I can actually see the source (thanks to Christian for pointing me to
it :-)) but I'd like to understand what you are trying to do besides
enforcing that BasicAuth is there. I thought you needed to get
username & password and get the custom authentication done by
interacting somehow with your custom SecurityManager, right? I'm not
sure we can generalize that process in CXF itself, the process of
communicating with the custom SecurityManager - JAAS or/and Spring is
there for that.
> Can you explain please what BasicAuthAuthorizationInterceptor actually does ?

That is why I asked this question :-)

thanks, Sergey

On Tue, Jun 14, 2011 at 4:50 PM, Sergey Beryozkin <[email protected]> wrote:
> Hi
> Can you explain please what BasicAuthAuthorizationInterceptor actually does ?
>
> We really need source of that interceptor, ideally attached as a patch to JIRA
> thanks, Sergey
>
> On Tue, Jun 14, 2011 at 4:23 PM, Angelo zerr <[email protected]> wrote:
>> Hi Sergey,
>>
>> I have attached a zip with my work. It's a WTP Eclipse project where you can
>> find BasicAuthAuthorizationInterceptor in the
>> org.apache.cxf.interceptor.security.basic package.
>> There is a sample with Basic authentication authorization with NO roles:
>>
>> ---------------------------------------------------------
>>     <!-- WebServices with Basic Authentication Authorization -->
>>     <jaxws:endpoint xmlns:tns="http://server.sample/" id="helloworld"
>>         implementor="sample.server.HelloWorld"
>>         wsdlLocation="wsdl/helloworld.wsdl"
>>         endpointName="tns:HelloWorldPort"
>>         serviceName="tns:HelloWorldService"
>>         address="/HelloWorldPort">
>>         <jaxws:features>
>>             <bean class="org.apache.cxf.feature.LoggingFeature" />
>>         </jaxws:features>
>>         <jaxws:inInterceptors>
>>             <ref bean="basicAuthAuthorization1" />
>>         </jaxws:inInterceptors>
>>     </jaxws:endpoint>
>>
>>     <bean id="basicAuthAuthorization1"
>>         class="org.apache.cxf.interceptor.security.basic.BasicAuthAuthorizationInterceptor">
>>         <property name="realmName" value="MyRealm" />
>>         <property name="authorizationContext">
>>             <bean
>>                 class="org.apache.cxf.interceptor.security.basic.SimpleBasicAuthAuthorizationContext">
>>                 <property name="usersMap">
>>                     <map>
>>                         <entry key="ffang" value="pswd" />
>>                     </map>
>>                 </property>
>>             </bean>
>>         </property>
>>     </bean>
>> ----------------------------------------------------------
>>
>> And a sample with Basic authentication authorization with roles:
>>
>> ----------------------------------------------------------
>>
>>     <!-- WebServices with Basic Authentication Authorization + Roles -->
>>     <jaxws:endpoint xmlns:tns="http://server.sample/" id="helloworld2"
>>         implementor="sample.server.HelloWorld"
>>         wsdlLocation="wsdl/helloworld.wsdl"
>>         endpointName="tns:HelloWorldPort"
>>         serviceName="tns:HelloWorldService"
>>         address="/HelloWorldPort2">
>>         <jaxws:features>
>>             <bean class="org.apache.cxf.feature.LoggingFeature" />
>>         </jaxws:features>
>>         <jaxws:inInterceptors>
>>             <ref bean="basicAuthAuthorization2" />
>>             <ref bean="authorizationInterceptor" />
>>         </jaxws:inInterceptors>
>>     </jaxws:endpoint>
>>
>>     <bean id="basicAuthAuthorization2"
>>         class="org.apache.cxf.interceptor.security.basic.BasicAuthAuthorizationInterceptor">
>>         <property name="realmName" value="MyRealm" />
>>         <property name="authorizationContext">
>>             <bean
>>                 class="org.apache.cxf.interceptor.security.basic.SimpleBasicAuthAuthorizationContext">
>>                 <property name="usersMap">
>>                     <map>
>>                         <entry key="ffang" value="pswd" />
>>                     </map>
>>                 </property>
>>                 <property name="userRolesContext">
>>                     <bean
>>                         class="org.apache.cxf.interceptor.security.basic.SimpleUserRolesContext">
>>                         <property name="userRolesMap">
>>                             <map>
>>                                 <entry key="ffang" value="ROLE1 ROLE2" />
>>                             </map>
>>                         </property>
>>                     </bean>
>>                 </property>
>>             </bean>
>>         </property>
>>     </bean>
>>
>>     <bean id="authorizationInterceptor"
>>         class="org.apache.cxf.interceptor.security.SimpleAuthorizingInterceptor">
>>         <property name="methodRolesMap">
>>             <map>
>>                 <entry key="hello" value="ROLE1" />
>>             </map>
>>         </property>
>>     </bean>
>> ----------------------------------------------------------
>>
>> If you start your server at localhost 8080 you can launch the client:
>>
>> * HelloWorld_PortTypeClient which calls the first service (with no roles).
