Thanks to both of you for your quick help.
Somehow, my Interceptor is not getting pulled into the chain.
I tried implementing Interceptor (instantiation of the service failed
miserably, complaining it was not a PhaseInterceptor) and then
PhaseInterceptor.
In my endpoint configuration I've got:

    <jaxws:inInterceptors>
        <ref bean="WarehouseEndTimestampSign_Request"/>
        <ref bean="SecurityConnector"/>
    </jaxws:inInterceptors>

And in my interceptor:

    public Set<String> getAfter() {
        String preInter = "WarehouseEndTimestampSign_Request";
        Set<String> st = new HashSet<String>();
        st.add(preInter);
        return st;
    }

But it is never called (neither the getAfter nor the handleMessage method).
Just in case, I'll tell you that I'm using CXF 2.1.1.
Any ideas what could be the reason?
Thanks again,
JP
On 18/12/2010 3:36, Freeman Fang wrote:
Yeah, Dan is correct: create an interceptor after WSS4JIn and there's
actually an X509Certificate created already.
In the newly created interceptor you can do something like:

    import java.security.cert.X509Certificate;
    import java.util.List;
    import org.apache.cxf.message.Message;
    import org.apache.ws.security.WSSecurityEngineResult;
    import org.apache.ws.security.handler.WSHandlerConstants;
    import org.apache.ws.security.handler.WSHandlerResult;

    @SuppressWarnings("unchecked")
    public void handleMessage(Message message) {
        // WSS4JInInterceptor stores one WSHandlerResult per security header it processed
        List<WSHandlerResult> results =
            (List<WSHandlerResult>) message.get(WSHandlerConstants.RECV_RESULTS);
        if (results == null) {
            return;
        }
        for (WSHandlerResult hr : results) {
            if (hr == null || hr.getResults() == null) {
                return;
            }
            // one WSSecurityEngineResult per action (Timestamp, Signature, Encrypt, ...)
            for (Object o : hr.getResults()) {
                WSSecurityEngineResult er = (WSSecurityEngineResult) o;
                if (er != null && er.getCertificate() instanceof X509Certificate) {
                    X509Certificate cert = er.getCertificate();
                    // now you have the X509Certificate you want
                }
            }
        }
    }
Freeman
On 2010-12-18, at 5:54 AM, Daniel Kulp wrote:
Colm might be the better one to answer this if he's around.
My gut feeling was to add an interceptor just after the WSS4JIn and grab the
WSS4J results from the message and find the X509 stuff in there. There
likely might already be an X509Principal created that you would just need to
authenticate.
Dan
On Friday 17 December 2010 10:50:33 am Juan Pedro Silva Gallino wrote:
Sorry, I had to resend as it got pulled into a different thread.
Below is the message.
Hi everybody. As always, let me first congratulate you on what a good
piece of software CXF is.
Now, on the subject that brings me here, I was able to secure my web
services in quite a straightforward way with the available
documentation.
I'm using an org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor for
validating timestamps, signatures, and encryption. Now I'm trying to
use Spring Security (formerly Acegi) for authorization.
This is not a new topic; I've found quite a few threads of posts on the
subject, most remarkably
http://www.mail-archive.com/[email protected]/msg09944.html (I guess
http://code.google.com/p/cxf-spring-security/wiki/Documentation derives
from it), but most deal with UsernameToken authentication as opposed to
authentication based on X509 certificates. My first guess was to try to
re-implement the same behavior for X509 tokens.
So, I started from the code of the password callback handler in
http://nikofactory.blogspot.com/2009/10/receta-cxf-wss4j-y-spring-security.html
    // imports assume the Spring Security 2.0 package layout
    import java.io.IOException;
    import javax.security.auth.callback.Callback;
    import javax.security.auth.callback.CallbackHandler;
    import javax.security.auth.callback.UnsupportedCallbackException;
    import org.apache.ws.security.WSPasswordCallback;
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.security.Authentication;
    import org.springframework.security.AuthenticationException;
    import org.springframework.security.AuthenticationManager;
    import org.springframework.security.context.SecurityContextHolder;
    import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
    import org.springframework.security.userdetails.UserDetails;
    import org.springframework.security.userdetails.UserDetailsService;

    public class SecurityInPasswordHandler implements CallbackHandler {
        @Autowired
        private AuthenticationManager authenticationManager;
        @Autowired
        private UserDetailsService userService;

        public void handle(Callback[] callbacks) throws IOException,
                UnsupportedCallbackException, AuthenticationException {
            WSPasswordCallback pwdCallback = (WSPasswordCallback) callbacks[0];
            int usage = pwdCallback.getUsage();
            if ((usage == WSPasswordCallback.USERNAME_TOKEN)
                    || (usage == WSPasswordCallback.USERNAME_TOKEN_UNKNOWN)) {
                String password = pwdCallback.getPassword();
                if (usage == WSPasswordCallback.USERNAME_TOKEN) {
                    // the callback carries no password for this usage, so take the stored one
                    UserDetails userDetails =
                        userService.loadUserByUsername(pwdCallback.getIdentifier());
                    password = userDetails.getPassword();
                }
                Authentication authentication = new UsernamePasswordAuthenticationToken(
                    pwdCallback.getIdentifier(), password);
                // throws AuthenticationException on failure
                authentication = authenticationManager.authenticate(authentication);
                SecurityContextHolder.getContext().setAuthentication(authentication);
                // Return the password to the caller
                pwdCallback.setPassword(password);
            }
        }
    }
and figured I would try creating an X509AuthenticationToken instead of a
UN token.
However, to create one I need an X509Certificate, and I don't know
where to get one from.
So, my questions would be two:
A) First of all, is this the correct approach, or am I missing the big
picture here?
B) If this is the correct way to go, where can I get an X509Certificate
from to create the X509AuthenticationToken?
Any examples/hints/tips on how to create this wiring would be very much
appreciated!
Regards,
Juan Pedro
--
Daniel Kulp
[email protected]
http://dankulp.com/blog
--
Ing. Juan Pedro Silva Gallino
Email: [email protected]
PhD candidate in Telematics Engineering, Tel: (34) 91 549 5700 Ext. 381
Real-Time Systems,
Department of Telematics Engineering
Fax: (34) 91 336 7333
Universidad Politécnica de Madrid
URL: http://polaris.dit.upm.es/~psilva/
Paraninfo Ciudad Universitaria s/n,
C.P.: 28040, Madrid,
Spain.
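Putting Dan's and Freeman's suggestion together with the ordering problem from the follow-up, here is a complete interceptor, added as an illustration rather than code from this thread or from CXF: it extends AbstractSoapInterceptor (so it is a PhaseInterceptor), orders itself after WSS4JInInterceptor by interceptor id (the class name by default, not a Spring bean name), keeps only the certificate from the Signature result, and hands it to Spring Security as an X509AuthenticationToken. The class name is hypothetical; the code assumes the CXF 2.1 / WSS4J 1.5 APIs and the Spring Security 2.0 package layout, with an X509AuthenticationProvider wired into the AuthenticationManager.

```java
import java.security.cert.X509Certificate;
import java.util.List;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.binding.soap.interceptor.AbstractSoapInterceptor;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.ws.security.*;           // WSConstants, WSSecurityEngineResult (WSS4J 1.5)
import org.apache.ws.security.handler.*;   // WSHandlerConstants, WSHandlerResult
import org.springframework.security.*;     // Authentication*, Spring Security 2.0 layout (assumed)
import org.springframework.security.context.SecurityContextHolder;
import org.springframework.security.providers.x509.X509AuthenticationToken;

public class X509SpringSecurityInterceptor extends AbstractSoapInterceptor { // hypothetical name
    private final AuthenticationManager authenticationManager;

    public X509SpringSecurityInterceptor(AuthenticationManager authenticationManager) {
        super(Phase.PRE_PROTOCOL);                     // same phase as WSS4JInInterceptor...
        addAfter(WSS4JInInterceptor.class.getName());  // ...ordered after it by interceptor id
        this.authenticationManager = authenticationManager;
    }

    @SuppressWarnings("unchecked")
    public void handleMessage(SoapMessage message) throws Fault {
        List<WSHandlerResult> results =
            (List<WSHandlerResult>) message.get(WSHandlerConstants.RECV_RESULTS);
        X509Certificate signer = null;
        if (results != null) {
            for (WSHandlerResult hr : results) {
                for (Object o : hr.getResults()) {
                    WSSecurityEngineResult er = (WSSecurityEngineResult) o;
                    // Trust only the certificate that verified the Signature action;
                    // Timestamp and Encrypt results identify nobody.
                    if (er.getAction() == WSConstants.SIGN && er.getCertificate() != null) {
                        signer = er.getCertificate();
                    }
                }
            }
        }
        if (signer == null) {  // fail closed: unsigned request, no identity to authorize
            throw new Fault(new SecurityException("no signing certificate in WSS4J results"));
        }
        try {
            Authentication auth =
                authenticationManager.authenticate(new X509AuthenticationToken(signer));
            SecurityContextHolder.getContext().setAuthentication(auth);
        } catch (AuthenticationException e) {
            throw new Fault(e);
        }
    }
}
```

SecurityContextHolder is thread-local by default and server threads are reused, so clear it in an outbound or fault interceptor after the invocation, otherwise one caller's authentication can leak into the next request handled on the same thread.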