On Mon, Aug 13, 2018 at 1:26 PM, Burkard Stephan <[email protected]> wrote:

> Sounds great. But where do I get the "securityContext" from in my
> validator?

You don't. You just set the principal on the Credential Object that the
Validator returns, and CXF takes care of populating the SecurityContext
for you.

> And who has it created? Another interceptor that is called earlier?

It's created by the WSS4JInInterceptor after processing the security
requirements:

https://github.com/apache/cxf/blob/c7eee85aaebdfaae988adfcf8cc43206e568fda8/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java#L558

https://github.com/apache/cxf/blob/master/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/DefaultWSS4JSecurityContextCreator.java

Colm.

> Thanks
> Stephan
>
> -----Original Message-----
> From: Colm O hEigeartaigh <[email protected]>
> Sent: Monday, 13 August 2018 13:07
> To: [email protected]
> Subject: Re: How to get username of authenticated user to create a token
> for a downstream call
>
> An alternative could be to set the principal on the returned Credential
> object in your validator, for example:
>
> credential.setPrincipal(securityContext.getAuthentication().getPrincipal());
>
> CXF will use this to set up a SecurityContext object which returns this
> principal via "securityContext.getUserPrincipal()". This is stored in the
> current message via the key "SecurityContext.class" so you could retrieve
> this object in your interceptor and extract the principal from it.
>
> Colm.
>
> On Tue, Aug 7, 2018 at 4:14 PM, Burkard Stephan <[email protected]>
> wrote:
>
> > Yes, you understood it correctly.
> >
> > Thanks a lot, I was able to find a solution with the help of your code
> > snippets.
> >
> > Interestingly enough: since I use Apache Camel I can simply set an
> > ExchangeProperty on the Camel Exchange and Camel automatically copies
> > it to the CXF RequestContext. Very convenient!
> >
> > In my TokenInterceptor I can read the property in the addToken method
> > and use it to create the token.
> >
> > Thanks a lot
> > Stephan
> >
> > -----Original Message-----
> > From: Andrei Shakirin <[email protected]>
> > Sent: Monday, 6 August 2018 22:45
> > To: [email protected]
> > Subject: RE: How to get username of authenticated user to create a
> > token for a downstream call
> >
> > Hi,
> >
> > Not 100% sure that I understood your use case correctly.
> > If you have the authenticated user in your service implementation from
> > SecurityContext, you can simply set a property in the client call
> > context and read this property in your client Token interceptor:
> >
> >     ((BindingProvider)proxy).getRequestContext().put("thread.local.request.context", "true");
> >     myUser = securityContext.getAuthentication().getPrincipal();
> >     ((BindingProvider)proxy).getRequestContext().put("authenticatedUser", myUser);
> >
> >     ...
> >     public class TokenInterceptor extends AbstractPhaseInterceptor<Message> {
> >
> >         public void handleMessage(Message message) {
> >             // getContextualProperty returns Object, so a cast is needed
> >             String username = (String) message.getContextualProperty("authenticatedUser");
> >             ...
> >         }
> >     }
> >
> > Regards,
> > Andrei.
> >
> > > -----Original Message-----
> > > From: Burkard Stephan [mailto:[email protected]]
> > > Sent: Friday, 3 August 2018 15:13
> > > To: [email protected]
> > > Subject: How to get username of authenticated user to create a token
> > > for a downstream call
> > >
> > > Hi
> > >
> > > I am trying to accomplish something I thought was quite a standard
> > > use case. I was probably wrong since I did not find a complete
> > > example for it.
> > >
> > > Goal: Build a secured CXF/SpringBoot webservice that calls other
> > > secured webservice(s).
> > > Setup: SpringBoot (1.5.x), CXF (3.1.x), WSS4J (2.1.x), Spring
> > > Security (4.2.x)
> > >
> > > **What I want to accomplish**
> > >
> > > - My CXF/SpringBoot webservice must authenticate requests against LDAP.
> > >   => I have a working Spring Security setup with
> > >      AuthenticationManager, UserDetailsService etc.
> > >   => This setup depends on the Spring SecurityContext.
> > >
> > > - My CXF/SpringBoot webservice must accept WSS Username/Password
> > >   (Plaintext).
> > >   => I use a combination of SAAJInInterceptor and WSS4JInInterceptor
> > >      (no password callback!) to create a UsernameToken from the WSS
> > >      header.
> > >   => I use a custom "ws-security.ut.validator" to create a Spring
> > >      SecurityContext from the UsernameToken and authenticate the user
> > >      against LDAP.
> > >
> > > - My CXF/SpringBoot webservice must call a downstream webservice
> > >   that accepts a proprietary token type.
> > >   => This requires another CXF (client) endpoint configuration.
> > >   => I use a custom out-interceptor that extends
> > >      AbstractTokenInterceptor to add the proprietary token to the
> > >      request.
> > >   => However, currently the username is hardcoded because I don't
> > >      know where to get it.
> > >
> > > Question: In my Spring SecurityContext I have the authenticated user.
> > > But how can I "hand over" the username to the TokenInterceptor?
> > >
> > > Question: Let's assume I do two downstream calls to finally create
> > > the response for the initial service request. Are these calls
> > > individual "contexts" from a CXF point of view or is there some kind
> > > of "management" around that holds all data of all the calls?
> > >
> > > Thanks
> > > Stephan
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
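
An added example, not code from this thread or from the CXF project: a UsernameToken validator that sets the principal on the Credential it returns, as described in the reply above, plus a helper that reads that principal back from the SecurityContext stored on the inbound message. The class names LdapUsernameTokenValidator and InboundUser are hypothetical; it assumes a Spring AuthenticationManager is injected and uses the Spring Authentication object itself as the principal.

```java
// Added example; LdapUsernameTokenValidator and InboundUser are hypothetical names.
import java.security.Principal;
import org.apache.cxf.message.Message;
import org.apache.cxf.security.SecurityContext;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.dom.handler.RequestData;
import org.apache.wss4j.dom.message.token.UsernameToken;
import org.apache.wss4j.dom.validate.Credential;
import org.apache.wss4j.dom.validate.Validator;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;

public class LdapUsernameTokenValidator implements Validator {
    private final AuthenticationManager authenticationManager;

    public LdapUsernameTokenValidator(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    @Override
    public Credential validate(Credential credential, RequestData data) throws WSSecurityException {
        UsernameToken token = credential == null ? null : credential.getUsernametoken();
        // Fail closed on a missing token, name or password.
        if (token == null || token.getName() == null || token.getPassword() == null) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
        }
        try {
            Authentication auth = authenticationManager.authenticate(
                new UsernamePasswordAuthenticationToken(token.getName(), token.getPassword()));
            // Authentication extends java.security.Principal, so it can be set directly;
            // CXF builds its SecurityContext from the principal on the returned Credential.
            credential.setPrincipal(auth);
            return credential;
        } catch (AuthenticationException e) {
            // Same generic error for unknown user and bad password.
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION, e);
        }
    }
}

class InboundUser {
    // Reads the principal from the SecurityContext stored on the inbound message.
    static String nameFrom(Message inbound) {
        SecurityContext sc = inbound.get(SecurityContext.class);
        Principal p = sc == null ? null : sc.getUserPrincipal();
        if (p == null) throw new SecurityException("no authenticated principal on inbound message");
        return p.getName();
    }
}
```

The name returned by `InboundUser.nameFrom` can then be placed in the client request context under a key such as "authenticatedUser", as in the snippet quoted earlier in the thread, instead of hardcoding it in the token interceptor.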
