Hi

Can you explain please what BasicAuthAuthorizationInterceptor actually does?
We really need source of that interceptor, ideally attached as a patch to JIRA

thanks, Sergey

On Tue, Jun 14, 2011 at 4:23 PM, Angelo zerr <[email protected]> wrote:
> Hi Sergey,
>
> I have attached a zip with my work. It's a WTP Eclipse project where you can
> find BasicAuthAuthorizationInterceptor in the
> org.apache.cxf.interceptor.security.basic package.
> There is a sample with Basic authentication authorization with NO roles:
>
> ---------------------------------------------------------
> <!-- WebServices with Basic Authentication Authorization -->
> <jaxws:endpoint xmlns:tns="http://server.sample/" id="helloworld"
>     implementor="sample.server.HelloWorld"
>     wsdlLocation="wsdl/helloworld.wsdl"
>     endpointName="tns:HelloWorldPort"
>     serviceName="tns:HelloWorldService"
>     address="/HelloWorldPort">
>   <jaxws:features>
>     <bean class="org.apache.cxf.feature.LoggingFeature" />
>   </jaxws:features>
>   <jaxws:inInterceptors>
>     <ref bean="basicAuthAuthorization1" />
>   </jaxws:inInterceptors>
> </jaxws:endpoint>
>
> <bean id="basicAuthAuthorization1"
>     class="org.apache.cxf.interceptor.security.basic.BasicAuthAuthorizationInterceptor">
>   <property name="realmName" value="MyRealm" />
>   <property name="authorizationContext">
>     <bean class="org.apache.cxf.interceptor.security.basic.SimpleBasicAuthAuthorizationContext">
>       <property name="usersMap">
>         <map>
>           <entry key="ffang" value="pswd" />
>         </map>
>       </property>
>     </bean>
>   </property>
> </bean>
> ----------------------------------------------------------
>
> And sample with Basic authentication authorization with roles:
>
> ----------------------------------------------------------
>
> <!-- WebServices with Basic Authentication Authorization + Roles -->
> <jaxws:endpoint xmlns:tns="http://server.sample/" id="helloworld2"
>     implementor="sample.server.HelloWorld"
>     wsdlLocation="wsdl/helloworld.wsdl"
>     endpointName="tns:HelloWorldPort"
>     serviceName="tns:HelloWorldService"
>     address="/HelloWorldPort2">
>   <jaxws:features>
>     <bean class="org.apache.cxf.feature.LoggingFeature" />
>   </jaxws:features>
>   <jaxws:inInterceptors>
>     <ref bean="basicAuthAuthorization2" />
>     <ref bean="authorizationInterceptor" />
>   </jaxws:inInterceptors>
> </jaxws:endpoint>
>
> <bean id="basicAuthAuthorization2"
>     class="org.apache.cxf.interceptor.security.basic.BasicAuthAuthorizationInterceptor">
>   <property name="realmName" value="MyRealm" />
>   <property name="authorizationContext">
>     <bean class="org.apache.cxf.interceptor.security.basic.SimpleBasicAuthAuthorizationContext">
>       <property name="usersMap">
>         <map>
>           <entry key="ffang" value="pswd" />
>         </map>
>       </property>
>       <property name="userRolesContext">
>         <bean class="org.apache.cxf.interceptor.security.basic.SimpleUserRolesContext">
>           <property name="userRolesMap">
>             <map>
>               <entry key="ffang" value="ROLE1 ROLE2" />
>             </map>
>           </property>
>         </bean>
>       </property>
>     </bean>
>   </property>
> </bean>
>
> <bean id="authorizationInterceptor"
>     class="org.apache.cxf.interceptor.security.SimpleAuthorizingInterceptor">
>   <property name="methodRolesMap">
>     <map>
>       <entry key="hello" value="ROLE1" />
>     </map>
>   </property>
> </bean>
> ----------------------------------------------------------
>
> If you start your server at localhost 8080 you can launch the client:
>
> * HelloWorld_PortTypeClient which calls the first service (with no roles).
> * HelloWorld_PortTypeClient2 which calls the second service (with roles).
>
> Everything works with interface and I have implemented with Simple* class
> which works with Map but you can implement with another mean if you wish.
>
> Hope you will like it.
>
> Regards Angelo
>
> 2011/6/14 Sergey Beryozkin <[email protected]>
>>
>> >
>> > No problem:) Ok I have implemented this feature. Now I ask myself if
>> > SecurityContext should be implemented (if Principal is null) for Basic
>> > Interceptor like JAASLoginInterceptor which puts a SecurityContext. The
>> > only question is how to set roles? But if we do that we could use
>> > afterSimpleAuthorizingInterceptor
>>
>> You can use org.apache.cxf.common.security.SimplePrincipal just to
>> wrap up a principal name.
>> DefaultSecurityContext (roles represented as Groups,
>> org.apache.cxf.common.security.SimpleGroup helper is there) and
>> RolePrefixSecurityContextImls (role names start with some prefix like
>> ROLE_) can be used to provide a SecurityContext on a current message.
>> They all expect a Subject instance which you can easily create with
>> the help of SimplePrincipal (and SimpleGroup if needed)
>>
>> Cheers, Sergey
>>
>> >
>> > Regards Angelo
>> >
>> >
>> >> On Tue, Jun 14, 2011 at 10:54 AM, Angelo zerr <[email protected]>
>> >> wrote:
>> >> > Ok I believe I understand your idea about realm. I have added a setter
>> >> > in my Interceptor:
>> >> >
>> >> > AbstractBasicAuthAuthorizationInterceptor#setRealName(String realName)
>> >> > which computes WWW-Authenticate.
>> >> > Ex: AbstractBasicAuthAuthorizationInterceptor#setRealName("MyRealm")
>> >> > will return
>> >> >
>> >> > WWW-Authenticate: Basic realm="MyRealm"
>> >> >
>> >> > If no realm defined, WWW-Authenticate is not returned. Is that your
>> >> > idea? WWW-Authenticate is not required? Do you think we should set a
>> >> > default value for Realm?
>> >> >
>> >> > Regards Angelo
>> >> >
>> >> > 2011/6/14 Angelo zerr <[email protected]>
>> >> >
>> >> >> Hi Sergey,
>> >> >>
>> >> >> 2011/6/14 Sergey Beryozkin <[email protected]>
>> >> >>
>> >> >>> Hi
>> >> >>>
>> >> >>> That interceptor should be more neutral, should not extend a SOAP
>> >> >>> interceptor.
>> >> >>>
>> >> >>
>> >> >> Ok, I have done like JAASLoginInterceptor (extends
>> >> >> AbstractPhaseInterceptor<Message> + constructor initialized with
>> >> >> super(Phase.UNMARSHAL);) and it works.
>> >> >>
>> >> >>
>> >> >>> The other thing you may want to do is to configure it with a realm
>> >> >>> name and if it's not set then
>> >> >>> do not add a realm parameter to the response.
>> >> >>>
>> >> >>
>> >> >> Could you explain me more your idea please.
>> >> >>
>> >> >>
>> >> >>>
>> >> >>> FYI, CXF ships JAASLoginInterceptor - which will check if Basic (or
>> >> >>> other similar HTTP Authorization type was set)
>> >> >>> and then will delegate to JAAS to do the actual authentication:
>> >> >>> http://cxf.apache.org/docs/security.html#Security-Authentication
>> >> >>>
>> >> >>> I propose that you create a patch in rt/core,
>> >> >>> org.apache.cxf.interceptor.security package, that will make it
>> >> >>> easier for me to move the relevant code to a rt/security module
>> >> >>>
>> >> >>
>> >> >> My first idea is to create a WTP sample application with my code (I
>> >> >> have created org.apache.cxf.interceptor.security.basic package) and
>> >> >> send you with sample which works.
>> >> >> After I could create a patch if you need.
>> >> >>
>> >> >> Regards Angelo
>> >> >>
>> >> >>>
>> >> >>> Thanks, Sergey
>> >> >>>
>> >> >>> On Tue, Jun 14, 2011 at 7:38 AM, Angelo zerr <[email protected]>
>> >> >>> wrote:
>> >> >>> > Hi Freeman,
>> >> >>> >
>> >> >>> > Thanks a lot for your answer. I will prepare you a contribution
>> >> >>> > and send you.
>> >> >>> >
>> >> >>> > Regards Angelo
>> >> >>> >
>> >> >>> > 2011/6/14 Freeman Fang <[email protected]>
>> >> >>> >
>> >> >>> >> Hi,
>> >> >>> >>
>> >> >>> >> Sure, any contribution is welcome.
>> >> >>> >>
>> >> >>> >> And in CXF we also can use jetty security handler to enable
>> >> >>> >> basic auth which can configure the realm easily, we have a
>> >> >>> >> system testcase for it[1], you may wanna take a look.
>> >> >>> >>
>> >> >>> >> [1]
>> >> >>> >> https://svn.apache.org/repos/asf/cxf/trunk/systests/transports/src/test/java/org/apache/cxf/systest/http_jetty/JettyBasicAuthTest.java
>> >> >>> >> Freeman
>> >> >>> >>
>> >> >>> >> On 2011-6-13, at 11:34 PM, Angelo zerr wrote:
>> >> >>> >>
>> >> >>> >> Hi CXF Team,
>> >> >>> >>>
>> >> >>> >>> I would like to manage WebService with HTTP Basic CXF
>> >> >>> >>> Interceptor and I have not found this interceptor in the CXF.
>> >> >>> >>> So I have used the great code from
>> >> >>> >>> http://chrisdail.com/2008/03/31/apache-cxf-with-http-basic-authentication/
>> >> >>> >>> and it works great.
>> >> >>> >>> I have noticed that some projects like
>> >> >>> >>> http://code.google.com/p/fenius/source/browse/trunk/fenius-util/src/main/java/is/glif/fenius/util/BasicAuthAuthorizationInterceptor.java?r=111
>> >> >>> >>> have used this code and I ask myself why CXF doesn't include the
>> >> >>> >>> BasicAuthAuthorizationInterceptor class?
>> >> >>> >>>
>> >> >>> >>> I have modified BasicAuthAuthorizationInterceptor to delegate
>> >> >>> >>> user/password to another interface implementation and if you
>> >> >>> >>> wish I could send you my work and tell to the author of the
>> >> >>> >>> BasicAuthAuthorizationInterceptor if he is OK to contribute to
>> >> >>> >>> CXF.
>> >> >>> >>>
>> >> >>> >>> Thanks a lot for your answer.
>> >> >>> >>>
>> >> >>> >>> Regards Angelo
>> >> >>> >>>
>> >> >>> >>
>> >> >>> >> ---------------------------------------------
>> >> >>> >> Freeman Fang
>> >> >>> >>
>> >> >>> >> FuseSource
>> >> >>> >> Email:[email protected]
>> >> >>> >> Web: fusesource.com
>> >> >>> >> Twitter: freemanfang
>> >> >>> >> Blog: http://freemanfang.blogspot.com
>> >> >>> >>
>> >>
>> >> --
>> >> Sergey Beryozkin
>> >>
>> >> Application Integration Division of Talend
>> >> http://sberyozkin.blogspot.com
>> >>
>> >
>

--
Sergey Beryozkin
Application Integration Division of Talend
http://sberyozkin.blogspot.com
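The credential check, optional realm challenge and method-role lookup discussed in this thread, as an added JDK-only example; it is not the code from the attached zip and not CXF's own. The class name, method names and the 401/403 mapping are assumptions, and the map entries are constructed from the sample configuration quoted above.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Base64;
import java.util.Map;

// Hypothetical stand-alone model of the interceptor's decisions (no CXF types used).
public class BasicAuthCheckExample {
    // Constructed sample data mirroring usersMap, userRolesMap and methodRolesMap.
    static final Map<String, String> USERS = Map.of("ffang", "pswd");
    static final Map<String, String> USER_ROLES = Map.of("ffang", "ROLE1 ROLE2");
    static final Map<String, String> METHOD_ROLES = Map.of("hello", "ROLE1");

    /** HTTP status for a call to `method` carrying this Authorization header value. */
    static int check(String authorization, String method) {
        if (authorization == null || !authorization.regionMatches(true, 0, "Basic ", 0, 6)) {
            return 401; // no credentials, or a scheme other than Basic
        }
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(authorization.substring(6).trim()), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return 401; // malformed base64 is treated like missing credentials
        }
        int colon = decoded.indexOf(':'); // split on the first ':'; the password may contain more
        if (colon < 0) return 401;
        String user = decoded.substring(0, colon);
        String expected = USERS.get(user);
        byte[] given = decoded.substring(colon + 1).getBytes(StandardCharsets.UTF_8);
        byte[] want = (expected == null ? "" : expected).getBytes(StandardCharsets.UTF_8);
        // Always run the comparison, so unknown users take the same path as wrong passwords.
        if (!MessageDigest.isEqual(given, want) || expected == null) return 401;
        String required = METHOD_ROLES.get(method);
        if (required == null) return 200; // operation has no role restriction
        boolean hasRole = Arrays.asList(USER_ROLES.getOrDefault(user, "").split(" ")).contains(required);
        return hasRole ? 200 : 403; // assumption: authenticated but unauthorized maps to 403
    }

    /** Challenge line sent with a 401, or null when no realm is configured (as the thread describes). */
    static String challenge(String realm) {
        if (realm == null) return null;
        return "WWW-Authenticate: Basic realm=\"" + realm.replace("\\", "\\\\").replace("\"", "\\\"") + "\"";
    }

    public static void main(String[] args) {
        String good = "Basic " + Base64.getEncoder().encodeToString("ffang:pswd".getBytes(StandardCharsets.UTF_8));
        System.out.println(check(good, "hello") + " " + check(null, "hello") + " " + challenge("MyRealm"));
    }
}
```

RFC 7235 requires a 401 response to carry a WWW-Authenticate header, so a deployment that leaves the realm unset and therefore sends no challenge produces a 401 that some clients will not retry with credentials.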
