CXF+ACEGI

Willem2 wrote:

Hi Matt

I did not see any url in your mail below :(.
Could you send them again ?

Willem.
mattmadhavan wrote:
> Hello All,
> Please refer to this blog. Seems to be one of the most popular blog. Please
> look at the client code! (Test case).
>
> Any ideas? If some one has a complete ACEGI security solution and posts it
> it will be Awesome! Ray do you mind posting a complete sample. It will be
> greatly beneficial to everybody.
>
> Matt
>
>
> dkulp wrote:
>  
>> Ray,
>>
>> On Monday 17 September 2007, Ray Krueger wrote:
>>    
>>> The authorization and authentication concerns are addressed at the
>>> protocol layer first, and can then be extended into lower levels of
>>> the application via AOP and such. So, if you're interested in securing
>>> your application at that level, then CXF doesn't even really enter
>>> into the discussion. Meaning that you're going to put the Acegi filter
>>> out there, and configure it to protect whatever URLs your CXF services
>>> are published on. Acegi wouldn't know anything about CXF in that case.
>>>      
>> This currently works fine if you use the CXFServlet approach and deploy
>> your application as a war into some sort of Servlet container.
>>
>> However, if you do a J2SE standalone mode application, this is quite hard
>> to do right now and is something we should make a bit easier.  
>> Currently, you would need to grab the raw Jetty listeners, use the Jetty
>> API's to add the filters, etc....   (Note: this also applies if you want
>> to secure your decoupled destination for a ws-rm/ws-a interaction)  
>>
>> We probably should allow filters to be added via the spring configuration
>> for the destination.   That would simplify things quite a bit.
>>
>>    
>>> From there you can decide in your endpoints how you consider the
>>> 'Principal'. You could retrieve it from Acegi without it being part of
>>> WS-Security and keep it loose that way. Or you could find some means
>>> of integrating Acegi into a WS-Security provider for CXF somehow.
>>>      
>> This was the interceptor I mentioned before.   An interceptor after the
>> WS-Sec interceptors would have access to the stuff decoded from the
>> message.   The interceptor could create the principal object and pass
>> that into Acegi.
>>
>> Dan
>>
>>
>>    
>>> The application I am building will support both plain xml over http
>>> and soap over http. So in that case it makes sense for me to place
>>> security at the http layer, and avoid relying on something like
>>> WS-Security.
>>>
>>> On 9/17/07, Daniel Kulp <dkulp@apache.org> wrote:
>>>      
>>>> Interesting you should ask this.....    I first heard about ACEGI
>>>> last week in a different conversation and have just started to look
>>>> into it a bit.   I'd LOVE to have your input into this as to what
>>>> you think is needed or what you would consider good integration.
>>>>
>>>> Here are my thoughts so far:   (keep in mind, I had never heard of
>>>> ACEGI till last week so I could be completely off base)
>>>>
>>>> 1) If you deploy your app as a war using the spring webapp stuff and
>>>> setting up to use aop for your service, it should just work.  The
>>>> acegi filter should grab the basic-auth stuff, setup the security
>>>> context stuff it needs, and when we call invoke on the service, the
>>>> acegi stuff should grant/deny it.
>>>>
>>>> 2) Longer term, we could write an interceptor that grabs the
>>>> AuthorizationPolicy object and HTTPS/WS-Sec stuff from our message
>>>> and fills in the acegi contexts with the details.    That really
>>>> wouldn't be a huge amount of work to do.
>>>>
>>>>
>>>> Dan
>>>>
>>>> On Thursday 13 September 2007, mattmadhavan wrote:
>>>>        
>>>>> Hello,
>>>>> Can some one point me to some docs on the CXF and ACEGI
>>>>> integration or CXF and security like authentication and
>>>>> authorization. Some sample app will even be great.
>>>>>
>>>>> I found some blogs on the CXF+ACEGI, but it is Java centric. On
>>>>> the client side we need to set the which class handles the
>>>>> security on the Server side! But if I am using some other language
>>>>> for clients like C# it does n't seem to be the proper way!
>>>>>
>>>>> Any ideas will be greatly appreciated.
>>>>>
>>>>> Thanks
>>>>> Matt
>>>>>          
>>>> --
>>>> J. Daniel Kulp
>>>> Principal Engineer
>>>> IONA
>>>> P: 781-902-8727    C: 508-380-7194
>>>> daniel.kulp@iona.com
>>>> http://www.dankulp.com/blog
>>>>        
>>
>> --
>> J. Daniel Kulp
>> Principal Engineer
>> IONA
>> P: 781-902-8727    C: 508-380-7194
>> daniel.kulp@iona.com
>> http://www.dankulp.com/blog
>>
>>
>>    
>
>  

I'm yet another person very interested in securing my services using Acegi as we will be using it as our primary method of authentication over all of our service transport mechanisms (RMI, HTTP, etc.).

If someone has a soup-to-nuts example implementation that would be great to see!

Regards,
Kaleb


"Ray Krueger" ---09/21/2007 04:51:44 PM---Yeah, that looks great. If you want to do authentication at the

From:	"Ray Krueger" <raykrueger@...>
To:	cxf-user@...
Date:	09/21/2007 04:51 PM
Subject:	Re: CXF+ACEGI

Juan José Vázquez Delgado wrote:

Hi all,

I love CXF, but IMHO the ws-security module is not good enough solved. I
suspect the responsible is wss4j wich is not too much powerful.

I´m thinking in using the glassfish XWSS (https://xwss.dev.java.net/) in a
similar way to Spring Web Services (
http://static.springframework.org/spring-ws/site/). With XWSS you can
setting handlers and validators like for instance an Acegi Handler.

BR,

Juanjo.

