Hi 

I am trying to accomplish something I thought was quite a standard use case. I
was probably wrong, since I did not find a complete example for it. 

Goal: Build a secured CXF/SpringBoot webservice that calls other secured 
webservice(s). 
Setup: SpringBoot (1.5.x), CXF (3.1.x), WSS4J (2.1.x), Spring Security (4.2.x)

**What I want to accomplish**

- My CXF/SpringBoot webservice must authenticate requests against LDAP. 
  => I have a working Spring Security setup with AuthenticationManager, 
UserDetailsService etc. 
  => This setup depends on the Spring SecurityContext. 
  
- My CXF/SpringBoot webservice must accept WSS Username/Password (Plaintext). 
  => I use a combination of SAAJInInterceptor and WSS4JInInterceptor (no 
password callback!) to create a UsernameToken from the WSS header. 
  => I use a custom "ws-security.ut.validator" to create a Spring 
SecurityContext from the UsernameToken and authenticate the user against LDAP. 
    
- My CXF/SpringBoot webservice must call a downstream webservice that accepts a 
proprietary token type. 
  => This requires another CXF (client) endpoint configuration. 
  => I use a custom out-interceptor that extends AbstractTokenInterceptor to 
add the proprietary token to the request. 
  => However, currently the username is hardcoded because I don't know where to 
get it. 

Question: In my Spring SecurityContext I have the authenticated user. But how 
can I "hand over" the username to the TokenInterceptor? 

Question: Let's assume I do two downstream calls to finally create the response 
for the initial service request. Are these calls individual "contexts" from a 
CXF point of view or is there some kind of "management" around that holds all 
data of all the calls?

Thanks 
Stephan
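
One way to hand the authenticated user to the outbound chain, as an added example that is not part of the original post or of CXF itself. It assumes the custom "ws-security.ut.validator" stores the Authentication in the thread-bound SecurityContextHolder and that the downstream call is made synchronously on the request thread; the class name and the CALLER_KEY property are hypothetical.

```java
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

/**
 * Hypothetical out-interceptor for the downstream CXF client endpoint.
 * It copies the name of the user authenticated on the inbound request
 * into the outbound message, where the proprietary-token interceptor
 * can read it instead of using a hardcoded username.
 */
public class CallerIdentityOutInterceptor extends AbstractPhaseInterceptor<Message> {

    // Hypothetical message property; not a CXF-defined key.
    public static final String CALLER_KEY = "example.downstream.caller";

    public CallerIdentityOutInterceptor() {
        // SETUP is the first outbound phase, so the value is present
        // before any interceptor that writes security headers runs.
        super(Phase.SETUP);
    }

    @Override
    public void handleMessage(Message message) throws Fault {
        // Assumption: the inbound validator populated this thread-local context.
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();

        // Fail closed: never send a downstream request without a real caller.
        if (auth == null || !auth.isAuthenticated()
                || auth instanceof AnonymousAuthenticationToken) {
            throw new Fault(new SecurityException(
                    "No authenticated caller available for downstream call"));
        }

        // Each client invocation has its own outbound Message, so the value
        // is scoped to this single downstream call and is not shared.
        message.put(CALLER_KEY, auth.getName());
    }
}
```

The token interceptor would then read `message.get(CallerIdentityOutInterceptor.CALLER_KEY)`. Because container threads are pooled, the inbound side should call `SecurityContextHolder.clearContext()` when the request completes, and a downstream call moved to another thread will not see the context unless it is propagated explicitly.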
