Great, thanks Freeman!! I'll try it as soon as I get back to the office. Thank you very much for your help!

2010/12/21 Freeman Fang <[email protected]>

> Hi,
>
> Assume your interceptor name is MySecurityInterceptor, then the code should
> be like
>
> public class MySecurityInterceptor extends AbstractWSS4JInterceptor {
>
>     public MySecurityInterceptor() {
>         super();
>         setPhase(Phase.PRE_PROTOCOL);
>         getAfter().add(WSS4JInInterceptor.class.getName());
>     }
>
>     public void handleMessage(SoapMessage message) throws Fault {
>         //the code I show you in my previous answer
>     }
> }
>
> Hope this helps
>
> Freeman
>
> On 2010-12-21, at 3:23 AM, Juan Pedro Silva Gallino wrote:
>
>> Thanks to both of you for your quick help.
>> Somehow, my Interceptor is not getting pulled into the chain.
>> I tried implementing interceptor (instantiation of the service failed
>> miserably complaining it was not a phaseinterceptor) and then
>> phaseinterceptor.
>> In my endpoint configuration I got:
>>
>> <jaxws:inInterceptors>
>>     <ref bean="WarehouseEndTimestampSign_Request"/>
>>     <ref bean="SecurityConnector"/>
>> </jaxws:inInterceptors>
>>
>> And in my interceptor:
>>
>> public Set getAfter()
>> {
>>     String preInter = "WarehouseEndTimestampSign_Request";
>>     Set st = new HashSet();
>>     st.add(preInter);
>>     return st;
>> }
>>
>> But it is never called (neither getAfter nor handleMessage method).
>> Just in case, I tell you that I'm using CXF 2.1.1.
>> Any ideas which could be the reason?
>>
>> Thanks again,
>> JP
>>
>> On 18/12/2010 3:36, Freeman Fang wrote:
>>
>>> Yeah, Dan is correct, create an interceptor after WSS4JIn and there's
>>> actually an X509Certificate created already.
>>>
>>> In the newly created interceptor you can do something like
>>>
>>> List<Object> results = (Vector<Object>)message.get(WSHandlerConstants.RECV_RESULTS);
>>> if (results == null) {
>>>     return;
>>> }
>>> for (Iterator iter = results.iterator(); iter.hasNext();) {
>>>     WSHandlerResult hr = (WSHandlerResult) iter.next();
>>>     if (hr == null || hr.getResults() == null) {
>>>         return;
>>>     }
>>>
>>>     for (Iterator it = hr.getResults().iterator(); it.hasNext();) {
>>>         WSSecurityEngineResult er = (WSSecurityEngineResult) it.next();
>>>
>>>         if (er != null && er.getCertificate() instanceof X509Certificate) {
>>>             X509Certificate cert = er.getCertificate();
>>>             //now you get X509Certificate you want
>>>         }
>>>     }
>>>
>>> }
>>> Freeman
>>> On 2010-12-18, at 5:54 AM, Daniel Kulp wrote:
>>>
>>>> Colm might be the better one to answer this if he's around.
>>>>
>>>> My gut feeling was to add an interceptor just after the WSS4JIn and grab the
>>>> WSS4J results from the message and find the X509 stuff in there. There
>>>> likely might already be an X509Principal created that you would just need to
>>>> authenticate.
>>>>
>>>> Dan
>>>>
>>>> On Friday 17 December 2010 10:50:33 am Juan Pedro Silva Gallino wrote:
>>>>
>>>>> Sorry, I had to resend as it got pulled into a different thread.
>>>>> Below is the message.
>>>>>
>>>>> Hi everybody. As always, let me first congratulate you on what a good
>>>>> piece of software CXF is.
>>>>> Now, on the subject that brings me here, I was able to secure my web
>>>>> services in quite a straightforward way with the available
>>>>> documentation.
>>>>> I'm using a org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor for
>>>>> validating timestamps, signatures, and encryption. Now I'm trying to use
>>>>> Spring Security (former Acegi) for authorization.
>>>>>
>>>>> This is not a new topic, I've found quite a few threads of posts on the
>>>>> subject, most remarkably
>>>>> http://www.mail-archive.com/[email protected]/msg09944.html (I guess
>>>>> http://code.google.com/p/cxf-spring-security/wiki/Documentation derives
>>>>> from it), but most deal with UsernameToken authentication as opposed to
>>>>> authentication based on X509 certificates. My first guess was to try to
>>>>> re-implement the same behavior for X509 tokens.
>>>>> So, I parted from the code of the password callback handler in
>>>>>
>>>>> http://nikofactory.blogspot.com/2009/10/receta-cxf-wss4j-y-spring-security.html
>>>>>
>>>>> public class SecurityInPasswordHandler implements CallbackHandler {
>>>>>     @Autowired
>>>>>     private AuthenticationManager authenticationManager;
>>>>>     @Autowired
>>>>>     private UserDetailsService userService;
>>>>>
>>>>>     public void handle(Callback[] callbacks) throws IOException,
>>>>>             UnsupportedCallbackException, AuthenticationException {
>>>>>
>>>>>         WSPasswordCallback pwdCallback = (WSPasswordCallback) callbacks[0];
>>>>>
>>>>>         int usage = pwdCallback.getUsage();
>>>>>         if ((usage == WSPasswordCallback.USERNAME_TOKEN) || (usage ==
>>>>>                 WSPasswordCallback.USERNAME_TOKEN_UNKNOWN)) {
>>>>>             String password = pwdCallback.getPassword();
>>>>>             if (usage == WSPasswordCallback.USERNAME_TOKEN) {
>>>>>                 UserDetails userDetails =
>>>>>                     userService.loadUserByUsername(pwdCallback.getIdentifier());
>>>>>                 password = userDetails.getPassword();
>>>>>             }
>>>>>             Authentication authentication = new
>>>>>                 UsernamePasswordAuthenticationToken(pwdCallback.getIdentifier(), password);
>>>>>             authentication =
>>>>>                 authenticationManager.authenticate(authentication); //throws AuthenticationException
>>>>>
>>>>>             SecurityContextHolder.getContext().setAuthentication(authentication);
>>>>>             // Return the password to the caller
>>>>>             pwdCallback.setPassword(password);
>>>>>         }
>>>>>     }
>>>>> }
>>>>>
>>>>> and figured I would try creating a X509AuthenticationToken instead of a
>>>>> UN token.
>>>>> However, to create one I need a X509Certificate, and I don't know
>>>>> where to get one from.
>>>>>
>>>>> So, my questions would be two:
>>>>> A) First of all, is this the correct approach, or am I missing the big
>>>>> picture here?
>>>>> B) If this is the correct way to go, where can I get a X509Certificate
>>>>> from to create the X509AuthenticationToken?
>>>>>
>>>>> Any examples/hints/tips on how to create this wiring would be very much
>>>>> appreciated!!
>>>>> Regards,
>>>>> Juan Pedro
>>>>>
>>>>
>>>> --
>>>> Daniel Kulp
>>>> [email protected]
>>>> http://dankulp.com/blog
>>>>
>>
>> --
>> Ing. Juan Pedro Silva Gallino
>> Email: [email protected]
>> PhD candidate in Telematics Engineering, Tel: (34) 91 549 5700 Ext. 381
>> Real-Time Systems,
>> Department of Telematics Engineering
>> Fax: (34) 91 336 7333
>> Universidad Politécnica de Madrid
>> URL: http://polaris.dit.upm.es/~psilva/
>> Paraninfo Ciudad Universitaria s/n,
>> C.P.: 28040, Madrid,
>> Spain.
>>
>
> --
> Freeman Fang
>
> ------------------------
>
> FuseSource: http://fusesource.com
> blog: http://freemanfang.blogspot.com
> twitter: http://twitter.com/freemanfang
> Apache Servicemix: http://servicemix.apache.org
> Apache Cxf: http://cxf.apache.org
> Apache Karaf: http://karaf.apache.org
> Apache Felix: http://felix.apache.org
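
The pieces discussed in this thread (an interceptor ordered after WSS4JInInterceptor, the walk over the WSS4J results, and the hand-off to Spring Security) combined into one class, as an added example that is not code from any of the posters or from the CXF project. Assumptions: the WSS4J 1.5.x API used in the thread (`getCertificate()`, `getAction()`), Spring Security 3.x package names with `PreAuthenticatedAuthenticationToken` standing in for the `X509AuthenticationToken` mentioned above, and a hypothetical class name.

```java
import java.security.cert.X509Certificate;
import java.util.List;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.handler.WSHandlerResult;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

// Hypothetical class name. Same phase as WSS4JInInterceptor, ordered after it by class name.
public class X509AuthenticationInterceptor extends AbstractPhaseInterceptor<SoapMessage> {
    private final AuthenticationManager authenticationManager; // supplied by the Spring context

    public X509AuthenticationInterceptor(AuthenticationManager authenticationManager) {
        super(Phase.PRE_PROTOCOL);
        addAfter(WSS4JInInterceptor.class.getName());
        this.authenticationManager = authenticationManager;
    }
    public void handleMessage(SoapMessage message) throws Fault {
        X509Certificate cert = signerCertificate((List<?>) message.get(WSHandlerConstants.RECV_RESULTS));
        // Fail closed: no verified signature means no authenticated caller.
        if (cert == null) throw new Fault(new SecurityException("no verified signing certificate"));
        try {
            Authentication auth = authenticationManager.authenticate(
                new PreAuthenticatedAuthenticationToken(cert.getSubjectX500Principal().getName(), cert));
            SecurityContextHolder.getContext().setAuthentication(auth);
        } catch (AuthenticationException e) {
            throw new Fault(e); // rejected by Spring Security: abort the interceptor chain
        }
    }
    // Accept only certificates attached to a signature result, not encryption or timestamp results.
    static X509Certificate signerCertificate(List<?> handlerResults) {
        if (handlerResults == null) return null;
        for (Object h : handlerResults) {
            WSHandlerResult hr = (WSHandlerResult) h;
            if (hr == null || hr.getResults() == null) continue;
            for (Object r : hr.getResults()) {
                WSSecurityEngineResult er = (WSSecurityEngineResult) r;
                if (er != null && er.getAction() == WSConstants.SIGN && er.getCertificate() != null) return er.getCertificate();
            }
        }
        return null;
    }
}
```

The `AuthenticationManager` needs a provider that accepts `PreAuthenticatedAuthenticationToken` and maps the subject DN to a user. `SecurityContextHolder` is thread-local by default, so clear it once the request has been handled.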
