>
> No problem:) Ok I have implemented this feature. Now I ask myself if
> SecurityContext should be implemented (if Principal is null) for Basic
> Interceptor like JAASLoginInterceptor which puts a SecurityContext. The only
> question is how to set roles? But if we do that we could use
> after SimpleAuthorizingInterceptor

You can use org.apache.cxf.common.security.SimplePrincipal just to wrap up a principal name. DefaultSecurityContext (roles represented as Groups, org.apache.cxf.common.security.SimpleGroup helper is there) and RolePrefixSecurityContextImpl (role names start with some prefix like ROLE_) can be used to provide a SecurityContext on a current message. They all expect a Subject instance which you can easily create with the help of SimplePrincipal (and SimpleGroup if needed).

Cheers, Sergey

>
> Regards Angelo
>
>
>> On Tue, Jun 14, 2011 at 10:54 AM, Angelo zerr <[email protected]> wrote:
>> > Ok I believe I understand your idea about realm. I have added a setter in my
>> > Interceptor :
>> >
>> > AbstractBasicAuthAuthorizationInterceptor#setRealName(String realName) which
>> > computes WWW-Authenticate.
>> > Ex : AbstractBasicAuthAuthorizationInterceptor#setRealName("MyRealm") will
>> > return
>> >
>> > WWW-Authenticate: Basic realm="MyRealm"
>> >
>> > If no realm defined, WWW-Authenticate is not returned. Is that your idea?
>> > WWW-Authenticate is not required? Do you think we should set a default value
>> > for Realm?
>> >
>> > Regards Angelo
>> >
>> > 2011/6/14 Angelo zerr <[email protected]>
>> >
>> >> Hi Sergey,
>> >>
>> >> 2011/6/14 Sergey Beryozkin <[email protected]>
>> >>
>> >>> Hi
>> >>>
>> >>> That interceptor should be more neutral, should not extend a SOAP
>> >>> interceptor.
>> >>>
>> >>
>> >> Ok, I have done like JAASLoginInterceptor (extends
>> >> AbstractPhaseInterceptor<Message> + constructor initialized with
>> >> super(Phase.UNMARSHAL);) and it works.
>> >>
>> >>> The other thing you may want to do is to configure it with a realm
>> >>> name and if it's not set then
>> >>> do not add a realm parameter to the response.
>> >>>
>> >>
>> >> Could you explain your idea to me more, please.
>> >>
>> >>>
>> >>> FYI, CXF ships JAASLoginInterceptor - which will check if Basic (or
>> >>> other similar HTTP Authorization type was set)
>> >>> and then will delegate to JAAS to do the actual authentication:
>> >>> http://cxf.apache.org/docs/security.html#Security-Authentication
>> >>>
>> >>> I propose that you create a patch in rt/core,
>> >>> org.apache.cxf.interceptor.security package, that will make it easier
>> >>> for me to move the relevant code to a rt/security module
>> >>>
>> >>
>> >> My first idea is to create a WTP sample application with my code (I have
>> >> created org.apache.cxf.interceptor.security.basic package) and send it to you
>> >> with a sample which works.
>> >> After I could create a patch if you need.
>> >>
>> >> Regards Angelo
>> >>
>> >>>
>> >>> Thanks, Sergey
>> >>>
>> >>> On Tue, Jun 14, 2011 at 7:38 AM, Angelo zerr <[email protected]> wrote:
>> >>> > Hi Freeman,
>> >>> >
>> >>> > Thanks a lot for your answer. I will prepare a contribution for you and
>> >>> > send it to you.
>> >>> >
>> >>> > Regards Angelo
>> >>> >
>> >>> > 2011/6/14 Freeman Fang <[email protected]>
>> >>> >
>> >>> >> Hi,
>> >>> >>
>> >>> >> Sure, any contribution is welcome.
>> >>> >>
>> >>> >> And in CXF we also can use jetty security handler to enable basic auth
>> >>> >> which can configure the realm easily, we have a system testcase for it[1],
>> >>> >> you may wanna take a look.
>> >>> >>
>> >>> >> [1]
>> >>> >> https://svn.apache.org/repos/asf/cxf/trunk/systests/transports/src/test/java/org/apache/cxf/systest/http_jetty/JettyBasicAuthTest.java
>> >>> >> Freeman
>> >>> >>
>> >>> >> On 2011-6-13, at 11:34 PM, Angelo zerr wrote:
>> >>> >>
>> >>> >>> Hi CXF Team,
>> >>> >>>
>> >>> >>> I would like to manage WebService with HTTP Basic CXF Interceptor and I
>> >>> >>> have not found this interceptor in the CXF. So I have used the great code
>> >>> >>> from
>> >>> >>> http://chrisdail.com/2008/03/31/apache-cxf-with-http-basic-authentication/
>> >>> >>> and it works great.
>> >>> >>> I have noticed that some projects like
>> >>> >>> http://code.google.com/p/fenius/source/browse/trunk/fenius-util/src/main/java/is/glif/fenius/util/BasicAuthAuthorizationInterceptor.java?r=111
>> >>> >>> have used this code and I ask myself why CXF doesn't include the
>> >>> >>> BasicAuthAuthorizationInterceptor class?
>> >>> >>>
>> >>> >>> I have modified BasicAuthAuthorizationInterceptor to delegate
>> >>> >>> user/password to another interface implementation and if you wish I could
>> >>> >>> send you my work and ask the author of the
>> >>> >>> BasicAuthAuthorizationInterceptor if he is OK to contribute to CXF.
>> >>> >>>
>> >>> >>> Thanks a lot for your answer.
>> >>> >>>
>> >>> >>> Regards Angelo
>> >>> >>>
>> >>> >>
>> >>> >> ---------------------------------------------
>> >>> >> Freeman Fang
>> >>> >>
>> >>> >> FuseSource
>> >>> >> Email:[email protected]
>> >>> >> Web: fusesource.com
>> >>> >> Twitter: freemanfang
>> >>> >> Blog: http://freemanfang.blogspot.com
>> >>> >>
>>
>> --
>> Sergey Beryozkin
>>
>> Application Integration Division of Talend
>> http://sberyozkin.blogspot.com
>>
