Eamonn,

Thank you for this information, I tried what you suggested and got what I need working, thanks again.

--Steve

Stephen Langella
Co-Director
Software Research Institute
Center for IT Innovations in Healthcare
Ohio State University

Senior Researcher
Department of Biomedical Informatics
Ohio State University

Office: (614) 293-9534
Lab: (614) 292-8420
stephen.lange...@osumc.edu

> From: Eamonn Dwyer <eamdwyer...@hotmail.com>
> Reply-To: <users@cxf.apache.org>
> Date: Thu, 20 Aug 2009 14:37:45 +0100
> To: <users@cxf.apache.org>
> Subject: RE: Determining Caller's Identity
>
> Hi Dan and Dan
> I think the attribute names may be slightly different to the ones mentioned
> below - looking at the code in SSLUtils.java propagateSecureSession they seem
> to be
> "javax.servlet.request.cipher_suite" and
> "javax.servlet.request.X509Certificate".
>
> or if you feel like going the interceptor route the code would look something
> like (though you will need to add code to distinguish between the client's own
> certificate and the client's own certificate's CA chain)
>
> ....
>
> import java.security.cert.Certificate;
> import java.security.cert.X509Certificate;
> import org.apache.cxf.interceptor.Fault;
> import org.apache.cxf.message.Message;
> import org.apache.cxf.phase.AbstractPhaseInterceptor;
> import org.apache.cxf.phase.Phase;
> import org.apache.cxf.security.transport.TLSSessionInfo;
>
> public class TestInterceptor extends AbstractPhaseInterceptor<Message> {
>
>     public TestInterceptor() {
>         super(Phase.RECEIVE);
>     }
>
>     public void handleMessage(Message message) throws Fault {
>         // TODO Auto-generated method stub
>         // TLS session details attached to the incoming message
>         TLSSessionInfo tlsSessionInfo =
>             (TLSSessionInfo)message.get(TLSSessionInfo.class);
>         Certificate[] peerCerts = tlsSessionInfo.getPeerCertificates();
>         // Print the subject DN of every certificate in the peer chain
>         for (int i = 0; i < peerCerts.length; i++) {
>             X509Certificate x509certificate = (X509Certificate)peerCerts[i];
>             System.out.println("x509certificate " +
>                 x509certificate.getSubjectDN());
>         }
>     }
>
> }
>
> the output would look like
> x509certificate CN=bob, OU=eng, O=mycompany.com
> x509certificate CN=trent, OU=eng, O=mycompany.com
>
> Regs
> Eamonn
>
>> From: dk...@apache.org
>> To: users@cxf.apache.org
>> Subject: Re: Determining Caller's Identity
>> Date: Wed, 19 Aug 2009 13:53:49 -0400
>> CC: stephen.lange...@osumc.edu
>>
>> On Wed August 19 2009 1:20:25 pm Stephen Langella wrote:
>>> Josef,
>>>
>>> I tried what you suggested but context.getUserPrincipal() returned
>>> null. Keep in mind I am using X.509 client certificates to authenticate
>>> with the server, I am trying to get the subject DN from the client's
>>> certificate as opposed to a basic authentication user id. Is this
>>> supported or am I doing something wrong? In Googling around I found a
>>> JIRA issue related to this and it is not clear whether or not what I am
>>> trying to do is supported:
>>>
>>> https://issues.apache.org/jira/browse/CXF-1680
>>
>> That had to do with X509 things within a WS-Security secured message, not
>> really using certs for SSL/https. For https, what you probably need to do
>> is
>> pull the HttpServletRequest out of the context
>> (context.get(MessageContext.SERVLET_REQUEST)) and then use the
>> HttpServletRequest.getAttribute(...) call to retrieve the various HTTPS
>> attributes. "javax.net.ssl.peer_certificates" and
>> "javax.net.ssl.cipher_suite" and such.
>>
>> Dan
>>
>>>
>>> I would appreciate if someone would comment, thanks in advance.
>>>
>>> --Steve
>>>
>>> Stephen Langella
>>> Co-Director
>>> Software Research Institute
>>> Center for IT Innovations in Healthcare
>>> Ohio State University
>>>
>>> Senior Researcher
>>> Department of Biomedical Informatics
>>> Ohio State University
>>>
>>> Office: (614) 293-9534
>>> Lab: (614) 292-8420
>>> stephen.lange...@osumc.edu
>>>
>>>> From: Josef Bajada <josef.baj...@go.com.mt>
>>>> Reply-To: <users@cxf.apache.org>
>>>> Date: Wed, 19 Aug 2009 15:03:05 +0200
>>>> To: <users@cxf.apache.org>
>>>> Subject: RE: Determining Caller's Identity
>>>>
>>>> If you use the servlet container's authentication and transport security
>>>> methods (through WEB-INF/web.xml) to force authentication (such as HTTP
>>>> BASIC Auth over HTTPS), you can simply put the following line in your
>>>> service implementation class.
>>>>
>>>> /**
>>>>  * The web-service context will be automatically injected by the
>>>>  * JAX-WS Container.
>>>>  */
>>>> @Resource
>>>> private WebServiceContext context;
>>>>
>>>> //in your methods where you need to check the caller:
>>>> if (context.getUserPrincipal() != null)
>>>> {
>>>>     log.info(context.getUserPrincipal().getName() + ":: just called our methods");
>>>> }
>>>>
>>>> Regards,
>>>> Josef
>>>>
>>>> -----Original Message-----
>>>> From: Eamonn Dwyer [mailto:eamdwyer...@hotmail.com]
>>>> Sent: 19 August 2009 12:57
>>>> To: users@cxf.apache.org
>>>> Subject: RE: Determining Caller's Identity
>>>>
>>>> Hi Stephen
>>>> Not quite what you want but maybe you could do something like this
>>>> inside an interceptor rather than inside your service.
>>>>
>>>> TLSSessionInfo tlsSessionInfo = message.get(TLSSessionInfo.class);
>>>> Certificate[] peerCerts = tlsSessionInfo.getPeerCertificates();
>>>> ... check the peer certificates and authorize based on this
>>>>
>>>> Regards
>>>> Eamonn
>>>>
>>>>> From: stephen.lange...@inventrio.com
>>>>> To: users@cxf.apache.org
>>>>> Subject: Determining Caller's Identity
>>>>> Date: Tue, 18 Aug 2009 14:37:12 -0400
>>>>>
>>>>> I have written an Apache CXF Web Service (WSDL First), inside the
>>>>> service I want to enforce authorization based on the identity of the
>>>>> client that called the service. I wanted to know if there was an API
>>>>> call I can make from the service implementation to obtain the client
>>>>> identity. For example if the client authenticates over HTTPS with a
>>>>> client certificate.
>>>>>
>>>>> --Steve
>>>>>
>>>>> Stephen Langella
>>>>> Co-Founder
>>>>> Inventrio, LLC
>>>>> www.inventrio.com
>>>>>
>>>>> stephen.lange...@inventrio.com
>>
>> --
>> Daniel Kulp
>> dk...@apache.org
>> http://www.dankulp.com/blog
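
Added example, not part of the thread and not CXF's own code: one way to handle the point raised above about telling the client's own certificate apart from its CA chain, relying on the servlet/JSSE convention that the peer's own certificate comes first in the array. The class name `ClientCertAuthzInterceptor`, the `CALLER_DN` property key and the allow-list are assumptions made for illustration.

```java
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Set;
import javax.security.auth.x500.X500Principal;

import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.security.transport.TLSSessionInfo;

// Hypothetical class: authorizes callers by the subject of their TLS client certificate.
public class ClientCertAuthzInterceptor extends AbstractPhaseInterceptor<Message> {

    // Hypothetical message property under which the caller's DN is stored.
    public static final String CALLER_DN = "example.caller.subject";

    // Subjects allowed to call the service (supplied by the deployer).
    private final Set<X500Principal> allowed;

    public ClientCertAuthzInterceptor(Set<X500Principal> allowed) {
        super(Phase.RECEIVE);
        this.allowed = allowed;
    }

    @Override
    public void handleMessage(Message message) throws Fault {
        TLSSessionInfo tls = message.get(TLSSessionInfo.class);
        // tls == null: the request did not arrive over TLS.
        // Empty or missing chain: the client sent no certificate.
        Certificate[] chain = (tls == null) ? null : tls.getPeerCertificates();
        if (chain == null || chain.length == 0
                || !(chain[0] instanceof X509Certificate)) {
            throw new Fault(new SecurityException("No X.509 client certificate presented"));
        }
        // chain[0] is the client's own certificate; chain[1..] are its issuing CAs
        // and must never be used as the caller's identity.
        X500Principal subject = ((X509Certificate) chain[0]).getSubjectX500Principal();
        // X500Principal.equals() compares canonical forms, so "CN=bob, OU=eng" and
        // "cn=bob,ou=eng" match; comparing raw DN strings would not.
        if (!allowed.contains(subject)) {
            throw new Fault(new SecurityException("Caller not authorized: " + subject.getName()));
        }
        message.put(CALLER_DN, subject.getName());
    }
}
```

The interceptor only makes the authorization decision; it assumes the endpoint is configured to request client certificates, so that the chain it sees has already been validated against the server's trust store during the TLS handshake.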