Hi
On 11/07/13 10:59, Ja kub wrote:
Hi Sergey,
Thx for response.
Sorry I haven't written this before, but I run cxf on Tomcat as a servlet, which
changes the situation:
<servlet>
    <servlet-name>cxf</servlet-name>
    <display-name>cxf</display-name>
    <description>Apache CXF Endpoint</description>
    <servlet-class>org.apache.cxf.transport.servlet.CXFServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
    <async-supported>true</async-supported>
</servlet>
so the above config will probably not work (it's for Jetty).
First I thought I could somehow do this authorization with spring-security,
and display a soap fault on auth error.
To be able to do it in an interceptor I cannot use spring-security for
authorization. Possibly in such a case, when I do authorization manually, it
will be enough to throw a RuntimeException from the authorization method, and cxf
will generate the usual soap fault (I guess it will).
This will go with http 200 status, I guess. Maybe it will be sufficient.
Your solution would be nicer, because it could go with 403 http status.
I wonder if we should work on creating a CXF-level interceptor, similar
to JAASLoginInterceptor (works with Basic Auth, etc.), to get client
certs utilized for creating a security context and using it with CXF
SimpleAuthorizingInterceptor.
In the meantime, please experiment with somehow intercepting Spring Sec
reporting 403,
Sergey
Thx again for response.
BR,
Jakub
On Thu, Jul 11, 2013 at 11:37 AM, Sergey Beryozkin <sberyoz...@gmail.com> wrote:
Hi
On 10/07/13 23:00, Ja kub wrote:
Hallo
Do you know if there is any out of the box solution to send a soap fault when
authentication to a web service fails (auth is with client cert over ssl)?
Now I get a regular html page, but I would prefer to get a soap fault.
I think you can register a Fault out interceptor in
jaxws:outFaultInterceptors, this interceptor will write a soap fault
directly:
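import javax.servlet.http.HttpServletResponse;

import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.transport.http.AbstractHTTPDestination;

public class CustomOutFaultInterceptor extends AbstractPhaseInterceptor<Message> {

    public CustomOutFaultInterceptor() {
        // the phase is registered through the superclass constructor
        super(Phase.PRE_STREAM);
    }

    public void handleMessage(Message message) throws Fault {
        Exception ex = message.getContent(Exception.class);
        // check the exception
        HttpServletResponse response = (HttpServletResponse) message.getExchange()
            .getInMessage().get(AbstractHTTPDestination.HTTP_RESPONSE);
        // write to response directly
    }
}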
CXF may have utilities for generating SoapFaults, I guess it is a simple
DOM in case of 403
Is there any integration of cxf with spring security ?
Does cxf standalone provide client cert authentication ?
Have a look at this configuration example (I copied it from one of the
ws-security tests):
http://svn.apache.org/repos/asf/cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/server.xml
Note, the client certs then will also be available as Message properties,
here is how you can get to them:
private Certificate[] getTLSCertificates(Message message) {
    TLSSessionInfo tlsInfo = message.get(TLSSessionInfo.class);
    return tlsInfo != null ? tlsInfo.getPeerCertificates() : null;
}
I can give up spring security and validate manually, and throw exception,
but probably this is not an elegant solution.
HTH, Sergey
Regards
Jakub
--
Sergey Beryozkin
Talend Community Coders
http://coders.talend.com/
Blog: http://sberyozkin.blogspot.com