Thanks Andrie.
I have authenticated & authorized the user using a RequestHandler and
@RolesAllowed.
In implementation class of REST service securityContext.getUserPrincipal();is
NULL. So I had to do the following. Is this the best approach. Please let me
know.
@Resource
MessageContext messageContext;
@Override
protected void getUsername()
{
for (String authHeader :
messageContext.getHttpHeaders().getRequestHeader("Authorization"))
{
if (authHeader.startsWith("Basic"))
{
try
{
String auth =
new String(Base64Utility.decode(authHeader.substring(authHeader.indexOf("Basic
")
+ "Basic ".length())));
LOG.debug("UserName: [" + auth.substring(0, auth.indexOf(58)) + "]");
}
catch (Base64Exception e)
{
LOG.error(e);
}
}
}
}
Regards
Paul
On Wednesday, May 7, 2014 4:08 PM, Andrei Shakirin <[email protected]> wrote:
Hi Paul,
a) If user is not authenticated, the getting username and password depending on
authentication schema. For example for HTTP basic, CXF packs authentication
information into AuthorizationPolicy:
AuthorizationPolicy policy =
(AuthorizationPolicy)message.get(AuthorizationPolicy.class);
String username = policy.getUserName();
String password = policy.getPassword();
b) If user already authenticated, for example with JAAS, you can get user name
from SecurityContext principle:
@Context
SecurityContext securityContext;
...
securityContext.getUserPrincipal();
or in filter:
requestContext.getSecurityContext().getUserPrincipal();
Regards,
Andrei.
From: Paul Avijit [mailto:[email protected]]
Sent: Mittwoch, 7. Mai 2014 00:11
To: [email protected]; Andrei Shakirin
Subject: Re: JAX-RS Security - Authentication
Thanks Andrei.
I have used ContainerRequestFilter and could make it work successfully.
How can I get the username in my service implementation class.
Regards
Paul
On Tuesday, May 6, 2014 6:14 AM, Andrei Shakirin <[email protected]> wrote:
Hi,
I assume you mean JAASAuthenticationFilter.
This filter use JAAS to authenticate users:
http://en.wikipedia.org/wiki/Java_Authentication_and_Authorization_Service
You should set up JAAS configuration for your application server, looks like
for example so for LDAP:
jaas.config:
ldap {
com.sun.security.auth.module.LDAPLoginModule required
initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
connection.username = cn=Directory Manager
connection.password = myPassword
connection.url = ldap://localhost:389
user.base.dn = ou=employees,dc=example,dc=com
user.filter = (uid=%u)
user.search.subtree = true
role.base.dn = ou=roles,dc=example,dc=com
role.filter = (member:=uid=%u)
role.name.attribute = cn
role.search.subtree = true
authentication = simple
};
Refer your Application Server documentation to see where jaas configuration
should be located and which login modules are available.
Alternative you can use non-jaas RequestHandler (ContainerRequestFilter for
jax-rs 2.0) and authenticate user using other mechanism.
Regards,
Andrei.
> -----Original Message-----
> From: Paul Avijit [mailto:[email protected]]
> Sent: Dienstag, 6. Mai 2014 00:32
> To: [email protected]
> Subject: JAX-RS Security - Authentication
>
> Hi,
>
> I have a REST Service which I want to secure by authenticating the user. I
> have
> referred the following CXF user guide link:
> http://cxf.apache.org/docs/secure-jax-rs-services.html#SecureJAX-RSServices-
> Authentication
>
> In the above link, it describes how to configure authentication filter using
> jaxrs
> provider in spring context file.
>
> The authentication filter has a property, contextName and is configured to use
> the login context "BookLogin".
>
> How do I develop and configure this login context in an application server.
> Please help.
>
> Thanks in advance.
>
> Regards
> Paul
