Hi,

Just take a look at JAASLoginInterceptor[1], the handleMessage method has all the necessary code you need.

[1] https://svn.apache.org/repos/asf/cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/JAASLoginInterceptor.java

-------------
Freeman(Yue) Fang

Red Hat, Inc.
FuseSource is now part of Red Hat
Web: http://fusesource.com | http://www.redhat.com/
Twitter: freemanfang
Blog: http://freemanfang.blogspot.com
http://blog.sina.com.cn/u/1473905042
weibo: @Freeman小屋

On 2013-2-25, at 7:42 PM, Jose María Zaragoza wrote:

> Thanks
> Sounds good
>
> Do you have any example to "retrieve username/password from Http Basic
> auth and create SecurityContext accordingly and delegate to your
> container jaas(tomcat, karaf, etc)" ?
>
> I've seen this link
>
> http://chrisdail.com/2008/03/31/apache-cxf-with-http-basic-authentication/
> But this example looks to be doing authentication by hand, no JAAS module.
>
> You say that JAASLoginInterceptor can retrieve user/password but I
> don't know either how to 'create SecurityContext' or how to 'delegate to
> your container jaas'
>
> And I don't know how I can implement another interceptor (if it's the
> same as the authentication one it would be easy, but I'd like to make 2
> different ones) to extract Principal info for loading config files by user
>
> If you know about some example about these issues, I would appreciate it
>
> Thanks and best regards
>
>
> 2013/2/25 Freeman Fang <[email protected]>:
>> Hi,
>>
>> My comment inline
>> -------------
>> Freeman(Yue) Fang
>>
>> Red Hat, Inc.
>> FuseSource is now part of Red Hat
>> Web: http://fusesource.com | http://www.redhat.com/
>> Twitter: freemanfang
>> Blog: http://freemanfang.blogspot.com
>> http://blog.sina.com.cn/u/1473905042
>> weibo: @Freeman小屋
>>
>> On 2013-2-25, at 5:01 PM, Jose María Zaragoza wrote:
>>
>>> Hi:
>>>
>>> I'm a newbie at using the CXF framework and I'd like to make the best choice
>>> about security matters ( authorization/authentication )
>>> Maybe more expert users can help me.
>>>
>>>
>>> I need to develop JAX-WS (SOAP/HTTP) and JAX-RS (XML/JSON/HTTP)
>>> services and I need to get the client ID who is calling that web
>>> service for loading custom config files by client profile/role .
>>> Sometimes, it will be the same implementation but different protocol
>>> binding ( I think CXF framework allows this feature )
>>>
>>>
>>> 1)
>>>
>>> I would like to use a standard authentication/authorization model.
>>> I've seen WS-Security but I think that it only works with SOAP
>>> messages, am I wrong ? could it be used with REST client/services?
>> Yes, the UsernameToken ws-security stuff is based on SOAP message so it
>> won't work with REST typically.
>>>
>>>
>>> 2)
>>>
>>> Another choice is to use HTTP Authentication. For example, I could use
>>> the Realm mechanism implemented by Tomcat to authenticate users
>>> That is supported by SOAP/HTTP and REST/JSON/HTTP clients
>>>
>>> Could I retrieve client ID ( Principal ) from WebserviceContext with
>>> HTTP Authentication ?
>>> Do I need to get HTTPRequest to get client ID ?
>> Yeah, you can use HTTP basic auth both for SOAP and REST service
>> You can simply use org.apache.cxf.interceptor.security.JAASLoginInterceptor,
>> which can retrieve username/password from Http Basic auth and create
>> SecurityContext accordingly and delegate to your container jaas(tomcat,
>> karaf, etc)
>>>
>>>
>>> 3)
>>>
>>> As I told you, I want to load custom config files by client
>>> profile/role calling a service
>>> Could I implement this with an interceptor, with this interceptor
>>> updating the 'service call' with custom values ?
>>> What is the best way to face this issue ?
>>>
>> yeah, an interceptor usually is the way to go
>>> I want to perform something like Filters (Servlet) and update the request
>>> context with custom info by client/user/role
>>>
>>>
>>> Thanks
>>> Best regards
>>
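
The flow discussed in this thread (take the HTTP Basic credentials, authenticate them through the container's JAAS configuration, and publish a SecurityContext on the message), sketched as an added example that is not part of the original thread and is not CXF's own JAASLoginInterceptor code. The class name BasicAuthJaasInterceptor and the JAAS context name "myrealm" are hypothetical, and the role check is a simplification that treats any principal name equal to the role as a match.

```java
import java.security.Principal;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.apache.cxf.configuration.security.AuthorizationPolicy;
import org.apache.cxf.interceptor.security.AuthenticationException;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.security.SecurityContext;

// Hypothetical class; JAAS_CONTEXT is an assumed name that must match the container's JAAS config.
public class BasicAuthJaasInterceptor extends AbstractPhaseInterceptor<Message> {
    private static final String JAAS_CONTEXT = "myrealm";
    public BasicAuthJaasInterceptor() { super(Phase.UNMARSHAL); }

    @Override
    public void handleMessage(Message message) {
        // The HTTP transport has already decoded the Basic Authorization header into this policy.
        AuthorizationPolicy policy = message.get(AuthorizationPolicy.class);
        if (policy == null || policy.getUserName() == null || policy.getPassword() == null) {
            throw new AuthenticationException("HTTP Basic credentials required");
        }
        final String user = policy.getUserName();
        final char[] password = policy.getPassword().toCharArray();
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb);
            }
        };
        try {
            LoginContext login = new LoginContext(JAAS_CONTEXT, handler);
            login.login(); // the container's JAAS login module checks the password
            final Subject subject = login.getSubject();
            message.put(SecurityContext.class, new SecurityContext() {
                public Principal getUserPrincipal() { return () -> user; }
                // Simplification: any principal whose name equals the role counts as that role.
                public boolean isUserInRole(String role) {
                    return subject.getPrincipals().stream().anyMatch(p -> role.equals(p.getName()));
                }
            });
        } catch (LoginException e) {
            throw new AuthenticationException("Authentication failed"); // no detail to the client
        }
    }
}
```

A second interceptor registered in a later phase can read message.get(SecurityContext.class).getUserPrincipal().getName() to choose the per-user configuration, which keeps authentication and config loading in two separate interceptors.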
