Hi

Here is a brief overview of how CXF can help.

JAASLoginInterceptor can get a CXF-specific UsernameToken (a simple bean containing the name, password, etc.) or an AuthorizationInfo bean (populated by transport-specific Destinations, for example from the HTTP Authorization header) and delegate to the container-managed authentication sub-system... JAASLoginInterceptor does not bypass it, it simply lets users avoid relying on updating web.xml for this to happen, and it will work with Karaf/etc...

So, when we are talking about the legacy clients, you can have the custom fields extracted and a UsernameToken created and saved on the current message, and JAASLoginInterceptor will populate the SecurityContext (with Principal, roles, etc.).

When you have WS-Security aware clients, you have two options. One is to register custom interceptors which will work with WSS4J Principals. If you have not only UsernameTokens to deal with then it's the only option. Another option is to set a "ws-security.validate.token" property - and this will let you reuse JAASLoginInterceptor for populating the SecurityContext.

The SecurityContext populated by JAASLoginInterceptor can be cast to LoginSecurityContext, which will give you access to the actual roles and Subject. This can be used for example to bridge between CXF SecurityContexts and Spring security contexts...

Hope it helps a bit
Sergey

2011/3/21 Alp Timurhan Çevik <[email protected]>

> Hello,
>
> As I tried to state in my previous message, I have a scenario that involves
> having some custom fields for auth information and I am trying to use Spring
> Security with the auth info. I am not using WS-Security, but would like to
> support it for the new clients, whereas the old clients should not need
> to send data with WS-Security.
>
> Further getting into the concept, I tried to implement the handlers such
> that:
>
> 1. Intercept the incoming message, which has fields like
>    <user>sdsd</user><password>asas</password>
>
> 2. Use WSS4JOutInterceptor to add WS-Security related headers, if
>    headers are not present
>
> 3. Intercept the same message again with WSS4JInInterceptor,
>
>    a. and use Spring Security for checking auth info (this part is
>       unclear yet)
>
>    b. could use JAAS here instead of WSS4JInInterceptor
>
> 4. Using a simple auth interceptor to check for methods and roles. The
>    method and role mapping is needed, as different services run different
>    methods.
>
> So, the idea is using custom fields as fields for keeping auth info and
> constructing WS-Security related information from these fields.
>
> - do you think that makes sense, or am I just messing around?
>
> - I have played around with phases, but have not been able to
>   complete step 2, does anyone have an idea how to do that?
>
> Cheers,
>
> Alp

-- 
Sergey Beryozkin
Application Integration Division of Talend <http://www.talend.com>
http://sberyozkin.blogspot.com
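As an added example (not part of the original thread and not code from the CXF project), the following shows the legacy-client path Sergey describes: an interceptor that runs before JAASLoginInterceptor, extracts the custom fields, creates a CXF UsernameToken, saves it on the current message, and a helper that later reads the populated SecurityContext as a LoginSecurityContext. It assumes the legacy clients send the fields as SOAP headers in the hypothetical namespace `http://example.com/legacy-auth`, that a JAAS login context named `karaf` exists, and that the JAAS module's role principals are instances of a class named `RolePrincipal`; all three are assumptions, not facts from the thread.

```java
package example; // hypothetical package name

import java.security.Principal;
import java.util.Set;

import javax.security.auth.Subject;
import javax.xml.namespace.QName;

import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.binding.soap.interceptor.AbstractSoapInterceptor;
import org.apache.cxf.common.security.SecurityToken;
import org.apache.cxf.common.security.UsernameToken;
import org.apache.cxf.headers.Header;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.interceptor.security.JAASLoginInterceptor;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.phase.PhaseInterceptorChain;
import org.apache.cxf.security.LoginSecurityContext;
import org.apache.cxf.security.SecurityContext;
import org.w3c.dom.Element;

/**
 * Runs in the PRE_PROTOCOL phase, i.e. before JAASLoginInterceptor (which runs
 * in UNMARSHAL), and turns the legacy <user>/<password> headers into a CXF
 * UsernameToken stored under the SecurityToken key that JAASLoginInterceptor
 * picks up. The actual credential check is still done by the JAAS login module.
 */
public class LegacyCredentialsInterceptor extends AbstractSoapInterceptor {

    // ASSUMPTION: legacy clients put the fields in SOAP headers in this namespace.
    private static final String NS = "http://example.com/legacy-auth";
    private static final QName USER = new QName(NS, "user");
    private static final QName PASSWORD = new QName(NS, "password");

    public LegacyCredentialsInterceptor() {
        super(Phase.PRE_PROTOCOL);
    }

    @Override
    public void handleMessage(SoapMessage message) throws Fault {
        String user = headerText(message, USER);
        String password = headerText(message, PASSWORD);
        if (user == null || password == null) {
            // No legacy fields: leave it to JAASLoginInterceptor (or WSS4J for the
            // WS-Security aware clients) to decide whether the request is allowed.
            return;
        }
        // Plain-text password, not hashed, no nonce/created: the same trust level as a
        // WS-Security PasswordText UsernameToken, so the transport must be protected (TLS).
        UsernameToken token = new UsernameToken(user, password, null, false, null, null);
        message.put(SecurityToken.class, token);
    }

    // Returns the text of the first header with the given name, or null if absent.
    private static String headerText(SoapMessage message, QName name) {
        for (Header h : message.getHeaders()) {
            if (name.equals(h.getName()) && h.getObject() instanceof Element) {
                return ((Element) h.getObject()).getTextContent().trim();
            }
        }
        return null;
    }

    /**
     * The JAASLoginInterceptor that must be registered on the same endpoint, after
     * this interceptor. ASSUMPTION: the JAAS context is called "karaf" and the
     * module's role principals are of a class named "RolePrincipal".
     */
    public static JAASLoginInterceptor jaasInterceptor() {
        JAASLoginInterceptor jaas = new JAASLoginInterceptor();
        jaas.setContextName("karaf");
        jaas.setRoleClassifier("RolePrincipal");
        jaas.setRoleClassifierType(JAASLoginInterceptor.ROLE_CLASSIFIER_CLASS_NAME);
        return jaas;
    }

    /**
     * Call from the service implementation: reads the SecurityContext that
     * JAASLoginInterceptor populated and exposes the Subject and roles, which is the
     * point at which a bridge to a Spring SecurityContext could be built.
     */
    public static Set<Principal> currentRoles() {
        Message current = PhaseInterceptorChain.getCurrentMessage();
        SecurityContext sc = current == null ? null : current.get(SecurityContext.class);
        if (sc instanceof LoginSecurityContext) {
            LoginSecurityContext lsc = (LoginSecurityContext) sc;
            Subject subject = lsc.getSubject();   // full JAAS Subject, if the bridge needs it
            return lsc.getUserRoles();
        }
        return null; // not authenticated through JAASLoginInterceptor
    }
}
```

Register `new LegacyCredentialsInterceptor()` followed by `LegacyCredentialsInterceptor.jaasInterceptor()` in the endpoint's in-interceptor list; phase ordering (PRE_PROTOCOL before UNMARSHAL) guarantees the token is on the message when JAASLoginInterceptor runs. For the WS-Security aware clients the same JAASLoginInterceptor can be reused by setting the "ws-security.validate.token" property to false, as the reply above notes, so both client generations end up with one SecurityContext population path.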
