On 03/02/12 11:19, Taariq Levack wrote:
Thanks to you both, I'm happily securing my services using Spring.
Just like Camel, CXF is much easier than it looks.

I've no karma to fix that typo so please make a note to fix that sometime
if you haven't already.

I did, it will take a bit of time to sync

Cheers, Sergey

Thanks again.
Taariq

On Fri, Feb 3, 2012 at 11:21 AM, Sergey Beryozkin <[email protected]> wrote:

Hi

On 03/02/12 05:45, Taariq Levack wrote:

Hi

I have an existing web app using Spring Security and LDAP for
authentication and authorization.
Now we want some web services to be secured using UsernameToken and SSL.

I also want it to reuse the existing spring method level security, this
user's role cannot use commit() for instance, this seems easy enough with
the SecureAnnotationsInterceptor.

I've also noticed in the new CXF that the password must be supplied to be
evaluated, rather than it being provided
for authentication.
Now I can look up the password in LDAP, but aside from it not being
plaintext like the web service user,
it doesn't perform a login on LDAP of course and we'd like that history of
logins and everything else LDAP provides.

There's a project called cxf-spring-security
<http://code.google.com/p/cxf-spring-security/> which hasn't been touched
for a long time, I don't know if it's been integrated into CXF yet or
will be.

The CXF security docs[1] say you can use a custom
"AbstractUsernameTokenInterceptor" and postpone the validation of the
username token with "ws-security.ut.no-callbacks" and then do the custom
authentication and Subject creation, but this class no longer exists, at
least not in trunk nor the 2.4.4 release I'm using at the moment. I do have
wss4j in the pom too.

It does, I just mistyped the name of it, it's
AbstractUsernameTokenInInterceptor, it's in rt/core

Cheers, Sergey



  I also see the JAASLoginInterceptor in the docs but I'm using the
LdapAuthenticationProvider and not a JAAS provider so I don't think that's
relevant yet, but correct me if I'm wrong please.

So to sum up I can use the callback no problem, but I don't see how I'm
supposed to perform login yet.
And once authenticated, I need the security context populated so that
Spring can do method level security, but maybe here I'm misunderstanding
and CXF is going to do this using SimpleAuthorizingInterceptor, which is
populated instead from whatever SpringSecurity returns after
authentication.

[1] http://cxf.apache.org/docs/security.html

Thanks in advance,
Taariq



--
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

Blog: http://sberyozkin.blogspot.com
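
The approach discussed in this thread, sketched as an added example (not code from the thread or from the CXF project): a subclass of the rt/core AbstractUsernameTokenInInterceptor that hands the UsernameToken credentials to Spring Security's AuthenticationManager, so the LDAP provider performs a real bind, and then populates both the Spring security context and the CXF Subject. The class name is hypothetical; the `createSubject(UsernameToken)` signature, the `UsernameToken` getters and the `SimplePrincipal`/`SimpleGroup` constructors are assumed from CXF 2.4.x; it also assumes "ws-security.ut.no-callbacks" is enabled so WSS4J defers validation.

```java
import javax.security.auth.Subject;

import org.apache.cxf.common.security.SimpleGroup;
import org.apache.cxf.common.security.SimplePrincipal;
import org.apache.cxf.common.security.UsernameToken;
import org.apache.cxf.interceptor.security.AbstractUsernameTokenInInterceptor;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;

// Hypothetical class; not part of CXF or Spring Security.
public class SpringSecurityUsernameTokenInterceptor extends AbstractUsernameTokenInInterceptor {

    // Injected from the Spring context; backed by the existing LdapAuthenticationProvider.
    private AuthenticationManager authenticationManager;

    public void setAuthenticationManager(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    @Override // signature assumed from CXF 2.4.x rt/core
    protected Subject createSubject(UsernameToken token) {
        // An LDAP bind needs the clear-text password, so refuse digests;
        // SSL is what protects the password on the wire.
        if (token.isHashed() || token.getPassword() == null) {
            throw new SecurityException("Plain-text UsernameToken password required");
        }
        Authentication auth;
        try {
            auth = authenticationManager.authenticate(
                new UsernamePasswordAuthenticationToken(token.getName(), token.getPassword()));
        } catch (AuthenticationException ex) {
            // Same message for unknown user and wrong password.
            throw new SecurityException("Authentication failed");
        }
        // Spring method-level security reads this thread-local. Clear it when the
        // exchange ends, otherwise a pooled thread carries it into the next request.
        SecurityContextHolder.getContext().setAuthentication(auth);

        // CXF-side view of the same identity: user principal plus one group per role.
        Subject subject = new Subject();
        subject.getPrincipals().add(new SimplePrincipal(auth.getName()));
        for (GrantedAuthority authority : auth.getAuthorities()) {
            subject.getPrincipals().add(new SimpleGroup(authority.getAuthority(), auth.getName()));
        }
        subject.setReadOnly();
        return subject;
    }
}
```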

