I haven't done that with CXF STS; however, I did it with a regular WSS4J username
token & JAAS:
<bean id="svc" class="org.code_house.cxf.secure.CustomerServiceImpl" />
<jaxws:endpoint id="customerService" implementor="#svc" address="/customer">
    <jaxws:inInterceptors>
        <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
            <argument>
                <map>
                    <entry key="action" value="UsernameToken"/>
                </map>
            </argument>
        </bean>
        <bean class="org.apache.cxf.interceptor.security.JAASLoginInterceptor">
            <property name="contextName" value="test" />
        </bean>
        <bean class="org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor">
            <property name="securedObject" ref="svc"/>
        </bean>
    </jaxws:inInterceptors>
    <jaxws:properties>
        <entry key="ws-security.validate.token" value="false" />
        <!-- Only verification of auth headers
        <entry key="ws-security.ut.validator">
            <bean class="org.apache.ws.security.validate.JAASUsernameTokenValidator">
                <property name="contextName" value="test" />
            </bean>
        </entry>
        -->
    </jaxws:properties>
</jaxws:endpoint>
With this configuration CXF checks @RolesAllowed. Roles are defined in the JAAS
login module.
Best regards,
Lukasz
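The open question in this thread is how to get from a client certificate that the TLS layer has already authenticated to a JAAS Subject carrying roles, so that the SecureAnnotationsInterceptor in a configuration like the one above can enforce @RolesAllowed. The following is an added example, not code from this thread, from Karaf or from CXF: a JAAS LoginModule that receives the peer certificate through a custom callback, takes the subject CN as the user name, and populates the Subject with Karaf UserPrincipal and RolePrincipal objects. The CertificateCallback class and the in-memory CN-to-roles table (a constructed stand-in for users.properties or an LDAP group lookup) are assumptions made for the example.

```java
import java.io.IOException;
import java.security.Principal;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.security.auth.x500.X500Principal;
import org.apache.karaf.jaas.boot.principal.RolePrincipal;
import org.apache.karaf.jaas.boot.principal.UserPrincipal;

// Example login module (not part of Karaf or CXF): maps an already TLS-authenticated
// client certificate to Karaf user and role principals.
public class CertificateLoginModule implements LoginModule {

    // Hypothetical callback through which the caller hands over the peer certificate.
    public static final class CertificateCallback implements Callback {
        private X509Certificate certificate;
        public X509Certificate getCertificate() { return certificate; }
        public void setCertificate(X509Certificate c) { this.certificate = c; }
    }

    // Constructed stand-in for users.properties or an LDAP group lookup: subject CN -> roles.
    private static final Map<String, List<String>> ROLES = new HashMap<String, List<String>>();
    static {
        ROLES.put("billing-system", Arrays.asList("customer-reader", "invoice-writer"));
        ROLES.put("monitoring", Arrays.asList("customer-reader"));
    }

    private Subject subject;
    private CallbackHandler handler;
    private final Set<Principal> principals = new HashSet<Principal>();

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    // The user name is the CN of the certificate subject; no CN means failure, not "anonymous".
    static String commonNameOf(X500Principal dn) throws LoginException {
        try {
            for (Rdn rdn : new LdapName(dn.getName()).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) return rdn.getValue().toString();
            }
        } catch (InvalidNameException e) {
            throw new LoginException("Unparseable subject DN: " + dn.getName());
        }
        throw new FailedLoginException("Certificate subject has no CN: " + dn.getName());
    }

    // A CN with no role mapping is refused rather than logged in with an empty role set.
    static Set<Principal> principalsFor(String cn) throws LoginException {
        List<String> roles = ROLES.get(cn);
        if (roles == null) throw new FailedLoginException("No roles mapped for " + cn);
        Set<Principal> result = new HashSet<Principal>();
        result.add(new UserPrincipal(cn));
        for (String role : roles) result.add(new RolePrincipal(role));
        return result;
    }

    public boolean login() throws LoginException {
        CertificateCallback cb = new CertificateCallback();
        try {
            handler.handle(new Callback[] { cb });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("Callback handler cannot supply a certificate: " + e.getMessage());
        }
        X509Certificate cert = cb.getCertificate();
        if (cert == null) throw new FailedLoginException("No client certificate presented");
        // Chain and trust were verified by the TLS layer (or by WSS4J); only the validity period is re-checked.
        try {
            cert.checkValidity();
        } catch (CertificateException e) {
            throw new FailedLoginException("Certificate outside its validity period");
        }
        principals.addAll(principalsFor(commonNameOf(cert.getSubjectX500Principal())));
        return true;
    }

    public boolean commit() { subject.getPrincipals().addAll(principals); return !principals.isEmpty(); }
    public boolean abort() { principals.clear(); return true; }
    public boolean logout() { subject.getPrincipals().removeAll(principals); principals.clear(); return true; }

    // Stand-alone check of the DN-to-role mapping without a real certificate.
    public static void main(String[] args) throws LoginException {
        String cn = commonNameOf(new X500Principal("CN=billing-system, O=Example Corp, C=SE"));
        Subject s = new Subject();
        s.getPrincipals().addAll(principalsFor(cn));
        System.out.println(cn + " -> " + s.getPrincipals());
    }
}
```

Two points for anyone wiring this in: CXF's JAASLoginInterceptor hands the login context a name/password callback handler, so a certificate module behind it needs a callback handler of your own that carries the certificate from the TLS session or the WS-Security signature, which is where the "tweaking" mentioned later in this thread comes in; and the Karaf RolePrincipal class is used because CXF's default role classifier recognises principals whose class name starts with RolePrincipal. The module only re-checks the validity period and leaves chain validation to the TLS layer; a module that accepted a certificate no trust store had vetted would turn authorization into self-asserted identity.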
Message written by Christian Schneider <[email protected]> on
21 Feb 2013 at 01:13:
> I am currently trying to do a similar thing. I try to authenticate against a
> CXF Secure Token Service using a client cert. Currently CXF STS has some
> modules for authorization.
> To get this out of STS I try to switch the authorization to JAAS. The problem
> is that in JAAS you can not simply get the roles of a user. You only get the
> roles after you do a login.
>
> So what I am trying to do is use or create a CertificateLoginModule for JAAS
> that can work with either SSL client certs or ws-security cert + signature.
>
> Perhaps this can even be done in a simpler way. I wonder if I could simply
> create a LDAP Login Module that does no authentication and instead simply
> uses a fixed user to fetch the role infos from LDAP.
> In any case I will report my progress and it would be great if you could also
> write if you find something.
>
> Christian
>
>
> On 20.02.2013 19:17, Lars-Erik Helander wrote:
>> Thanks Achim,
>>
>> do you have any suggestions on where I can find documentation/examples that
>> could be of help to me, e.g. how to configure my web app to "force" login
>> via client certs?
>>
>> Thanks
>>
>> Lars
>>
>> Sent from my iPhone
>>
>> On 20 Feb 2013, at 17:41, Achim Nierbeck <[email protected]> wrote:
>>
>>> Hi Lars,
>>>
>>> I think it should be possible. At least right now I don't see anything
>>> objecting to this. As Pax Web already does work with certs, you have the
>>> credentials for it. Now you just need to make sure your configuration for
>>> the authorization is delegated to the underlying JAAS. This should be
>>> possible.
>>> It probably needs a bit of tweaking and researching since it's a
>>> not-out-of-the-box situation.
>>>
>>> Let us know if it worked out :)
>>>
>>> regards, Achim
>>>
>>>
>>> 2013/2/20 Lars-Erik Helander <[email protected]>
>>> Lukasz & Achim,
>>>
>>> Thanks for the feedback.
>>>
>>> No, I do not have a working stand alone jetty solution to "port".
>>>
>>> The solution works as follows today:
>>>
>>> The client, which is another system and not a human user, authenticates to
>>> the Karaf "server" using a client cert. No login takes place, so it's just a
>>> matter of transport level security. The receiving servlet makes an explicit
>>> call to an LDAP server to get the role(s) associated with the client. The
>>> LDAP search is based on the user principal established during the SSL
>>> session setup (principal info comes from the client certificate). I would
>>> like to move away from doing the LDAP call in my application (servlet) and
>>> instead make the LDAP interaction via JAAS. I guess I would need to do at
>>> least two things:
>>> 1) configure JAAS with an LDAP login module
>>> 2) force login to take place, probably by somehow configuring the specific
>>> URL as being protected and somehow configuring/coding that login using a client
>>> certificate shall take place
>>>
>>> Is this possible?
>>>
>>> Thanks
>>>
>>> /Lars
>>>
>>> Sent from my iPhone
>>>
>>> On 20 Feb 2013, at 15:17, Łukasz Dywicki <[email protected]> wrote:
>>>
>>>> I was thinking about something more complex [1] where principals may be
>>>> populated from peer certificate.
>>>>
>>>> [1]
>>>> https://github.com/jboss-switchyard/core/blob/master/security/base/src/main/java/org/switchyard/security/login/CertificateLoginModule.java
>>>>
>>>> Cheers,
>>>> Lukasz
>>>>
>>>> Message written by Achim Nierbeck <[email protected]> on
>>>> 20 Feb 2013 at 15:11:
>>>>
>>>>> Lukasz,
>>>>>
>>>>> Pax-Web should work with Certificates already, it just needs a proper
>>>>> combination of the authentication which should be done by Pax-Web and the
>>>>> authorization which should be done by the JAAS part of Karaf.
>>>>>
>>>>> regards, Achim
>>>>>
>>>>>
>>>>> 2013/2/20 Łukasz Dywicki <[email protected]>
>>>>> I think you may get this with chaining JAAS login modules in login
>>>>> context configuration, however we don't ship certificate login module yet.
>>>>>
>>>>> Which certificate login module do you use now?
>>>>>
>>>>> Lukasz
>>>>>
>>>>> Message written by Achim Nierbeck <[email protected]> on
>>>>> 20 Feb 2013 at 11:20:
>>>>>
>>>>>> Hi Lars,
>>>>>>
>>>>>> I'm sure it's possible. Do you have a working "simple" Application that
>>>>>> already works on a std. jetty?
>>>>>> If so, try to port those things needed to karaf.
>>>>>> Karaf supports JAAS so if you are able to get your JAAS configuration
>>>>>> working I'm sure it's an easy move over.
>>>>>>
>>>>>> To my understanding the user attached to the certificate needs to be
>>>>>> known in the JAAS part.
>>>>>> Since the authentication is done via certificate the JAAS part is only
>>>>>> needed for the authorization.
>>>>>>
>>>>>> Regards, Achim
>>>>>>
>>>>>>
>>>>>> 2013/2/19 helander <[email protected]>
>>>>>> Hi,
>>>>>> I am connecting to a web application in Karaf using https and a client
>>>>>> certificate and it works fine.
>>>>>> Now I want to associate the authenticated client with a set of roles
>>>>>> defined
>>>>>> in a JAAS login module, e.g. in user.properties or via LDAP. Is this
>>>>>> possible? How to set it up? What "user" name could be used, e.g. what
>>>>>> part
>>>>>> of the client certificate would the user identity be selected from?
>>>>>>
>>>>>> Any help is highly appreciated.
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> Lars
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> View this message in context:
>>>>>> http://karaf.922171.n3.nabble.com/Https-2-way-authentication-and-JAAS-tp4027804.html
>>>>>> Sent from the Karaf - User mailing list archive at Nabble.com.
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>>
>>>>>> Apache Karaf <http://karaf.apache.org/> Committer & PMC
>>>>>> OPS4J Pax Web <http://wiki.ops4j.org/display/paxweb/Pax+Web/> Committer
>>>>>> & Project Lead
>>>>>> OPS4J Pax for Vaadin <http://team.ops4j.org/wiki/display/PAXVAADIN/Home>
>>>>>> Committer & Project Lead
>>>>>> blog <http://notizblog.nierbeck.de/>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>
>>>
>>>
>
>
> --
>
> Christian Schneider
> http://www.liquid-reality.de
>
> Open Source Architect
> Talend Application Integration Division http://www.talend.com