Hi Kynan


Hi Sergey,

Yes thanks. As I thought, I'd already written the filter to use the
HttpHeaders directly but was wondering if there was another preferred/better
way.

I've looked at the AbstractHttpDestination class; an inbound message should have
AuthorizationPolicy available when basic authentication is used:

message.get(AuthorizationPolicy.class)

It should make it simpler to get to the user name/password if needed.



For note: there's a bug in HttpHeadersImpl which cannot handle a header
which is a non-empty collection populated with a single null item - in
HttpHeadersImpl:

thanks for reporting it, fixed now on the trunk

cheers, Sergey


private List<String> getListValues(String headerName) {
    List<String> values = headers.get(headerName);
    if (values == null || values.isEmpty()) {
        return Collections.emptyList();
    }
    if (HttpUtils.isDateRelatedHeader(headerName)) {
        return values;
    }
    String[] ls = values.get(0).split(",");
    if (ls.length == 1) {
        return Collections.singletonList(ls[0].trim());
    } else {
        List<String> newValues = new ArrayList<String>();
        for (String v : ls) {
            newValues.add(v.trim());
        }
        return newValues;
    }
}

Should be :

private List<String> getListValues(String headerName) {
    List<String> values = headers.get(headerName);
    // add check here if first value in collection is null
    if (values == null || values.isEmpty() || values.get(0) == null) {
        return Collections.emptyList();
    }
    if (HttpUtils.isDateRelatedHeader(headerName)) {
        return values;
    }

    String[] ls = values.get(0).split(",");
    if (ls.length == 1) {
        return Collections.singletonList(ls[0].trim());
    } else {
        List<String> newValues = new ArrayList<String>();
        for (String v : ls) {
            newValues.add(v.trim());
        }
        return newValues;
    }
}


Otherwise the values.get(0).split will throw an NPE.

Regards,
Kynan


Sergey Beryozkin-2 wrote:

Hi Kynan

here's a sample CustomInvoker :

http://svn.apache.org/repos/asf/cxf/trunk/systests/src/test/java/org/apache/cxf/systest/jaxrs/CustomJAXRSInvoker.java

At the moment filters/invokers can not get contexts like SecurityContext
injected so it has to be created manually.
Or you can just get m.get(org.apache.cxf.security.SecurityContext.class)
from the message and get Principal from there.

Or would you like to work directly with HTTP headers? They're available
on the message too; you can also do HttpHeaders headers = new HttpHeadersImpl(m)
and use HttpHeaders...

Let me know please if you need more info

cheers, Sergey
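
A worked example of the two points in this exchange: reading Basic auth
credentials directly from the HTTP headers, as Sergey suggests, and tolerating
a header list whose first item is null, the HttpHeadersImpl case reported
above. This is added here and is not CXF code nor code from either poster: the
header map stands in for the message's protocol headers, the user store is a
constructed sample, and it needs Java 8 for java.util.Base64.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/**
 * Hypothetical Basic-auth check built directly on the inbound protocol
 * headers (not CXF's HttpHeadersImpl or RequestHandler). The header map
 * is an assumption standing in for Message.PROTOCOL_HEADERS.
 */
public class BasicAuthHeaderCheck {

    /** Result of a check: principal is null when the request must be rejected. */
    public static final class Outcome {
        public final String principal;   // authenticated user, or null
        public final int status;         // 200 to proceed, 401 to reject
        public final String challenge;   // WWW-Authenticate value on 401

        Outcome(String principal, int status, String challenge) {
            this.principal = principal;
            this.status = status;
            this.challenge = challenge;
        }
    }

    // Constructed sample store, user name -> password. A real deployment
    // would verify against a password hash, not a plain-text value.
    private final Map<String, String> users;

    public BasicAuthHeaderCheck(Map<String, String> users) {
        this.users = users;
    }

    // Null-safe first-value lookup: a header whose list is null, empty, or
    // holds a single null item (the bug reported in this thread) is treated
    // as absent instead of being dereferenced.
    static String firstValue(Map<String, List<String>> headers, String name) {
        for (Map.Entry<String, List<String>> e : headers.entrySet()) {
            if (e.getKey() != null && e.getKey().equalsIgnoreCase(name)) {
                List<String> values = e.getValue();
                if (values == null || values.isEmpty() || values.get(0) == null) {
                    return null;
                }
                return values.get(0).trim();
            }
        }
        return null;
    }

    /** Decodes "Basic base64(user:password)"; returns null for anything malformed. */
    static String[] decodeBasic(String authorization) {
        if (authorization == null) {
            return null;
        }
        String[] parts = authorization.split("\\s+", 2);
        if (parts.length != 2 || !parts[0].equalsIgnoreCase("Basic")) {
            return null;
        }
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(parts[1]);
        } catch (IllegalArgumentException badBase64) {
            return null;
        }
        String pair = new String(raw, StandardCharsets.UTF_8);
        int colon = pair.indexOf(':');   // the password itself may contain ':'
        if (colon < 1) {                 // no separator or empty user name
            return null;
        }
        return new String[] { pair.substring(0, colon), pair.substring(colon + 1) };
    }

    /** Same decision a request handler would make before dispatching to the resource. */
    public Outcome check(Map<String, List<String>> headers) {
        String[] cred = decodeBasic(firstValue(headers, "Authorization"));
        if (cred != null) {
            String expected = users.get(cred[0]);
            // constant-time comparison so a mismatch does not leak how far it matched
            if (expected != null && MessageDigest.isEqual(
                    expected.getBytes(StandardCharsets.UTF_8),
                    cred[1].getBytes(StandardCharsets.UTF_8))) {
                return new Outcome(cred[0], 200, null);
            }
        }
        return new Outcome(null, 401, "Basic realm=\"cxf-sample\"");
    }

    static Map<String, List<String>> headersWith(String authorization) {
        Map<String, List<String>> h = new HashMap<String, List<String>>();
        h.put("Authorization", Arrays.asList(authorization));   // single-item list
        return h;
    }

    static void report(BasicAuthHeaderCheck filter, String label, Map<String, List<String>> headers) {
        Outcome o = filter.check(headers);
        System.out.println(label + " -> status " + o.status
            + (o.principal != null ? ", principal " + o.principal : ", challenge " + o.challenge));
    }

    public static void main(String[] args) {
        Map<String, String> users = new HashMap<String, String>();
        users.put("kynan", "s3cret");                       // constructed sample user
        BasicAuthHeaderCheck filter = new BasicAuthHeaderCheck(users);

        String good = "Basic " + Base64.getEncoder().encodeToString(
            "kynan:s3cret".getBytes(StandardCharsets.UTF_8));
        String bad = "Basic " + Base64.getEncoder().encodeToString(
            "kynan:wrong".getBytes(StandardCharsets.UTF_8));

        report(filter, "valid credentials", headersWith(good));
        report(filter, "wrong password", headersWith(bad));
        report(filter, "non-Basic scheme", headersWith("Bearer abc"));
        report(filter, "garbage base64", headersWith("Basic @@@"));
        report(filter, "list with a single null item", headersWith((String) null));
        report(filter, "no Authorization header", new HashMap<String, List<String>>());
    }
}
```

Everything except the first case ends in a 401 with a challenge; the
single-null-item case in particular is answered with 401 rather than an NPE
because firstValue treats it as a missing header.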

----- Original Message ----- From: "Kynan Fraser" <[email protected]>
To: <[email protected]>
Sent: Thursday, July 02, 2009 9:44 AM
Subject: Re: Security in Jaxws/Jaxrs



Hi Sergey,

As a follow up to this, I'm trying to implement a basic http filter using a
request handler. Is there a way to obtain the http auth info? I can't find
it on any of the contexts or message.

Is there an example of a basic auth client and a request handler or custom
invoker handling the authentication?

Thanks,
Kynan


Sergey Beryozkin wrote:

Hi Vishal

I'm very sorry for a late reply - I was planning to reply much earlier but
then I got swamped with some work and forgot.

There're a number of options, depending on your preferences

1. Do it in the application code, in the resource class. This may or
may not be the best option. Typically this is something users prefer to do
outside of the application code. But then you may want to look at the
resource class which checks the injected SecurityContexts as the facade or
as an interceptor really which delegates to the actual application class,
which may make this option more viable.

So in this case you have to have
@Resource WebServiceContext jaxwsContext;
@Context SecurityContext jaxrsSecurityContext;

declared in your code. Next, you need to figure out whether it's a JAXWS
or JAXRS invocation in progress, so you can do it like this:

// not sure at the moment how exactly to get security context from jaxws one
if (jaxwsContext.getSecurityContext() == null) {
    checkPrincipal(jaxrsSecurityContext.getPrincipal());
} else {
    checkPrincipal(jaxwsContext.getSecurityContext().getPrincipal());
}

2. Use Spring security - we have some simple tests showing how
authentication and authorization can be done

3. For JAXRS : Use CXF JAX-RS RequestFilter or custom invoker (which
simply extends JAXRSInvoker and is registered as an invoker property)
where you can get all the info you need (method name, Principal, etc)
   For JAXWS : do a custom CXF in Interceptor which will throw Fault if
needed.

Perhaps there're more options... Let me know please if you need more info
on any of these options.

Cheers, Sergey


Vishal.a wrote:

Hello All,

I have services written that have both JaxRs and Jaxws. I have to
implement security on the services now. There are 2 things I need to do:

1. Authentication - Using Basic Http Authentication
2. Authorization - Secure each and every method.

I have seen posts that show me how to do it for either JaxRS or Jaxws; can
someone tell me what would be the best way to approach doing it
for both REST and SOAP.

Any help is appreciated.

Thanks,
Vishal




--
View this message in context:
http://www.nabble.com/Security-in-Jaxws-Jaxrs-tp23266441p24303305.html
Sent from the cxf-user mailing list archive at Nabble.com.




--
View this message in context: 
http://www.nabble.com/Security-in-Jaxws-Jaxrs-tp23266441p24315708.html
Sent from the cxf-user mailing list archive at Nabble.com.
