Hi Taariq,

I have built an example for Talend Integration Factory that could be quite near to what you are looking for. It secures a camel-cxf endpoint using Spring Security with role annotations on the methods.

https://github.com/Talend/tif/tree/master/examples/spring-security

Basically you simply do not configure the authentication / authorization in CXF and simply let spring security do it all.

So you use a DelegatingFilterProxy to intercept any request and let Spring do the authentication on it. In your application context you define a <http> config element for Spring Security.

On your impl class you use annotations like @RolesAllowed("ROLE_USER") to do the authorization. As I define the service impl as a Spring bean these will be evaluated.

My example does not use LDAP, but as this config is only Spring Security specific you might already have that.

Christian


On 03.02.2012 06:45, Taariq Levack wrote:
Hi

I have an existing web app using Spring Security and LDAP for
authentication and authorization.
Now we want some web services to be secured using UsernameToken and SSL.

I also want it to reuse the existing spring method level security, this
user's role cannot use commit() for instance, this seems easy enough with
the SecureAnnotationsInterceptor.

I've also noticed in the new CXF that the password must be supplied to be
evaluated, rather than it being provided
for authentication.
Now I can look up the password in LDAP, but aside from it not being
plaintext like the web service user,
it doesn't perform a login on LDAP of course and we'd like that history of
logins and everything else LDAP provides.

There's a project called
cxf-spring-security <http://code.google.com/p/cxf-spring-security/> which
hasn't been touched for a long time, I don't know if it's been integrated
into CXF yet or will be.

The CXF security docs[1] say you can use a custom
"AbstractUsernameTokenInterceptor" and postpone the validation of the
username token with "ws-security.ut.no-callbacks" and then do the custom
authentication and Subject creation, but this class no longer exists, at
least not in trunk nor the 2.4.4 release I'm using at the moment. I do have
wss4j in the pom too.

I also see the JAASLoginInterceptor in the docs but I'm using the
LdapAuthenticationProvider and not a JAAS provider so I don't think that's
relevant yet, but correct me if I'm wrong please.

So to sum up I can use the callback no problem, but I don't see how I'm
supposed to perform login yet.
And once authenticated, I need the security context populated so that
Spring can do method level security, but maybe here I'm misunderstanding
and CXF is going to do this using SimpleAuthorizingInterceptor, which is
populated instead from whatever SpringSecurity returns after authentication.

[1] http://cxf.apache.org/docs/security.html

Thanks in advance,
Taariq



--

Christian Schneider
http://www.liquid-reality.de

Open Source Architect
Talend Application Integration Division http://www.talend.com
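
The setup described in the reply above, sketched as a Spring application context. This is an added example, not part of the original thread and not the configuration from the linked Talend example; it assumes the Spring Security 3.x XML namespace, HTTP Basic as the login mechanism, and a hypothetical bean class `com.example.CustomerServiceImpl`, with a constructed in-memory user standing in for the existing LDAP provider.

```xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="
      http://www.springframework.org/schema/beans
      http://www.springframework.org/schema/beans/spring-beans.xsd
      http://www.springframework.org/schema/security
      http://www.springframework.org/schema/security/spring-security.xsd">

  <!-- web.xml (not shown) maps a filter named "springSecurityFilterChain",
       class org.springframework.web.filter.DelegatingFilterProxy, to /*
       so that every request, including the CXF servlet's, passes through
       the chain defined by <http> below before CXF sees it. -->
  <http use-expressions="true">
    <!-- Assumption: all service URLs need an authenticated ROLE_USER and
         are forced onto HTTPS so Basic credentials never travel in clear. -->
    <intercept-url pattern="/**" access="hasRole('ROLE_USER')"
                   requires-channel="https"/>
    <http-basic/>
  </http>

  <!-- Enables evaluation of JSR-250 annotations (@RolesAllowed) on beans.
       It must be declared in the same application context as the service
       bean, otherwise the annotations are silently ignored. -->
  <global-method-security jsr250-annotations="enabled"/>

  <!-- Constructed placeholder user; in the setup from the question this
       provider would be the existing LdapAuthenticationProvider. -->
  <authentication-manager>
    <authentication-provider>
      <user-service>
        <user name="ws-user" password="CHANGE_ME" authorities="ROLE_USER"/>
      </user-service>
    </authentication-provider>
  </authentication-manager>

  <!-- Hypothetical service impl. Its methods carry e.g.
       @RolesAllowed("ROLE_USER"); because it is a Spring bean, calls made
       through the bean are intercepted and checked against the roles of
       the user authenticated by the filter chain. -->
  <beans:bean id="customerService" class="com.example.CustomerServiceImpl"/>

</beans:beans>
```

The CXF endpoint has to reference the `customerService` bean rather than instantiate the class itself, since only the Spring-managed proxy enforces the annotations.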
