Hi Christian,
meanwhile I was also able to access a simple CXF endpoint from remote that has
been defined in blueprint, including authorization and authentication. My only
remaining problem with that solution is that I don't know how to define
something like a placeholder for the address value to get an IP-specific
address. A placeholder definition value like {{hostIP}} doesn't seem to be
replaced.
Is there maybe another way to achieve this?
Thanks
Christian
--
Christian Niehues
________________________________
From: Christian Schneider <[email protected]>
Sent: Monday, 29 October 2018 16:57:14
To: [email protected]
Subject: Re: Aries RSA: securing exported services with ExportPolicy
Hi Christian,
the JAASAuthenticationFeature only does authentication.
When deployed in karaf the default realm should be fine.
For authorisation see e.g. the SimpleAuthorizingInterceptor.
http://cxf.apache.org/docs/securing-cxf-services.html
Christian
On Mon, 29 Oct 2018 at 09:42, Niehues, Christian <[email protected]> wrote:
I was not able to add an interceptor by setting a service property (I used
"org.apache.cxf.ws.in.interceptors").
But I followed your advice and tried to use a CXF feature. I noticed that there
is a ready-to-use JAASAuthenticationFeature so I registered it as a service
intent. If I understand it right I can select the realm to use by setting the
contextname of the feature, but is it also possible to choose a specific group
or user?
Thanks
Christian
________________________________
From: Christian Schneider <[email protected]>
Sent: Friday, 26 October 2018 12:44:05
To: [email protected]
Subject: Re: Aries RSA: securing exported services with ExportPolicy
Any webservice exported using blueprint is accessible from remote. You will
only not see it as a rsa remote service.
What I meant is: can you export your service using rsa but without an Export
policy if you add the interceptor as a service property? I am not sure if this
kind of interceptor works with the current cxf dosgi versions.
In general the recommended practice for securing services is using a CXF
feature and refer to it as an intent. For example the new CXF logging feature
registers itself as an intent.
https://github.com/apache/cxf/blob/master/rt/features/logging/src/main/java/org/apache/cxf/ext/logging/osgi/Activator.java#L89-L90
The rest example readme shows how to add such an intent to your service:
https://github.com/apache/cxf-dosgi/blob/59e432afabb2a8f6a812b2a8f12cda68f4bfa775/samples/rest/README.md#add-logging-intent
(Basically you simply add a service property "service.exported.intents" with
your intent name as value).
This way you could create a feature that adds the security interceptors and
export it with intent name "mysecurity" and then add the service property above
to all services that should be secured.
The ExportPolicy is only needed if you want to add this property transparently
to your services without touching them.
Christian
On Fri, 26 Oct 2018 at 12:27, Niehues, Christian <[email protected]> wrote:
It works if I define the service as CXF endpoint in blueprint. But if I set it
there it is not published as RSA endpoint and so it seems it's not accessible
from remote.
Christian
________________________________
From: Christian Schneider <[email protected]>
Sent: Thursday, 25 October 2018 17:24:40
To: [email protected]
Subject: Re: Aries RSA: securing exported services with ExportPolicy
Does it work if you set the interceptor directly on the service?
Christian
On Thu, 25 Oct 2018 at 08:57, Niehues, Christian <[email protected]> wrote:
Hi,
I try to export a service in my karaf to be able to process SOAP messages sent
from remote client but I am facing problems to secure it. The documentation for
Aries RSA about the TopologyManager notes that ExportPolicy implementations can
be used to add authentication but I am missing further details.
I tried to achieve it by adding an interceptor in my ExportPolicy but that
seems not to help:
props.put("service.exported.configs", "org.apache.cxf.ws");
props.put("org.apache.cxf.ws.address", "http://192.168.1.100:9000/sync");
props.put("org.apache.cxf.ws.in.interceptors", "com.acme.MyInterceptor");
com.acme.MyInterceptor extends
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor
I also tried to provide the Interceptor classname as List<String> or String[]
but that didn't work either, the interceptor never gets invoked when sending
messages.
So what am I doing wrong, or is there any other/better way to secure a service
provided by Aries RSA?
Thanks,
Christian
--
--
Christian Schneider
http://www.liquid-reality.de
Computer Scientist
http://www.adobe.com
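
Added example, not part of the original thread or of the CXF / Aries RSA code bases: a bundle activator that follows the approach recommended in the replies above, registering a CXF feature under the intent name "mysecurity" and exporting a service that requires it. It combines JAAS authentication with the SimpleAuthorizingInterceptor for the role check. Assumptions: the CXF 3.2-style feature API (protected initializeProvider), the intent-name service property "org.apache.cxf.dosgi.IntentName" used by CXF DOSGi, and the hypothetical names SecurityIntentActivator, SecurityFeature, SyncService and the role "admin".

```java
package com.acme.security; // hypothetical package

import java.util.Dictionary;
import java.util.Hashtable;
import org.apache.cxf.Bus;
import org.apache.cxf.feature.AbstractFeature;
import org.apache.cxf.interceptor.InterceptorProvider;
import org.apache.cxf.interceptor.security.JAASAuthenticationFeature;
import org.apache.cxf.interceptor.security.SimpleAuthorizingInterceptor;
import org.osgi.framework.BundleActivator;
import org.osgi.framework.BundleContext;

public class SecurityIntentActivator implements BundleActivator {

    /** JAAS login (authentication) followed by a role check (authorization). */
    static class SecurityFeature extends JAASAuthenticationFeature {
        @Override
        protected void initializeProvider(InterceptorProvider provider, Bus bus) {
            super.initializeProvider(provider, bus); // adds the JAAS login interceptor
            SimpleAuthorizingInterceptor authz = new SimpleAuthorizingInterceptor();
            authz.setGlobalRoles("admin"); // constructed role; use a role of your realm
            provider.getInInterceptors().add(authz);
        }
    }

    /** Hypothetical service contract and implementation. */
    public interface SyncService { String sync(String payload); }
    static class SyncServiceImpl implements SyncService {
        public String sync(String payload) { return "ok"; }
    }

    @Override
    public void start(BundleContext context) {
        SecurityFeature feature = new SecurityFeature();
        feature.setContextName("karaf"); // Karaf's default JAAS realm
        Dictionary<String, Object> intent = new Hashtable<>();
        intent.put("org.apache.cxf.dosgi.IntentName", "mysecurity");
        context.registerService(AbstractFeature.class.getName(), feature, intent);

        Dictionary<String, Object> props = new Hashtable<>();
        props.put("service.exported.interfaces", "*");
        props.put("service.exported.configs", "org.apache.cxf.ws");
        props.put("org.apache.cxf.ws.address", "http://192.168.1.100:9000/sync");
        props.put("service.exported.intents", "mysecurity"); // require the intent on export
        context.registerService(SyncService.class, new SyncServiceImpl(), props);
    }

    @Override
    public void stop(BundleContext context) { } // framework unregisters the services
}
```

A quick check after deployment is to call the endpoint once without credentials and once with a user lacking the configured role; both requests should be rejected before the service method runs.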