Hi Sergey,

Sorry for the delay.

First, I would like to tell you that my work on
BasicAuthAuthorizationInterceptor is just a POC, and I have tried to manage
security with Basic AuthAuthorization + use roles of users by creating a
SecurityContext.
Here is the process of BasicAuthAuthorizationInterceptor (which looks like
JAASLoginInterceptor):

1) Check if there is an AuthorizationPolicy in the message. If
AuthorizationPolicy is null it throws "HTTP Status-Code 401: Unauthorized".

2) Check user+password. This feature is delegated to an implementation of
BasicAuthAuthorizationContext (like SimpleBasicAuthAuthorizationContext
which manages user+password with a Map).

In my case I have implemented BasicAuthAuthorizationContext with my Security
Manager.

3) If user+password is bad it throws "HTTP Status-Code 401: Unauthorized."

4) Otherwise create a SecurityContext and store it in the message (like
JAASLoginInterceptor) ONLY if
BasicAuthAuthorizationContext#getUserRolesContext() is not null. In my case
I don't use this feature but I have tried to implement it to have the same
thing as JAASLoginInterceptor. I think that SecurityContext will not be
used well with Basic Authentication: having security for methods of
services is not used very much, I think.
Hope you will understand my explanation.

Regards Angelo
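
The four steps described above, as an added plain-JDK example that is not part of the original message and is not CXF code. It works on the raw Authorization header instead of CXF's AuthorizationPolicy, compares passwords in constant time, and the names BasicAuthFlowExample, Decision and check() are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;
// Added illustration (plain JDK, not CXF code): the four steps as one decision function.
public class BasicAuthFlowExample {
    // Hypothetical result: HTTP status, challenge header, roles (null = no SecurityContext stored).
    record Decision(int status, String wwwAuthenticate, Set<String> roles) {}

    static Decision check(String header, String realm,
                          Map<String, String> users, Map<String, String> userRoles) {
        // As discussed in the thread, the realm parameter is sent only when a realm is configured.
        Decision denied = new Decision(401, realm == null ? null : "Basic realm=\"" + realm + "\"", null);
        // Step 1: no Basic credentials on the request -> 401.
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return denied;
        String decoded;
        try {
            byte[] raw = Base64.getDecoder().decode(header.substring(6).trim());
            decoded = new String(raw, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return denied; // malformed base64 is treated like missing credentials
        }
        int colon = decoded.indexOf(':'); // split on the first ':' so passwords may contain one
        if (colon < 0) return denied;
        String user = decoded.substring(0, colon);
        byte[] given = decoded.substring(colon + 1).getBytes(StandardCharsets.UTF_8);
        // Steps 2-3: verify the password with a constant-time comparison; mismatch -> 401.
        String expected = users.get(user);
        if (expected == null || !MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8), given)) {
            return denied;
        }
        // Step 4: roles are attached only when a roles map is configured.
        if (userRoles == null) return new Decision(200, null, null);
        String spec = userRoles.getOrDefault(user, "").trim();
        Set<String> roles = spec.isEmpty() ? Set.of()
                : new LinkedHashSet<>(Arrays.asList(spec.split("\\s+")));
        return new Decision(200, null, roles);
    }
    public static void main(String[] args) {
        // Constructed sample data, reusing the user, password, realm and roles from the quoted Spring config.
        Map<String, String> users = Map.of("ffang", "pswd");
        Map<String, String> roles = Map.of("ffang", "ROLE1 ROLE2");
        String good = "Basic " + Base64.getEncoder().encodeToString("ffang:pswd".getBytes(StandardCharsets.UTF_8));
        String bad = "Basic " + Base64.getEncoder().encodeToString("ffang:wrong".getBytes(StandardCharsets.UTF_8));
        System.out.println(check(null, "MyRealm", users, null));
        System.out.println(check(bad, "MyRealm", users, roles));
        System.out.println(check(good, "MyRealm", users, null));
        System.out.println(check(good, "MyRealm", users, roles));
    }
}
```
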

2011/6/14 Sergey Beryozkin <[email protected]>

> I can actually see the source (thanks to Christian for pointing me to
> it :-)) but I'd like to understand what are you trying to do besides
> enforcing that BasicAuth is there. I thought you needed to get
> username & password and get the custom authentication done by
> interacting somehow with your custom SecurityManager, right ?  I'm not
> sure we can generalize that process in CXF itself, the process of
> communicating with the custom SecurityManager - JAAS or/and Spring is
> there for that.
> > Can you explain please what BasicAuthAuthorizationInterceptor actually does ?
>
> That is why I asked this question :-)
>
> thanks, Sergey
>
> On Tue, Jun 14, 2011 at 4:50 PM, Sergey Beryozkin <[email protected]> wrote:
> > Hi
> > Can you explain please what BasicAuthAuthorizationInterceptor actually does ?
> >
> > We really need source of that interceptor, ideally attached as a patch to JIRA
> > thanks, Sergey
> >
> > On Tue, Jun 14, 2011 at 4:23 PM, Angelo zerr <[email protected]> wrote:
> >> Hi Sergey,
> >>
> >> I have attached a zip with my work. It's a WTP Eclipse project where you can
> >> find BasicAuthAuthorizationInterceptor in the
> >> org.apache.cxf.interceptor.security.basic package.
> >> There is a sample with Basic authentication authorization with NO roles:
> >>
> >> ---------------------------------------------------------
> >>     <!-- WebServices with Basic Authentication Authorization -->
> >>     <jaxws:endpoint xmlns:tns="http://server.sample/" id="helloworld"
> >>         implementor="sample.server.HelloWorld"
> >>         wsdlLocation="wsdl/helloworld.wsdl"
> >>         endpointName="tns:HelloWorldPort"
> >>         serviceName="tns:HelloWorldService"
> >>         address="/HelloWorldPort">
> >>         <jaxws:features>
> >>             <bean class="org.apache.cxf.feature.LoggingFeature" />
> >>         </jaxws:features>
> >>         <jaxws:inInterceptors>
> >>             <ref bean="basicAuthAuthorization1" />
> >>         </jaxws:inInterceptors>
> >>     </jaxws:endpoint>
> >>
> >>     <bean id="basicAuthAuthorization1"
> >>         class="org.apache.cxf.interceptor.security.basic.BasicAuthAuthorizationInterceptor">
> >>         <property name="realmName" value="MyRealm" />
> >>         <property name="authorizationContext">
> >>             <bean
> >>                 class="org.apache.cxf.interceptor.security.basic.SimpleBasicAuthAuthorizationContext">
> >>                 <property name="usersMap">
> >>                     <map>
> >>                         <entry key="ffang" value="pswd" />
> >>                     </map>
> >>                 </property>
> >>             </bean>
> >>         </property>
> >>     </bean>
> >> ----------------------------------------------------------
> >>
> >> And a sample with Basic authentication authorization with roles:
> >>
> >> ----------------------------------------------------------
> >>
> >>     <!-- WebServices with Basic Authentication Authorization + Roles -->
> >>     <jaxws:endpoint xmlns:tns="http://server.sample/" id="helloworld2"
> >>         implementor="sample.server.HelloWorld"
> >>         wsdlLocation="wsdl/helloworld.wsdl"
> >>         endpointName="tns:HelloWorldPort"
> >>         serviceName="tns:HelloWorldService"
> >>         address="/HelloWorldPort2">
> >>         <jaxws:features>
> >>             <bean class="org.apache.cxf.feature.LoggingFeature" />
> >>         </jaxws:features>
> >>         <jaxws:inInterceptors>
> >>             <ref bean="basicAuthAuthorization2" />
> >>             <ref bean="authorizationInterceptor" />
> >>         </jaxws:inInterceptors>
> >>     </jaxws:endpoint>
> >>
> >>     <bean id="basicAuthAuthorization2"
> >>         class="org.apache.cxf.interceptor.security.basic.BasicAuthAuthorizationInterceptor">
> >>         <property name="realmName" value="MyRealm" />
> >>         <property name="authorizationContext">
> >>             <bean
> >>                 class="org.apache.cxf.interceptor.security.basic.SimpleBasicAuthAuthorizationContext">
> >>                 <property name="usersMap">
> >>                     <map>
> >>                         <entry key="ffang" value="pswd" />
> >>                     </map>
> >>                 </property>
> >>                 <property name="userRolesContext">
> >>                     <bean
> >>                         class="org.apache.cxf.interceptor.security.basic.SimpleUserRolesContext">
> >>                         <property name="userRolesMap">
> >>                             <map>
> >>                                 <entry key="ffang" value="ROLE1 ROLE2" />
> >>                             </map>
> >>                         </property>
> >>                     </bean>
> >>                 </property>
> >>             </bean>
> >>         </property>
> >>     </bean>
> >>
> >>     <bean id="authorizationInterceptor"
> >>         class="org.apache.cxf.interceptor.security.SimpleAuthorizingInterceptor">
> >>         <property name="methodRolesMap">
> >>             <map>
> >>                 <entry key="hello" value="ROLE1" />
> >>             </map>
> >>         </property>
> >>     </bean>
> >> ----------------------------------------------------------
> >>
> >> If you start your server at localhost 8080 you can launch the client:
> >>
> >> * HelloWorld_PortTypeClient which calls the first service (with no roles).
> >> * HelloWorld_PortTypeClient2 which calls the second service (with roles).
> >>
> >> Everything works with interfaces and I have implemented them with Simple* classes
> >> which work with Map but you can implement them by other means if you wish.
> >>
> >> Hope you will like it.
> >>
> >> Regards Angelo
> >> 2011/6/14 Sergey Beryozkin <[email protected]>
> >>>
> >>> >
> >>> > No problem:) Ok I have implemented this feature. Now I wonder if
> >>> > SecurityContext should be implemented (if Principal is null) for Basic
> >>> > Interceptor like JAASLoginInterceptor which puts a SecurityContext. The only
> >>> > question is how to set roles? But if we do that we could use
> >>> > afterSimpleAuthorizingInterceptor
> >>>
> >>> You can use org.apache.cxf.common.security.SimplePrincipal just to
> >>> wrap up a principal name.
> >>> DefaultSecurityContext (roles represented as Groups,
> >>> org.apache.cxf.common.security.SimpleGroup helper is there) and
> >>> RolePrefixSecurityContextImls (role names start with some prefix like
> >>> ROLE_) can be used to provide a SecurityContext on a current message.
> >>> They all expect a Subject instance which you can easily create with
> >>> the help of SimplePrincipal (and SimpleGroup if needed)
> >>>
> >>> Cheers, Sergey
> >>>
> >>>
> >>> >
> >>> > Regards Angelo
> >>> >
> >>> >
> >>> >> On Tue, Jun 14, 2011 at 10:54 AM, Angelo zerr <[email protected]> wrote:
> >>> >> > Ok, I believe I understand your idea about realm. I have added a setter in my
> >>> >> > Interceptor:
> >>> >> >
> >>> >> > AbstractBasicAuthAuthorizationInterceptor#setRealName(String realName) which
> >>> >> > computes WWW-Authenticate.
> >>> >> > Ex: AbstractBasicAuthAuthorizationInterceptor#setRealName("MyRealm") will
> >>> >> > return
> >>> >> >
> >>> >> > WWW-Authenticate: Basic realm="MyRealm"
> >>> >> >
> >>> >> > If no realm is defined, WWW-Authenticate is not returned. Is that your idea?
> >>> >> > WWW-Authenticate is not required? Do you think we should set a default value
> >>> >> > for Realm?
> >>> >> >
> >>> >> > Regards Angelo
> >>> >> >
> >>> >> > 2011/6/14 Angelo zerr <[email protected]>
> >>> >> >
> >>> >> >> Hi Sergey,
> >>> >> >>
> >>> >> >> 2011/6/14 Sergey Beryozkin <[email protected]>
> >>> >> >>
> >>> >> >>> Hi
> >>> >> >>>
> >>> >> >>> That interceptor should be more neutral, should not extend a SOAP
> >>> >> >>> interceptor.
> >>> >> >>>
> >>> >> >>
> >>> >> >> Ok, I have done like JAASLoginInterceptor (extends
> >>> >> >> AbstractPhaseInterceptor<Message> + constructor initialized with
> >>> >> >> super(Phase.UNMARSHAL);) and it works.
> >>> >> >>
> >>> >> >>
> >>> >> >>> The other thing you may want to do is to configure it with a realm
> >>> >> >>> name and if it's not set then
> >>> >> >>> do not add a realm parameter to the response.
> >>> >> >>>
> >>> >> >>
> >>> >> >> Could you explain your idea to me in more detail, please?
> >>> >> >>
> >>> >> >>
> >>> >> >>>
> >>> >> >>> FYI, CXF ships JAASLoginInterceptor - which will check if Basic (or
> >>> >> >>> other similar HTTP Authorization type) was set
> >>> >> >>> and then will delegate to JAAS to do the actual authentication:
> >>> >> >>> http://cxf.apache.org/docs/security.html#Security-Authentication
> >>> >> >>>
> >>> >> >>> I propose that you create a patch in rt/core,
> >>> >> >>> org.apache.cxf.interceptor.security package, that will make it easier
> >>> >> >>> for me to move the relevant code to a rt/security module
> >>> >> >>>
> >>> >> >>
> >>> >> >> My first idea is to create a WTP sample application with my code (I have
> >>> >> >> created org.apache.cxf.interceptor.security.basic package) and send you
> >>> >> >> a sample which works.
> >>> >> >> After that I could create a patch if you need.
> >>> >> >>
> >>> >> >> Regards Angelo
> >>> >> >>
> >>> >> >>>
> >>> >> >>> Thanks, Sergey
> >>> >> >>>
> >>> >> >>> On Tue, Jun 14, 2011 at 7:38 AM, Angelo zerr <[email protected]> wrote:
> >>> >> >>> > Hi Freeman,
> >>> >> >>> >
> >>> >> >>> > Thanks a lot for your answer. I will prepare a contribution and send it to you.
> >>> >> >>> >
> >>> >> >>> > Regards Angelo
> >>> >> >>> >
> >>> >> >>> > 2011/6/14 Freeman Fang <[email protected]>
> >>> >> >>> >
> >>> >> >>> >> Hi,
> >>> >> >>> >>
> >>> >> >>> >> Sure, any contribution is welcome.
> >>> >> >>> >>
> >>> >> >>> >> And in CXF we also can use jetty security handler to enable basic auth
> >>> >> >>> >> which can configure the realm easily, we have a system testcase for it[1],
> >>> >> >>> >> you may wanna take a look.
> >>> >> >>> >>
> >>> >> >>> >> [1] https://svn.apache.org/repos/asf/cxf/trunk/systests/transports/src/test/java/org/apache/cxf/systest/http_jetty/JettyBasicAuthTest.java
> >>> >> >>> >> Freeman
> >>> >> >>> >>
> >>> >> >>> >> On 2011-6-13, at 11:34 PM, Angelo zerr wrote:
> >>> >> >>> >>
> >>> >> >>> >>  Hi CXF Team,
> >>> >> >>> >>>
> >>> >> >>> >>> I would like to manage WebService with HTTP Basic CXF Interceptor and I have
> >>> >> >>> >>> not found this interceptor in the CXF. So I have used the great code from
> >>> >> >>> >>> http://chrisdail.com/2008/03/31/apache-cxf-with-http-basic-authentication/
> >>> >> >>> >>> and it works great.
> >>> >> >>> >>> I have noticed that some projects like
> >>> >> >>> >>> http://code.google.com/p/fenius/source/browse/trunk/fenius-util/src/main/java/is/glif/fenius/util/BasicAuthAuthorizationInterceptor.java?r=111
> >>> >> >>> >>> have used this code and I wonder why CXF doesn't include the
> >>> >> >>> >>> BasicAuthAuthorizationInterceptor class?
> >>> >> >>> >>>
> >>> >> >>> >>> I have modified BasicAuthAuthorizationInterceptor to delegate user/password
> >>> >> >>> >>> to another interface implementation and if you wish I could send you my work
> >>> >> >>> >>> and ask the author of the BasicAuthAuthorizationInterceptor if he is OK
> >>> >> >>> >>> to contribute to CXF.
> >>> >> >>> >>>
> >>> >> >>> >>> Thanks a lot for your answer.
> >>> >> >>> >>>
> >>> >> >>> >>> Regards Angelo
> >>> >> >>> >>>
> >>> >> >>> >>
> >>> >> >>> >> ---------------------------------------------
> >>> >> >>> >> Freeman Fang
> >>> >> >>> >>
> >>> >> >>> >> FuseSource
> >>> >> >>> >> Email:[email protected]
> >>> >> >>> >> Web: fusesource.com
> >>> >> >>> >> Twitter: freemanfang
> >>> >> >>> >> Blog: http://freemanfang.blogspot.com
> >>> >> >>> >>
> >>> >> >>> >>
> >>> >> >>> >>
> >>> >> >>> >>
> >>> >> >>> >>
> >>> >> >>> >>
> >>> >> >>> >>
> >>> >> >>> >>
> >>> >> >>> >>
> >>> >> >>> >>
> >>> >> >>> >
> >>> >> >>>
> >>> >> >>
> >>> >> >>
> >>> >> >
> >>> >>
> >>> >>
> >>> >>
> >>> >> --
> >>> >> Sergey Beryozkin
> >>> >>
> >>> >> Application Integration Division of Talend
> >>> >> http://sberyozkin.blogspot.com
> >>> >>
> >>> >
> >>
> >>
> >
> >
> >
> > --
> > Sergey Beryozkin
> >
> > Application Integration Division of Talend
> > http://sberyozkin.blogspot.com
> >
>
