John, Some time ago I started to develop a set of components (interceptors, callback handlers and features) to simplify integration between CXF and Spring Security. I've extended this a bit and wrote some documentation. The code is available as a Google Code project [1]. If you go for the two-headers approach, then your use case can be implemented with the existing components. Please refer to [2] for the documentation.
Andreas PS: The intention is still to make this code part of the CXF distribution. Several people were interested in this, but until now I was unable to recruit anybody to test, review and/or complete the code. [1] http://code.google.com/p/cxf-spring-security/ [2] http://code.google.com/p/cxf-spring-security/wiki/Documentation On Mon, Feb 1, 2010 at 22:55, johnpfeifer4 <[email protected]> wrote: > > I've done some digging... I'm going to need the username and password to > validate against our spring security authentication provider. > > I'm thinking that I could configure the interceptor to look for user/pass in > JMS Headers or in a single header (in the case of Basic Auth). I'll have to > dig around a bit more and let you know what I find. > > Thanks, > > John > > Andreas Veithen-2 wrote: >> >> Isn't the JMSXUserID set to the user who connected to the broker? >> Since John's use case is a HTTP->JMS bridge with HTTP Basic Auth, I >> would be surprised that the connection to the broker is opened using >> the credentials of the user who submitted the HTTP request. >> >> Andreas >> >> On Mon, Feb 1, 2010 at 21:16, Daniel Kulp <[email protected]> wrote: >>> >>> Christian recently did some updates to the JMS transport to pull the >>> JMSXUserID from the JMS Message and stick that into our SecurityContext. >>> You >>> would probably need an interceptor that would then take that and feed >>> that >>> into the Spring security context. If you do develop some >>> interceptors for >>> this, we'd love to have them. :-) >>> >>> Dan >>> >>> >>> >>> >>> On Mon February 1 2010 1:51:44 pm johnpfeifer4 wrote: >>>> I was wondering if anyone has an example of implement spring security >>>> with >>>> a CXF JMS Endpoint. We currently secure all of our endpoints with the >>>> <security:http> element, limiting access to certain endpoints to a >>>> particular role(s). >>>> >>>> Now we have a requirement to enforce security for JMS endpoints. It >>>> seems >>>> that the listener that picks it off the JMS queue would have to know >>>> where >>>> to find the credentials on the message. Perhaps we need to write our >>>> own >>>> interceptors to do this? >>>> >>>> I figured I would post here before I start my own investigation. Any >>>> help >>>> would be greatly appreciated. >>>> >>>> Thanks, >>>> >>>> John >>>> >>> >>> -- >>> Daniel Kulp >>> [email protected] >>> http://www.dankulp.com/blog >>> >> >> > > -- > View this message in context: > http://old.nabble.com/Spring-Security-with-CXF-JMS-Endpoint-tp27409262p27412082.html > Sent from the cxf-user mailing list archive at Nabble.com. > >
