Hi,
My comment inline.
On 2010-5-28, at 6:23 AM, IvanMiletic wrote:
Hi,
First off, I'm pretty new to all of this. I'm using ServiceMix 3.3.2.
I wanted to secure the cxf-wsdl-first example using WS-Sec and only a plaintext UsernameToken. I added a policy to the wsdl file, which you can find here: http://old.nabble.com/file/p28700520/person.wsdl (person.wsdl). I didn't really change anything else.
My understanding was that the cxf-bc would just use JAAS out-of-the-box to authenticate a user. I guess I was wrong. I got an exception about the WSS4JInInterceptor's getPasswordCB containing a null reference. Looking throughout the web, I see that people explicitly add the WSS4JInInterceptor, with references to their own password callbacks, which in turn also does some kind of password check.
I'm confused, because now it looks to me like both WSS4J and JAAS are doing authentication. Is that correct? If so, why?
Yeah, both wss4j and JAAS are doing authentication.
About wss4j, the callback handler must be here, as it's requested by wss4j. This is ws-security concept auth; we can't skip it when we introduce ws-security, which brings us username/password with the soap security header.
About JAAS, we can get username/password from the ws-security UsernameToken soap header and delegate to smx AuthenticationService; that's what JbiJAASInterceptor does. This is smx auth.
So here we actually have two auths, one from ws-security UsernameToken (can only do username/password) and one from smx AuthenticationService (can do username/password and role definition).
However, in the callback handler, you can load $SMX_HOME/conf/users-passwords.properties programmatically and set the password accordingly. I believe this way it meets your requirement for only one source of userinfo.
Or if you only want to do username/password auth and you don't care about the role provided by smx, you can use only the ws-security UsernameToken; you need to add the delegateToJaas="false" flag to the cxfbc consumer endpoint to bypass the JbiJAASInterceptor.
Note: delegateToJaas is a newly added flag which is tracked by SMXCOMP-697[1]; if you use the latest released Apache Servicemix 3.3.2, you can use it.
[1]https://issues.apache.org/activemq/browse/SMXCOMP-697
Freeman
I would like for there to only be one source for user info.
Thanks,
--
View this message in context:
http://old.nabble.com/CXF-BC-WS-Sec-Auth-tp28700520p28700520.html
Sent from the ServiceMix - User mailing list archive at Nabble.com.
--
Freeman Fang
------------------------
Open Source SOA: http://fusesource.com
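
A sketch of the callback handler described in the reply, added here as an example and not code from the thread or from ServiceMix. It assumes the WSS4J 1.5.x callback API (package org.apache.ws.security), where a plaintext UsernameToken reaches the handler with usage USERNAME_TOKEN_UNKNOWN and the handler itself must reject a wrong password; the class name and the usersFile property are hypothetical.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.MessageDigest;
import java.util.Properties;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

// Added example: class name and usersFile property are hypothetical.
public class SmxUsersPasswordCallback implements CallbackHandler {
    private String usersFile; // path to conf/users-passwords.properties (user=password lines)

    public void setUsersFile(String usersFile) { this.usersFile = usersFile; }

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        Properties users = load();
        for (int i = 0; i < callbacks.length; i++) {
            if (!(callbacks[i] instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callbacks[i]);
            }
            WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
            String id = pc.getIdentifer(); // method name as spelled in WSS4J 1.5.x
            String expected = (id == null) ? null : users.getProperty(id);
            if (expected == null) {
                throw new IOException("authentication failed"); // same message as a bad password
            }
            if (pc.getUsage() == WSPasswordCallback.USERNAME_TOKEN_UNKNOWN) {
                // Plaintext token: the received password is in the callback and this
                // handler is the only check. Calling setPassword() here validates nothing.
                String got = (pc.getPassword() == null) ? "" : pc.getPassword();
                if (!MessageDigest.isEqual(got.getBytes("UTF-8"), expected.getBytes("UTF-8"))) {
                    throw new IOException("authentication failed");
                }
            } else {
                // Digest token: WSS4J computes the digest from the password supplied here.
                pc.setPassword(expected);
            }
        }
    }

    private Properties load() throws IOException {
        Properties p = new Properties();
        InputStream in = new FileInputStream(usersFile);
        try { p.load(in); } finally { in.close(); }
        return p;
    }
}
```

With delegateToJaas="false" this handler is the only authentication step on the endpoint, so a handler that merely sets the password for a plaintext token would accept any password under the assumed 1.5.x behaviour.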