Thanks

Sounds good

Do you have any example to "retrieve username/password from Http Basic auth and create SecurityContext accordingly and delegate to your container jaas(tomcat, karaf, etc)" ?

I've seen this link

http://chrisdail.com/2008/03/31/apache-cxf-with-http-basic-authentication/

But this example looks to be doing authentication by hand, with no JAAS module.

You say that JAASLoginInterceptor can retrieve user/password, but I know neither how to 'create SecurityContext' nor how to 'delegate to your container jaas'

And I don't know how I can implement another interceptor (if it's the same as the authenticating one it would be easy, but I'd like to make 2 different ones) to extract Principal info for loading config files by user

If you know of some example about these issues, I would appreciate it

Thanks and best regards

2013/2/25 Freeman Fang <[email protected]>:
> Hi,
>
> My comment inline
> -------------
> Freeman(Yue) Fang
>
> Red Hat, Inc.
> FuseSource is now part of Red Hat
> Web: http://fusesource.com | http://www.redhat.com/
> Twitter: freemanfang
> Blog: http://freemanfang.blogspot.com
> http://blog.sina.com.cn/u/1473905042
> weibo: @Freeman小屋
>
> On 2013-2-25, at 5:01 PM, Jose María Zaragoza wrote:
>
>> Hi:
>>
>> I'm a newbie at using the CXF framework and I'd like to make the best choice
>> about security matters ( authorization/authentication )
>> Maybe more expert users can help me.
>>
>>
>> I need to develop JAX-WS (SOAP/HTTP) and JAX-RS (XML/JSON/HTTP)
>> services and I need to get the client ID who is calling that web
>> service for loading custom config files by client profile/role .
>> Sometimes, it will be the same implementation but a different protocol
>> binding ( I think the CXF framework allows this feature )
>>
>>
>> 1)
>>
>> I would like to use a standard authentication/authorization model.
>> I've seen WS-Security but I think that it only works with SOAP
>> messages, am I wrong ? could it be used with REST client/services?
> Yes, the UsernameToken ws-security stuff is based on SOAP message so it won't
> work with REST typically.
>>
>>
>> 2)
>>
>> Another choice is to use HTTP Authentication. For example, I could use
>> the Realm mechanism implemented by Tomcat to authenticate users
>> That is supported by SOAP/HTTP and REST/JSON/HTTP clients
>>
>> Could I retrieve the client ID ( Principal ) from WebserviceContext with
>> HTTP Authentication ?
>> Do I need to get HTTPRequest to get the client ID ?
> Yeah, you can use HTTP basic auth both for SOAP and REST service
> You can simply use org.apache.cxf.interceptor.security.JAASLoginInterceptor,
> which can retrieve username/password from Http Basic auth and create
> SecurityContext accordingly and delegate to your container jaas(tomcat,
> karaf, etc)
>>
>>
>> 3)
>>
>> As I told you, I want to load custom config files by client
>> profile/role calling a service
>> Could I implement this by an interceptor, and this interceptor
>> updates the 'service call' with custom values ?
>> What is the best way to face this issue ?
>>
> yeah, an interceptor usually is the way to go
>> I want to perform something like Filters (Servlet) and update the request
>> context with custom info by client/user/role
>>
>>
>> Thanks
>> Best regards
>
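
A sketch of the two-interceptor arrangement asked about above, as an added example that is not part of the original thread and not code from the CXF project. It assumes CXF is on the classpath; the JAAS context name `karaf`, the `PROFILE_KEY` exchange key, the profile directory and the `secure` helper are hypothetical names chosen for illustration.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.Principal;
import java.util.regex.Pattern;

import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.interceptor.InterceptorProvider;
import org.apache.cxf.interceptor.security.AccessDeniedException;
import org.apache.cxf.interceptor.security.JAASLoginInterceptor;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.security.SecurityContext;

/** Second interceptor: maps the authenticated Principal to a per-client config file. */
public class ClientProfileInterceptor extends AbstractPhaseInterceptor<Message> {
    // Hypothetical exchange key and directory, chosen for this example.
    static final String PROFILE_KEY = "example.client.profile";
    private static final Path PROFILE_DIR = Paths.get("/etc/myapp/profiles");
    // Allow-list for user names so a name can never act as a path ("../", "/", etc.).
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9_-]{1,64}");

    public ClientProfileInterceptor() {
        // JAASLoginInterceptor defaults to Phase.UNMARSHAL; PRE_INVOKE comes later,
        // so the SecurityContext is already on the message when this runs.
        super(Phase.PRE_INVOKE);
    }

    @Override
    public void handleMessage(Message message) throws Fault {
        SecurityContext sc = message.get(SecurityContext.class);
        Principal user = (sc == null) ? null : sc.getUserPrincipal();
        // Fail closed: no principal, or a name outside the allow-list, stops the call.
        if (user == null || !SAFE_NAME.matcher(user.getName()).matches()) {
            throw new AccessDeniedException("Unauthenticated caller or invalid user name");
        }
        Path profile = PROFILE_DIR.resolve(user.getName() + ".properties").normalize();
        // The service implementation reads this value back from the exchange.
        message.getExchange().put(PROFILE_KEY, profile);
    }

    /** Registers both interceptors on an endpoint, bus or server (any InterceptorProvider). */
    public static void secure(InterceptorProvider endpoint) {
        JAASLoginInterceptor jaas = new JAASLoginInterceptor();
        jaas.setContextName("karaf"); // assumption: JAAS realm name configured in the container
        endpoint.getInInterceptors().add(jaas);
        endpoint.getInInterceptors().add(new ClientProfileInterceptor());
    }
}
```

Because the credentials arrive over HTTP Basic, the endpoint should only be reachable over TLS.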