>> * HelloWorld_PortTypeClient2 which calls the second service (with roles).
>>
>> Everything works with interfaces and I have implemented them with Simple* classes
>> which work with a Map, but you can implement them by other means if you wish.
>>
>> Hope you will like it.
>>
>> Regards Angelo
>> 2011/6/14 Sergey Beryozkin <[email protected]>
>>>
>>> >
>>> > No problem:) Ok I have implemented this feature. Now I wonder if
>>> > SecurityContext should be implemented (if Principal is null) for Basic
>>> > Interceptor like JAASLoginInterceptor which puts a SecurityContext. The only
>>> > question is how to set roles? But if we do that we could use
>>> > SimpleAuthorizingInterceptor afterwards
>>>
>>> You can use org.apache.cxf.common.security.SimplePrincipal just to
>>> wrap up a principal name.
>>> DefaultSecurityContext (roles represented as Groups,
>>> org.apache.cxf.common.security.SimpleGroup helper is there) and
>>> RolePrefixSecurityContextImpl (role names start with some prefix like
>>> ROLE_) can be used to provide a SecurityContext on a current message.
>>> They all expect a Subject instance which you can easily create with
>>> the help of SimplePrincipal (and SimpleGroup if needed)
>>>
>>> Cheers, Sergey
>>>
>>>
>>> >
>>> > Regards Angelo
>>> >
>>> >
>>> >> On Tue, Jun 14, 2011 at 10:54 AM, Angelo zerr <[email protected]>
>>> >> wrote:
>>> >> > Ok, I believe I understand your idea about realm. I have added a setter in my
>>> >> > Interceptor:
>>> >> >
>>> >> > AbstractBasicAuthAuthorizationInterceptor#setRealName(String realName) which
>>> >> > computes WWW-Authenticate.
>>> >> > Ex: AbstractBasicAuthAuthorizationInterceptor#setRealName("MyRealm") will
>>> >> > return
>>> >> >
>>> >> > WWW-Authenticate: Basic realm="MyRealm"
>>> >> >
>>> >> > If no realm is defined, WWW-Authenticate is not returned. Is that your idea?
>>> >> > WWW-Authenticate is not required? Do you think we should set a default value
>>> >> > for Realm?
>>> >> >
>>> >> > Regards Angelo
>>> >> >
>>> >> > 2011/6/14 Angelo zerr <[email protected]>
>>> >> >
>>> >> >> Hi Sergey,
>>> >> >>
>>> >> >> 2011/6/14 Sergey Beryozkin <[email protected]>
>>> >> >>
>>> >> >>> Hi
>>> >> >>>
>>> >> >>> That interceptor should be more neutral, should not extend a SOAP
>>> >> >>> interceptor.
>>> >> >>>
>>> >> >>
>>> >> >> Ok, I have done like JAASLoginInterceptor (extends
>>> >> >> AbstractPhaseInterceptor<Message> + constructor initialized with
>>> >> >> super(Phase.UNMARSHAL);) and it works.
>>> >> >>
>>> >> >>
>>> >> >>> The other thing you may want to do is to configure it with a realm
>>> >> >>> name and if it's not set then
>>> >> >>> do not add a realm parameter to the response.
>>> >> >>>
>>> >> >>
>>> >> >> Could you explain your idea to me in more detail, please?
