Hi,
> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> Sent: Thursday, 9 January 2014 14:48
> To: Andrei Shakirin
> Subject: CXF - JAAS
>
> Hi Andrei,
>
> Thank you very much for your answer to my post on CXF mail list.
>
> I've read all related documentation and I think I understand the general
> ideas.
>
> At this point my problem is lack of knowledge in CXF but also in JAAS, so I
> feel I need additional suggestions on how to finish the link between those two.
>
> I mean ... CXF JAASLoginInterceptor will expect UsernameToken or
> AuthorizationPolicy in the message and
Yes, basically HTTP basic authentication credentials will be available via
AuthorizationPolicy.class (stored into the message on the transport level).
UsernameToken is SOAP specific and I guess not interesting for your JAXRS case.
> LoginContext/NamePasswordCallbackHandler would require some resource
> to check the credentials with.
NamePasswordCallbackHandler implements the standard JAAS CallbackHandler interface
and initializes the JAAS password and name callbacks with the received user/password.
After that, the code:

    LoginContext ctx = new LoginContext(getContextName(), null,
                                        handler, loginConfig);
    ctx.login();

invokes the configured JAAS login modules for the specified context. Login modules can
validate username/password using LDAP, Kerberos, SQL DB, etc.
See the JAAS links for details on how to configure JAAS and implement login modules:
http://www.javaranch.com/journal/2008/04/authentication-using-JAAS.html
This approach is very useful if your container already supports JAAS
and has its own login modules (Karaf, JEE application server, Spring), but you can
also implement that in a plain Java application.
>
> I do not have a clear idea about how to set up those elements.
>
Using JAAS is the standard approach, but perhaps in your use case it is enough just
to validate username/password and roles using SimpleAuthorizingFilter.
See
https://svn.apache.org/repos/asf/cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/SimpleAuthorizingFilter.java
and the system test
https://svn.apache.org/repos/asf/cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/JAXRSSimpleSecurityTest.java
for details.
You could also implement your own ContainerRequestFilter (JAXRS 2.0, CXF 3.0.0) or
RequestHandler (JAXRS 1.1, CXF 2.7.X) and validate credentials there - the decision
depends on your use case.
> Again thank you for your help.
You're welcome.
>
> Best regards,
>
> Rafael B.C.
>
Regards,
Andrei.