Thanks for clarifying things. I'll go about having both WSS4J and JAAS use the same user credentials source.
Much appreciated!

Freeman Fang wrote:
>
> Hi,
> My comment inline.
> On 2010-5-28, at 6:23 AM, IvanMiletic wrote:
>
>>
>> Hi,
>>
>> First off, I'm pretty new to all of this. I'm using ServiceMix 3.3.2.
>>
>> I wanted to secure the cxf-wsdl-first example using WS-Sec and only a
>> plaintext UsernameToken. I added a policy to the wsdl file, which you can
>> find here: http://old.nabble.com/file/p28700520/person.wsdl person.wsdl . I
>> didn't really change anything else.
>>
>> My understanding was that the cxf-bc would just use JAAS out-of-the-box to
>> authenticate a user. I guess I was wrong. I got an exception about the
>> WSS4JInInterceptor's getPasswordCB containing a null reference. Looking
>> throughout the web, I see that people explicitly add the WSS4JInInterceptor,
>> with references to their own password callbacks, which in turn also do some
>> kind of password check.
>>
>> I'm confused, because now it looks to me like both WSS4J and JAAS are doing
>> authentication. Is that correct? If so, why?
>
> Yeah, both wss4j and JAAS are doing authentication.
> About wss4j, the callback handler must be here, as it's requested by
> wss4j; this is ws-security concept auth, and we can't skip it when we
> introduce ws-security, which brings us username/password with the soap
> security header.
> About JAAS, we can get the username/password from the ws-security
> UsernameToken soap header and delegate to the smx AuthenticationService;
> that's what JbiJAASInterceptor does, this is smx auth.
> So here we actually have two auths, one from the ws-security
> UsernameToken (can only do username/password) and one from the smx
> AuthenticationService (can do username/password and role definition).
> However, in the callback handler, you can load
> $SMX_HOME/conf/users-passwords.properties programmatically and set the
> password accordingly; I believe that this way it meets your requirement
> for only one source of userinfo.
>
> Or if you only want to do username/password auth and you don't care about
> the role provided by smx, you can use only the ws-security UsernameToken;
> you need to add the delegateToJaas="false" flag to the cxfbc consumer
> endpoint to bypass the JbiJAASInterceptor.
>
> Note: delegateToJaas is a newly added flag which is tracked by
> SMXCOMP-697[1]; if you use the latest released Apache Servicemix 3.3.2,
> you can use it.
>
> [1] https://issues.apache.org/activemq/browse/SMXCOMP-697
>
> Freeman
>
>>
>> I would like for there to only be one source for user info.
>>
>> Thanks,
>>
>> --
>> View this message in context:
>> http://old.nabble.com/CXF-BC-WS-Sec-Auth-tp28700520p28700520.html
>> Sent from the ServiceMix - User mailing list archive at Nabble.com.
>>
>
>
> --
> Freeman Fang
> ------------------------
> Open Source SOA: http://fusesource.com
>
>

--
View this message in context: http://old.nabble.com/CXF-BC-WS-Sec-Auth-tp28700520p28734875.html
Sent from the ServiceMix - User mailing list archive at Nabble.com.
