter.hasNext();) {
        WSHandlerResult hr = (WSHandlerResult) iter.next();
        if (hr == null || hr.getResults() == null) {
            return;
        }
        // one WSSecurityEngineResult per processed security header element
        for (Iterator it = hr.getResults().iterator(); it.hasNext();) {
            WSSecurityEngineResult er = (WSSecurityEngineResult) it.next();
            if (er != null && er.getCertificate() instanceof X509Certificate) {
                X509Certificate cert = er.getCertificate();
                // now you have the X509Certificate you want
            }
        }
    }
Freeman
On 2010-12-18, at 5:54 AM, Daniel Kulp wrote:
Colm might be the better one to answer this if he's around.
My gut feeling was to add an interceptor just after the WSS4JIn and grab the
WSS4J results from the message and find the X509 stuff in there. There
likely might already be an X509Principal created that you would just need to
authenticate.
Dan
On Friday 17 December 2010 10:50:33 am Juan Pedro Silva Gallino wrote:
Sorry, I had to resend as it got pulled into a different thread.
Below is the message.
Hi everybody. As always, let me first congratulate you on what a good
piece of software CXF is.
Now, on the subject that brings me here, I was able to secure my web
services in quite a straightforward way with the available documentation.
I'm using an org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor for
validating timestamps, signatures, and encryption. Now I'm trying to use
Spring Security (former Acegi) for authorization.
This is not a new topic; I've found quite a few threads of posts on the
subject, most remarkably
http://www.mail-archive.com/[email protected]/msg09944.html (I guess
http://code.google.com/p/cxf-spring-security/wiki/Documentation derives
from it), but most deal with UsernameToken authentication as opposed to
authentication based on X509 certificates. My first guess was to try to
re-implement the same behavior for X509 tokens.
So, I started from the code of the password callback handler in
http://nikofactory.blogspot.com/2009/10/receta-cxf-wss4j-y-spring-security.html
    import java.io.IOException;
    import javax.security.auth.callback.Callback;
    import javax.security.auth.callback.CallbackHandler;
    import javax.security.auth.callback.UnsupportedCallbackException;
    import org.apache.ws.security.WSPasswordCallback;
    import org.springframework.beans.factory.annotation.Autowired;
    // Spring Security 2.x package names assumed for the imports below
    import org.springframework.security.Authentication;
    import org.springframework.security.AuthenticationException;
    import org.springframework.security.AuthenticationManager;
    import org.springframework.security.context.SecurityContextHolder;
    import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
    import org.springframework.security.userdetails.UserDetails;
    import org.springframework.security.userdetails.UserDetailsService;

    public class SecurityInPasswordHandler implements CallbackHandler {
        @Autowired
        private AuthenticationManager authenticationManager;
        @Autowired
        private UserDetailsService userService;

        public void handle(Callback[] callbacks) throws IOException,
                UnsupportedCallbackException, AuthenticationException {
            WSPasswordCallback pwdCallback = (WSPasswordCallback) callbacks[0];
            int usage = pwdCallback.getUsage();
            if ((usage == WSPasswordCallback.USERNAME_TOKEN)
                    || (usage == WSPasswordCallback.USERNAME_TOKEN_UNKNOWN)) {
                String password = pwdCallback.getPassword();
                if (usage == WSPasswordCallback.USERNAME_TOKEN) {
                    // digest token: WSS4J needs the stored password to verify the digest
                    UserDetails userDetails =
                            userService.loadUserByUsername(pwdCallback.getIdentifier());
                    password = userDetails.getPassword();
                }
                Authentication authentication = new UsernamePasswordAuthenticationToken(
                        pwdCallback.getIdentifier(), password);
                // throws AuthenticationException if the credentials are rejected
                authentication = authenticationManager.authenticate(authentication);
                SecurityContextHolder.getContext().setAuthentication(authentication);
                // Return the password to the caller
                pwdCallback.setPassword(password);
            }
        }
    }
and figured I would try creating an X509AuthenticationToken instead of a
UN token.
However, to create one I need an X509Certificate, and I don't know
where to get one from.
So, my questions would be two:
A) First of all, is this the correct approach, or am I missing the big
picture here?
B) If this is the correct way to go, where can I get an X509Certificate
from to create the X509AuthenticationToken?
Any examples/hints/tips on how to create this wiring would be very much
appreciated!
Regards,
Juan Pedro
--
Daniel Kulp
[email protected]
http://dankulp.com/blog
--
Freeman Fang
------------------------
FuseSource: http://fusesource.com
blog: http://freemanfang.blogspot.com
twitter: http://twitter.com/freemanfang
Apache Servicemix: http://servicemix.apache.org
Apache Cxf: http://cxf.apache.org
Apache Karaf: http://karaf.apache.org
Apache Felix: http://felix.apache.org
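Putting Freeman's RECV_RESULTS lookup together with the X509AuthenticationToken Juan asked about, as an added example that is not code from the thread, from CXF or from Spring Security: an interceptor ordered after WSS4JInInterceptor that takes only the certificate from the SIGN result (the one whose signature WSS4J actually verified) and authenticates it through Spring Security. The class and method names are hypothetical; the WSS4J 1.5 result API and Spring Security 2.x package names are assumed, as is an AuthenticationManager wired with a provider that accepts X509AuthenticationToken.

```java
import java.security.cert.X509Certificate;
import java.util.List;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.handler.WSHandlerResult;
import org.springframework.security.Authentication;
import org.springframework.security.AuthenticationException;
import org.springframework.security.AuthenticationManager;
import org.springframework.security.context.SecurityContextHolder;
import org.springframework.security.providers.x509.X509AuthenticationToken;
// Hypothetical class name; same phase as WSS4JInInterceptor, explicitly ordered after it.
public class X509SpringSecurityInInterceptor extends AbstractPhaseInterceptor<SoapMessage> {
    // Assumed to be wired with a provider that accepts X509AuthenticationToken.
    private final AuthenticationManager authenticationManager;
    public X509SpringSecurityInInterceptor(AuthenticationManager authenticationManager) {
        super(Phase.PRE_PROTOCOL);
        addAfter(WSS4JInInterceptor.class.getName()); // signature already verified by WSS4J
        this.authenticationManager = authenticationManager;
    }
    public void handleMessage(SoapMessage message) throws Fault {
        X509Certificate cert = findSigningCertificate(message);
        if (cert == null) throw new Fault(new SecurityException("request carries no verified signature"));
        try {
            Authentication auth = authenticationManager.authenticate(new X509AuthenticationToken(cert));
            SecurityContextHolder.getContext().setAuthentication(auth);
        } catch (AuthenticationException e) {
            throw new Fault(e); // certificate not mapped to a known user: reject the call
        }
    }
    // Only the SIGN result proves the sender holds the private key; a bare BinarySecurityToken
    // result also carries a certificate but proves nothing by itself, so it is skipped here.
    static X509Certificate findSigningCertificate(SoapMessage message) {
        List<?> results = (List<?>) message.get(WSHandlerConstants.RECV_RESULTS);
        if (results == null) return null;
        for (Object o : results) {
            for (Object r : ((WSHandlerResult) o).getResults()) {
                WSSecurityEngineResult er = (WSSecurityEngineResult) r;
                if (er.getAction() == WSConstants.SIGN && er.getCertificate() != null) return er.getCertificate();
            }
        }
        return null;
    }
}
```

Register the interceptor on the endpoint's in-interceptor chain next to WSS4JInInterceptor; WSS4J's own trust check against the truststore still runs first, this class only maps the verified certificate to a Spring Security principal.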