On Mon, Aug 13, 2018 at 3:44 PM, Colm O hEigeartaigh <[email protected]> wrote:
>
> You don't. You just set the principal on the Credential Object that the
> Validator returns, and CXF takes care of populating the SecurityContext for
> you.
>

Ah you mean in this line?

credential.setPrincipal(securityContext.getAuthentication().getPrincipal());

That's the Spring SecurityContext not the CXF one.

Colm.

>>
>> And who has it created? Another interceptor that is called earlier?
>>
>
> It's created by the WSS4JInInterceptor after processing the security
> requirements:
>
> https://github.com/apache/cxf/blob/c7eee85aaebdfaae988adfcf8cc43206e568fda8/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java#L558
> https://github.com/apache/cxf/blob/master/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/DefaultWSS4JSecurityContextCreator.java
>
> Colm.
>
>>
>> Thanks
>> Stephan
>>
>>
>> -----Original Message-----
>> From: Colm O hEigeartaigh <[email protected]>
>> Sent: Monday, 13 August 2018 13:07
>> To: [email protected]
>> Subject: Re: How to get username of authenticated user to create a token
>> for a downstream call
>>
>> An alternative could be to set the principal on the returned Credential
>> object in your validator, for example:
>>
>> credential.setPrincipal(securityContext.getAuthentication().getPrincipal());
>>
>> CXF will use this to set up a SecurityContext object which returns this
>> principal via "securityContext.getUserPrincipal()". This is stored in
>> the current message via the key "SecurityContext.class" so you could
>> retrieve this object in your interceptor and extract the principal from it.
>>
>> Colm.
>>
>> On Tue, Aug 7, 2018 at 4:14 PM, Burkard Stephan <[email protected]> wrote:
>>
>> > Yes, you understood it correctly.
>> >
>> > Thanks a lot, I was able to find a solution with the help of your code
>> > snippets.
>> >
>> > Interestingly enough: since I use Apache Camel I can simply set an
>> > ExchangeProperty on the Camel Exchange and Camel automatically copies
>> > it on the CXF RequestContext. Very convenient!
>> >
>> > In my TokenInterceptor I can read the property in the addToken method
>> > and use it to create the token.
>> >
>> > Thanks a lot
>> > Stephan
>> >
>> >
>> > -----Original Message-----
>> > From: Andrei Shakirin <[email protected]>
>> > Sent: Monday, 6 August 2018 22:45
>> > To: [email protected]
>> > Subject: RE: How to get username of authenticated user to create a
>> > token for a downstream call
>> >
>> > Hi,
>> >
>> > Not 100% sure that I understood your use case correctly.
>> > If you have the authenticated user in your service implementation from
>> > SecurityContext, you can simply set a property in the client call context
>> > and read this property in your client Token interceptor:
>> >
>> > ((BindingProvider)proxy).getRequestContext().put("thread.local.request.context", "true");
>> > myUser = securityContext.getAuthentication().getPrincipal();
>> > ((BindingProvider)proxy).getRequestContext().put("authenticatedUser", myUser);
>> >
>> > ...
>> > public class TokenInterceptor extends AbstractPhaseInterceptor<Message> {
>> >
>> >     public void handleMessage(Message message) {
>> >         String username = (String) message.getContextualProperty("authenticatedUser");
>> >         ...
>> >     }
>> > }
>> >
>> > Regards,
>> > Andrei.
>> >
>> > > -----Original Message-----
>> > > From: Burkard Stephan [mailto:[email protected]]
>> > > Sent: Friday, 3 August 2018 15:13
>> > > To: [email protected]
>> > > Subject: How to get username of authenticated user to create a token
>> > > for a downstream call
>> > >
>> > > Hi
>> > >
>> > > I try to accomplish something I thought is quite a standard use case.
>> > > I was probably wrong since I did not find a complete example for it.
>> > >
>> > > Goal: Build a secured CXF/SpringBoot webservice that calls other
>> > > secured webservice(s).
>> > > Setup: SpringBoot (1.5.x), CXF (3.1.x), WSS4J (2.1.x), Spring Security (4.2.x)
>> > >
>> > > **What I want to accomplish**
>> > >
>> > > - My CXF/SpringBoot webservice must authenticate requests against LDAP.
>> > >   => I have a working Spring Security setup with
>> > >      AuthenticationManager, UserDetailsService etc.
>> > >   => This setup depends on the Spring SecurityContext.
>> > >
>> > > - My CXF/SpringBoot webservice must accept WSS Username/Password
>> > >   (Plaintext).
>> > >   => I use a combination of SAAJInInterceptor and WSS4JInInterceptor
>> > >      (no password callback!) to create a UsernameToken from the WSS header.
>> > >   => I use a custom "ws-security.ut.validator" to create a Spring
>> > >      SecurityContext from the UsernameToken and authenticate the user
>> > >      against LDAP.
>> > >
>> > > - My CXF/SpringBoot webservice must call a downstream webservice
>> > >   that accepts a proprietary token type.
>> > >   => This requires another CXF (client) endpoint configuration.
>> > >   => I use a custom out-interceptor that extends
>> > >      AbstractTokenInterceptor to add the proprietary token to the request.
>> > >   => However, currently the username is hardcoded because I don't
>> > >      know where to get it.
>> > >
>> > > Question: In my Spring SecurityContext I have the authenticated user.
>> > > But how can I "hand over" the username to the TokenInterceptor?
>> > >
>> > > Question: Let's assume I do two downstream calls to finally create
>> > > the response for the initial service request. Are these calls
>> > > individual "contexts" from a CXF point of view or is there some kind
>> > > of "management" around that holds all data of all the calls?
>> > >
>> > > Thanks
>> > > Stephan
>> >
>>
>>
>> --
>> Colm O hEigeartaigh
>>
>> Talend Community Coder
>> http://coders.talend.com
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
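
An added example (not code from any participant in this thread or from the CXF project) showing the two distinct contexts discussed above: a UsernameToken validator that authenticates through Spring Security and sets the principal on the returned Credential, plus a helper that reads the principal back from the CXF SecurityContext on the inbound message. The class name `LdapUsernameTokenValidator` and the helper `authenticatedUser()` are hypothetical; the example assumes the CXF 3.1.x / WSS4J 2.1.x / Spring Security 4.2.x setup described in the original question.

```java
import java.security.Principal;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.PhaseInterceptorChain;
import org.apache.cxf.security.SecurityContext;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.dom.handler.RequestData;
import org.apache.wss4j.dom.message.token.UsernameToken;
import org.apache.wss4j.dom.validate.Credential;
import org.apache.wss4j.dom.validate.Validator;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;

// Hypothetical class name; registered under "ws-security.ut.validator".
public class LdapUsernameTokenValidator implements Validator {
    private final AuthenticationManager authManager;
    public LdapUsernameTokenValidator(AuthenticationManager authManager) {
        this.authManager = authManager;
    }

    @Override
    public Credential validate(Credential credential, RequestData data) throws WSSecurityException {
        UsernameToken ut = credential.getUsernametoken();
        if (ut == null || ut.getName() == null || ut.getPassword() == null) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
        }
        try {
            Authentication auth = authManager.authenticate(
                new UsernamePasswordAuthenticationToken(ut.getName(), ut.getPassword()));
            SecurityContextHolder.getContext().setAuthentication(auth);
            // Authentication is a java.security.Principal; CXF builds its own SecurityContext from it.
            credential.setPrincipal(auth);
            return credential;
        } catch (AuthenticationException e) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION, e);
        }
    }

    // Hypothetical helper: call from the service implementation, before the downstream call.
    public static String authenticatedUser() {
        Message inbound = PhaseInterceptorChain.getCurrentMessage();
        SecurityContext cxfContext = inbound == null ? null : inbound.get(SecurityContext.class);
        Principal p = cxfContext == null ? null : cxfContext.getUserPrincipal();
        if (p == null) { throw new IllegalStateException("no authenticated principal"); }
        return p.getName();
    }
}
```

The returned name can then be placed in the client request context under the "authenticatedUser" key used in Andrei's reply, so the out-interceptor reads it as a contextual property instead of a hardcoded username.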
