Hi,
My comment inline.
On 2010-3-30, at 6:09 PM, will.mad wrote:

Hi,
My ESB exposes some web services endpoint using a cxf-bc consumer component. I would like to add basic authentication in order to force client applications calling my web services to provide a username/password. I tried to configure my cxf component by specifying a cxf bus configuration but it has no effect.

Here is my configuration :

xbean.xml for cxf-bc consumer :
<cxfbc:consumer wsdl="classpath:wsdl/provider/AlarmWS.wsdl"
                     endpoint="AlarmWSPort"
                     service="alarm:AlarmWS"
                     targetEndpoint="AlarmCamelEndpoint"
                     targetService="alarm:AlarmCamelService"
                     busCfg="basic_auth.xml"
                     useJBIWrapper="false"/>

basic_auth.xml :
<http:conduit name="*.http-conduit">
<http:authorization>
<sec:UserName>firefly</sec:UserName>
<sec:Password>serenity</sec:Password>
</http:authorization>
</http:conduit>

Configuring the http conduit is only for the client side, so it only works for a cxf bc provider, but not a consumer. If you want to enable server side (cxf bc consumer) basic auth, you need an interceptor to do it. The basic idea is to extract the AuthorizationPolicy from the incoming message and compare the username/password, but it's not so complicated; here is a good article [1] to show how to do it.

Another way (as Dan Kulp pointed out months ago in another thread) to configure server side basic auth is to configure the jetty instance to handle the authentication, as Jetty has a "SecurityHandler" that can be configured into the handlers via CXF config. The SecurityHandler takes an Authenticator (they have a BasicAuthenticator) and a UserRealm object (they have one for basic HashMap lookup things as well as a JDBC version).



[1] http://chrisdail.com/2008/03/31/apache-cxf-with-http-basic-authentication/

Freeman
Configuration details :
Servicemix 3.3.1
cxf-bc-2010.01
JDK 1.6_07

This configuration has no effect and my services are still accessible without username/password. Is there something missing? Is it possible to add authentication to exposed web services (cxfbc-consumer)?

Regards
William



--
Freeman Fang
------------------------
Open Source SOA: http://fusesource.com
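
A sketch of the interceptor approach described in the reply above, as an added example that is not code from the thread, from the linked article or from ServiceMix. The class name BasicAuthInInterceptor and its expectedUser/expectedPassword properties are hypothetical, and it assumes the bean is registered among the consumer's in-interceptors.

```java
import java.nio.charset.Charset;

import org.apache.cxf.configuration.security.AuthorizationPolicy;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;

/** Added example: rejects requests that lack the expected Basic credentials. */
public class BasicAuthInInterceptor extends AbstractPhaseInterceptor<Message> {
    private static final Charset UTF8 = Charset.forName("UTF-8");

    // Hypothetical properties, injected from the Spring configuration.
    private String expectedUser;
    private String expectedPassword;

    public BasicAuthInInterceptor() {
        super(Phase.RECEIVE); // run before the request body is processed
    }

    public void setExpectedUser(String u) { this.expectedUser = u; }
    public void setExpectedPassword(String p) { this.expectedPassword = p; }

    public void handleMessage(Message message) throws Fault {
        // The HTTP transport parses the Authorization header into this policy.
        AuthorizationPolicy policy = message.get(AuthorizationPolicy.class);
        boolean ok = policy != null
            && expectedUser != null && expectedPassword != null // fail closed
            && policy.getUserName() != null && policy.getPassword() != null;
        if (ok) {
            // Evaluate both fields so timing does not show which one was wrong.
            boolean userOk = sameBytes(policy.getUserName(), expectedUser);
            boolean passOk = sameBytes(policy.getPassword(), expectedPassword);
            ok = userOk & passOk;
        }
        if (!ok) {
            // Same generic error for missing and for wrong credentials.
            throw new Fault(new SecurityException("Authentication required"));
        }
    }

    // Comparison whose running time does not depend on where the inputs differ.
    static boolean sameBytes(String a, String b) {
        byte[] x = a.getBytes(UTF8);
        byte[] y = b.getBytes(UTF8);
        int diff = x.length ^ y.length;
        for (int i = 0; i < Math.min(x.length, y.length); i++) {
            diff |= x[i] ^ y[i];
        }
        return diff == 0;
    }
}
```

Throwing a Fault makes the caller receive a SOAP fault; it does not send an HTTP 401 challenge with a WWW-Authenticate header. Basic credentials are only base64-encoded on the wire, so the endpoint should be exposed over HTTPS.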
