Hi Paul,

As I wrote in my previous mail, you can use AuthorizationPolicy to extract basic 
credentials in case of HTTP basic authentication:

        import org.apache.cxf.configuration.security.AuthorizationPolicy;
        import org.apache.cxf.jaxrs.utils.JAXRSUtils;
        import org.apache.cxf.message.Message;

        // current request message; CXF has already parsed the Basic header into it
        Message message = JAXRSUtils.getCurrentMessage();
        AuthorizationPolicy policy = (AuthorizationPolicy) message.get(AuthorizationPolicy.class);
        String username = policy.getUserName();
        String password = policy.getPassword();

If you authenticate the user yourself in a RequestHandler, I would recommend 
initializing org.apache.cxf.security.SecurityContext with Principals representing 
the user and its roles (if available).
Then these Principals will be available in the rest of the application, independent of 
the authentication scheme.
You can see how to do it in JAASLoginInterceptor.createSecurityContext().

Regards,
Andrei.
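
The wiring Andrei describes, written out as an added example (it is not Andrei's code and not part of Apache CXF): a JAX-RS 2.0 ContainerRequestFilter reads the credentials CXF already parsed into AuthorizationPolicy, checks them against the application's own store, and publishes the result as an org.apache.cxf.security.SecurityContext on the message, so the resource class gets the principal through @Context and @RolesAllowed works without re-parsing the Authorization header. CredentialStore, BasicAuthFilter, WhoAmIResource and the role name "user" are assumed names; the password check itself is left to the store.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.Set;

import javax.annotation.Priority;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Priorities;
import javax.ws.rs.Produces;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

import org.apache.cxf.common.security.SimplePrincipal;
import org.apache.cxf.configuration.security.AuthorizationPolicy;
import org.apache.cxf.jaxrs.utils.JAXRSUtils;
import org.apache.cxf.message.Message;
import org.apache.cxf.security.SecurityContext;

/** Hypothetical application lookup; back it with LDAP, a database, etc. */
interface CredentialStore {
    /** Returns the user's roles when the credentials are valid, or null when they are not. */
    Set<String> authenticate(String username, String password);
}

@Provider
@PreMatching
@Priority(Priorities.AUTHENTICATION)
public class BasicAuthFilter implements ContainerRequestFilter {

    private final CredentialStore store;

    public BasicAuthFilter(CredentialStore store) {
        this.store = store;
    }

    @Override
    public void filter(ContainerRequestContext requestContext) {
        // CXF has already parsed the Basic Authorization header into an AuthorizationPolicy
        Message message = JAXRSUtils.getCurrentMessage();
        AuthorizationPolicy policy = message.get(AuthorizationPolicy.class);
        if (policy == null || policy.getUserName() == null) {
            requestContext.abortWith(unauthorized());
            return;
        }

        Set<String> roles = store.authenticate(policy.getUserName(), policy.getPassword());
        if (roles == null) {
            // invalid credentials: reject before any resource method is matched
            requestContext.abortWith(unauthorized());
            return;
        }

        // Publish the identity as a CXF SecurityContext. @Context SecurityContext,
        // requestContext.getSecurityContext() and @RolesAllowed all read from it,
        // whatever authentication scheme produced it.
        final Principal user = new SimplePrincipal(policy.getUserName());
        final Set<String> grantedRoles = Collections.unmodifiableSet(roles);
        message.put(SecurityContext.class, new SecurityContext() {
            @Override
            public Principal getUserPrincipal() {
                return user;
            }

            @Override
            public boolean isUserInRole(String role) {
                return grantedRoles.contains(role);
            }
        });
    }

    private static Response unauthorized() {
        return Response.status(Response.Status.UNAUTHORIZED)
                .header("WWW-Authenticate", "Basic realm=\"rest\"")
                .build();
    }
}

/** Resource class (normally its own file); the principal is available without touching headers. */
@Path("/whoami")
class WhoAmIResource {

    @Context
    javax.ws.rs.core.SecurityContext securityContext;

    @GET
    @Produces("text/plain")
    @RolesAllowed("user")
    public String whoAmI() {
        return securityContext.getUserPrincipal().getName();
    }
}
```

Register BasicAuthFilter as a provider on the endpoint; @RolesAllowed is enforced only when CXF's SecureAnnotationsInterceptor is configured on the same endpoint, and it evaluates roles through the SecurityContext the filter put on the message.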

From: Paul Avijit [mailto:[email protected]] 
Sent: Wednesday, 7 May 2014 22:39
To: [email protected]; Andrei Shakirin
Subject: Re: JAX-RS Security - Authentication

Thanks Andrei.

I have authenticated & authorized the user using a RequestHandler and 
@RolesAllowed.

In the implementation class of the REST service, securityContext.getUserPrincipal() 
is NULL. So I had to do the following. Is this the best approach? Please let me 
know.

        import java.nio.charset.StandardCharsets;
        import java.util.List;

        import org.apache.cxf.common.util.Base64Exception;
        import org.apache.cxf.common.util.Base64Utility;
        import org.apache.cxf.jaxrs.ext.MessageContext;

        @Resource
        MessageContext messageContext;

        @Override
        protected void getUsername()
        {
                List<String> authHeaders = messageContext.getHttpHeaders().getRequestHeader("Authorization");
                if (authHeaders == null)
                {
                        return; // no Authorization header on this request
                }
                for (String authHeader : authHeaders)
                {
                        if (authHeader.startsWith("Basic"))
                        {
                                try
                                {
                                        // decode the "user:password" pair that follows "Basic "
                                        String auth = new String(Base64Utility.decode(
                                                authHeader.substring(authHeader.indexOf("Basic ") + "Basic ".length())),
                                                StandardCharsets.UTF_8);
                                        // the user name is everything before the first ':' (char 58)
                                        int sep = auth.indexOf(':');
                                        String username = sep < 0 ? auth : auth.substring(0, sep);
                                        LOG.debug("UserName: [" + username + "]");
                                }
                                catch (Base64Exception e)
                                {
                                        LOG.error(e);
                                }
                        }
                }
        }

Regards
Paul
On Wednesday, May 7, 2014 4:08 PM, Andrei Shakirin <[email protected]> wrote:
Hi Paul,

a) If the user is not authenticated, getting the username and password depends on 
the authentication scheme. For example, for HTTP basic, CXF packs the authentication 
information into AuthorizationPolicy:

        import org.apache.cxf.configuration.security.AuthorizationPolicy;

        // message: the current org.apache.cxf.message.Message
        AuthorizationPolicy policy = (AuthorizationPolicy) message.get(AuthorizationPolicy.class);
        String username = policy.getUserName();
        String password = policy.getPassword();

b) If the user is already authenticated, for example with JAAS, you can get the user 
name from the SecurityContext principal:

        @Context
        SecurityContext securityContext;
        ...
        securityContext.getUserPrincipal();

or in a filter:

        requestContext.getSecurityContext().getUserPrincipal();

Regards,
Andrei.

From: Paul Avijit [mailto:[email protected]] 
Sent: Wednesday, 7 May 2014 00:11
To: [email protected]; Andrei Shakirin
Subject: Re: JAX-RS Security - Authentication

Thanks Andrei.

I have used ContainerRequestFilter and could make it work successfully.

How can I get the username in my service implementation class?

Regards
Paul
On Tuesday, May 6, 2014 6:14 AM, Andrei Shakirin <[email protected]> wrote:
Hi,

I assume you mean JAASAuthenticationFilter.
This filter uses JAAS to authenticate users:
http://en.wikipedia.org/wiki/Java_Authentication_and_Authorization_Service

You should set up the JAAS configuration for your application server; for LDAP, 
for example, it looks like this:
jaas.config:
ldap { 
    com.sun.security.auth.module.LDAPLoginModule required
    initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
    connection.username = cn=Directory Manager
    connection.password = myPassword
    connection.url = ldap://localhost:389
    user.base.dn = ou=employees,dc=example,dc=com
    user.filter = (uid=%u)
    user.search.subtree = true
    role.base.dn = ou=roles,dc=example,dc=com
    role.filter = (member:=uid=%u)
    role.name.attribute = cn
    role.search.subtree = true
    authentication = simple
};

Refer to your application server documentation to see where the JAAS configuration 
should be located and which login modules are available.

Alternatively, you can use a non-JAAS RequestHandler (ContainerRequestFilter for 
JAX-RS 2.0) and authenticate the user using another mechanism.

Regards,
Andrei.

> -----Original Message-----
> From: Paul Avijit [mailto:[email protected]]
> Sent: Tuesday, 6 May 2014 00:32
> To: [email protected]
> Subject: JAX-RS Security - Authentication
> 
> Hi,
> 
> I have a REST Service which I want to secure by authenticating the user. I have
> referred to the following CXF user guide link:
> http://cxf.apache.org/docs/secure-jax-rs-services.html#SecureJAX-RSServices-Authentication
> 
> In the above link, it describes how to configure an authentication filter using the
> jaxrs provider in the Spring context file.
> 
> The authentication filter has a property, contextName, and is configured to use
> the login context "BookLogin".
> 
> How do I develop and configure this login context in an application server?
> Please help.
> 
> Thanks in advance.
> 
> Regards
> Paul