>>> >> >>
>>> >> >>
>>> >> >>>
>>> >> >>> FYI, CXF ships JAASLoginInterceptor - which will check if Basic (or
>>> >> >>> other similar HTTP Authorization type was set)
>>> >> >>> and then will delegate to JAAS to do the actual authentication:
>>> >> >>> http://cxf.apache.org/docs/security.html#Security-Authentication
>>> >> >>>
>>> >> >>> I propose that you create a patch in rt/core,
>>> >> >>> org.apache.cxf.interceptor.security package, that will make it
>>> >> >>> easier
>>> >> >>> for me to move the relevant code to a rt/security module
>>> >> >>>
>>> >> >>
>>> >> >> My first idea is to create a WTP sample application with my code (I have
>>> >> >> created the org.apache.cxf.interceptor.security.basic package) and send it to
>>> >> >> you with a sample which works.
>>> >> >> Afterwards I could create a patch if you need one.
>>> >> >>
>>> >> >> Regards Angelo
>>> >> >>
>>> >> >>>
>>> >> >>> Thanks, Sergey
>>> >> >>>
>>> >> >>> On Tue, Jun 14, 2011 at 7:38 AM, Angelo zerr <[email protected]> wrote:
>>> >> >>> > Hi Freeman,
>>> >> >>> >
>>> >> >>> > Thanks a lot for your answer. I will prepare a contribution and send it to
>>> >> >>> > you.
>>> >> >>> >
>>> >> >>> > Regards Angelo
>>> >> >>> >
>>> >> >>> > 2011/6/14 Freeman Fang <[email protected]>
>>> >> >>> >
>>> >> >>> >> Hi,
>>> >> >>> >>
>>> >> >>> >> Sure, any contribution is welcome.
>>> >> >>> >>
>>> >> >>> >> And in CXF we also can use jetty security handler to enable basic auth
>>> >> >>> >> which can configure the realm easily, we have a system testcase for it[1],
>>> >> >>> >> you may wanna take a look.
>>> >> >>> >>
>>> >> >>> >> [1] https://svn.apache.org/repos/asf/cxf/trunk/systests/transports/src/test/java/org/apache/cxf/systest/http_jetty/JettyBasicAuthTest.java
>>> >> >>> >> Freeman
>>> >> >>> >>
>>> >> >>> >> On 2011-6-13, at 11:34 PM, Angelo zerr wrote:
>>> >> >>> >>
>>> >> >>> >>  Hi CXF Team,
>>> >> >>> >>>
>>> >> >>> >>> I would like to manage WebService with HTTP Basic CXF Interceptor and I
>>> >> >>> >>> have not found this interceptor in the CXF. So I have used the great code from
>>> >> >>> >>> http://chrisdail.com/2008/03/31/apache-cxf-with-http-basic-authentication/ and
>>> >> >>> >>> it works great.
>>> >> >>> >>> I have noticed that some projects like
>>> >> >>> >>> http://code.google.com/p/fenius/source/browse/trunk/fenius-util/src/main/java/is/glif/fenius/util/BasicAuthAuthorizationInterceptor.java?r=111 have
>>> >> >>> >>> used this code and I wonder why CXF doesn't include the
>>> >> >>> >>> BasicAuthAuthorizationInterceptor class?
>>> >> >>> >>>
>>> >> >>> >>> I have modified BasicAuthAuthorizationInterceptor to delegate user/password
>>> >> >>> >>> to another interface implementation and if you wish I could send you my work
>>> >> >>> >>> and ask the author of the BasicAuthAuthorizationInterceptor if he is OK
>>> >> >>> >>> to contribute to CXF.
>>> >> >>> >>>
>>> >> >>> >>> Thanks a lot for your answer.
>>> >> >>> >>>
>>> >> >>> >>> Regards Angelo
>>> >> >>> >>>
>>> >> >>> >>
>>> >> >>> >> ---------------------------------------------
>>> >> >>> >> Freeman Fang
>>> >> >>> >>
>>> >> >>> >> FuseSource
>>> >> >>> >> Email:[email protected]
>>> >> >>> >> Web: fusesource.com
>>> >> >>> >> Twitter: freemanfang
>>> >> >>> >> Blog: http://freemanfang.blogspot.com
>>> >> >>> >>
>>> >> --
>>> >> Sergey Beryozkin
>>> >>
>>> >> Application Integration Division of Talend
>>> >> http://sberyozkin.blogspot.com
>>> >>
> --
> Sergey Beryozkin
>
> Application Integration Division of Talend
> http://sberyozkin.blogspot.com