Hi Colm! Thanks for taking time to answer my question. This was exactly what I was looking for (and I didn't know).
Best,
Christian
-----------------

Software Integration Specialist

Apache Camel committer: https://camel.apache.org/team
V.P. Apache Camel: https://www.apache.org/foundation/
Apache Member: https://www.apache.org/foundation/members.html

https://www.linkedin.com/pub/christian-mueller/11/551/642

On Fri, Sep 13, 2013 at 11:19 AM, Colm O hEigeartaigh <[email protected]> wrote:

> Hi Christian,
>
> I would recommend writing your own Validator (or extending the existing one
> in WSS4J) for UsernameTokens. WSS4J sends tokens to a Validator instance
> for validation:
>
> http://svn.apache.org/viewvc/webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/validate/Validator.java?view=markup
>
> Here is the default UsernameTokenValidator:
>
> http://svn.apache.org/viewvc/webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/validate/UsernameTokenValidator.java?view=markup
>
> So I would recommend adding in some functionality to a subclass of the
> UsernameTokenValidator to perform your requirements. You can configure your
> Validator in CXF via the "ws-security.ut.validator" tag:
>
> http://cxf.apache.org/docs/ws-securitypolicy.html
>
> Colm.
>
>
> On Fri, Sep 13, 2013 at 12:03 AM, Christian Müller <[email protected]> wrote:
>
> > We are using the Apache Camel CXF component (Camel 2.10.x and CXF 2.6.x) to
> > expose web services to our customers. We are securing these services by
> > using HTTPS and WS-Security (user name and password token). Everything
> > works well so far.
> >
> > After an external audit, we got the new requirement to monitor the
> > failed authentication attempts per user and block the user if the
> > failed authentication counter reaches a (configurable) limit.
> >
> > 1) Do we have such a functionality in a "special" WSS4JInInterceptor?
> > 2) If not, which solution would you recommend?
> >   a) Extending the WSS4JInInterceptor - isn't as easy as it should be to
> > fulfill my needs.
> >   b) Writing our own interceptors. An in-interceptor to check whether the
> > user is already blocked and to store the user name in a thread local. An
> > out-interceptor to increase the failed counter (if the authentication
> > failed) or to reset the failed counter (if the authentication was
> > successful).
> >   c) Somehow different?
> >
> > [1] http://cxf.apache.org/docs/ws-security.html
> >
> > Thanks in advance,
> > Christian
> > -----------------
> >
> > Software Integration Specialist
> >
> > Apache Camel committer: https://camel.apache.org/team
> > V.P. Apache Camel: https://www.apache.org/foundation/
> > Apache Member: https://www.apache.org/foundation/members.html
> >
> > https://www.linkedin.com/pub/christian-mueller/11/551/642
> >
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
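
The approach recommended in the thread above, as an added example (not part of the original messages and not WSS4J or CXF code): a subclass of the WSS4J 1.6 `UsernameTokenValidator` that counts failed validations per user name and rejects the user once a configurable limit is reached. The class name, the `unlock` helper, the default limit of 5 and the in-memory counter store are assumptions.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.concurrent.atomic.AtomicInteger;

import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.validate.Credential;
import org.apache.ws.security.validate.UsernameTokenValidator;

// Hypothetical class: per-user failed-authentication counter with lockout.
public class LockoutUsernameTokenValidator extends UsernameTokenValidator {

    // Assumption: in-memory, per-JVM store. A clustered deployment needs a
    // shared store, and entries should expire so the map cannot grow unbounded.
    private final ConcurrentMap<String, AtomicInteger> failures =
        new ConcurrentHashMap<String, AtomicInteger>();
    private volatile int maxFailures = 5; // assumed default, configurable

    public void setMaxFailures(int maxFailures) { this.maxFailures = maxFailures; }

    // Hypothetical administrative hook to unblock a user.
    public void unlock(String user) { failures.remove(user); }

    @Override
    public Credential validate(Credential credential, RequestData data)
            throws WSSecurityException {
        if (credential == null || credential.getUsernametoken() == null
                || credential.getUsernametoken().getName() == null) {
            throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
        }
        String user = credential.getUsernametoken().getName();
        AtomicInteger count = failures.get(user);
        // A blocked user is rejected before the password is checked, with the
        // same error as a wrong password, so the fault does not reveal lockout.
        if (count != null && count.get() >= maxFailures) {
            throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
        }
        try {
            Credential validated = super.validate(credential, data);
            failures.remove(user); // successful authentication resets the counter
            return validated;
        } catch (WSSecurityException ex) {
            // Every validation failure counts as one failed attempt.
            AtomicInteger fresh = new AtomicInteger();
            AtomicInteger existing = failures.putIfAbsent(user, fresh);
            (existing != null ? existing : fresh).incrementAndGet();
            throw ex;
        }
    }
}
```

An instance is registered under the "ws-security.ut.validator" property named in the reply. Because the counters are keyed by user names taken from incoming requests, log each lockout and bound or expire the entries in production.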