On 9/21/07, Eric Miles <eric.miles@kronos.com> wrote:
>
> We started some discussion the other day about CXF+Acegi out there the
> other day, but hadn't seen anything since.  Any discussion after I sent
> the source code or my findings with integrating the two?
>
> On Tue, 2007-09-18 at 11:18 -0400, Eric Miles wrote:
> > Actually, here is the code.  Attached is the WSS4J callback class and
> > the CXF interceptor that uses the Acegi authentication manager for
> > authentication.
> >
> > Pretty simple and straight forward.  If you look at the callback
> > handler, you can see my comment regarding the WSS4J engine.  I do have
> > one concern in that this solution might not have worked for a digest UT.
> > I'll have to revisit as it has been several months since we first looked
> > at it.
> >
> > However, this is a spring board for any discussions. (Spring pun not
> > intended)
> >
> > Eric
> >
> >
> > On Tue, 2007-09-18 at 08:10 -0700, mattmadhavan wrote:
> > > Eric,
> > > Do you mind posting a complete example. May be we can have a very
> > > constructive discussions based on that.
> > >
> > > Thanks
> > > Matt
> > >
> > >
> > >
> > >
> > > BigEHokie wrote:
> > > >
> > > > Dan,
> > > >
> > > > What sort of solution are you looking for?  We are using an
> > > > Acegi/Spring/CXF implementation at our company where we are using
> > > > WS-Security and Acegi for authentication and AOP/Acegi for
> > > > authorization.  We could be interested in contributing.
> > > >
> > > > Thanks,
> > > > Eric
> > > >
> > > >
> > > > On Tue, 2007-09-18 at 00:15 +0200, Dan Diephouse wrote:
> > > >> And I want somebody to contribute a cleaner solution :-D
> > > >>
> > > >> I know there is a lot of stuff we could do with Spring
> Security/Acegi
> > > >> that would be super cool. It'd be a real low barrier way to
> contribute
> > > >> some stuff if anyone is interested.
> > > >>
> > > >> Cheers,
> > > >> - Dan
> > > >>
> > > >> mattmadhavan wrote:
> > > >> > Hi Ray,
> > > >> > No I do not want the client side to tell the server! Thats my
> point.
> > > >> Some
> > > >> > good blogs I have seen, do that! Where the client 'tells' which
> handler
> > > >> to
> > > >> > use!
> > > >> >
> > > >> > I want a cleaner ACEGI+ XFIRE solution!
> > > >> >
> > > >> > Thanks
> > > >> > Matt
> > > >> >
> > > >> >
> > > >> >
> > > >> > Ray Krueger wrote:
> > > >> >
> > > >> > > You want the client to tell the server how to do security? That
> > > >> sounds
> > > >> > > crazy :)
> > > >> > >
> > > >> > > Your client side should either be doing http based security or
> > > >> > > ws-security. That doesn't have anything to do with Acegi at
> that
> > > >> > > point.
> > > >> > >
> > > >> > > On 9/14/07, Zarar Siddiqi <zarars@gmail.com> wrote:
> > > >> > >
> > > >> > > > I'm trying to understand what you're saying but am having
> > > >> difficulty. But
> > > >> > > > here goes:
> > > >> > > >
> > > >> > > >
> > > >> > > > > Can some one point me to some docs on the CXF and ACEGI
> > > >> integration
> > > >> > > > > or CXF and security like authentication and authorization.
> > > >> > > > >
> > > >> > > > I use Acegi for authorization purposes only. IMHO it doesn't
> really
> > > >> make
> > > >> > > > sense for authentication (WS-Security can do that).  So I use
> the
> > > >> > > > MethodSecurityInterceptor and BeanNameAutoProxyCreator to
> manage
> > > >> calls to
> > > >> > > > my
> > > >> > > > service level methods.  The Acegi docs can help you there,
> the only
> > > >> > > > difference I think is that you have to set the authentication
> token
> > > >> > > > yourself, e.g.:
> > > >> > > >
> > > >> > > > UsernamePasswordAuthenticationToken token = new
> > > >> > > > UsernamePasswordAuthenticationToken(
> > > >> > > >    user.getUsername(), user.getPassword(),
> user.getAuthorities());
> > > >> > > > // Populate Acegi Security Context
> > > >> > > > SecurityContextHolder.getContext().setAuthentication(token);
> > > >> > > >
> > > >> > > >
> > > >> > > > > I found some blogs on the CXF+ACEGI, but it is Java
> centric. On
> > > >> the
> > > >> > > > >
> > > >> > > > client
> > > >> > > >
> > > >> > > > > side
> > > >> > > > > we need to set the which class handles the security on the
> Server
> > > >> side!
> > > >> > > > > But if
> > > >> > > > > I am using some other language for clients like C# it
> doesn't
> > > >> seem to
> > > >> > > > >
> > > >> > > > be
> > > >> > > >
> > > >> > > > > the proper way!
> > > >> > > > >
> > > >> > > > You can pass the class name which handles security to the
> server
> > > >> (crazy
> > > >> > > > thought I think!) using a header element and then parse it
> using
> > > >> CXF
> > > >> > > > interceptors.
> > > >> > > >
> > > >> > > > Zarar
> > > >> > > >
> > > >> > > >
> > > >> > > >
> > > >> > > >
> > > >> > > > mattmadhavan wrote:
> > > >> > > >
> > > >> > > > > Any Help will be appreciated!
> > > >> > > > >
> > > >> > > > >
> > > >> > > > >
> > > >> > > > > mattmadhavan wrote:
> > > >> > > > >
> > > >> > > > > > Hello,
> > > >> > > > > > Can some one point me to some docs on the CXF and ACEGI
> > > >> integration or
> > > >> > > > > > CXF and security like authentication and authorization.
> Some
> > > >> sample
> > > >> > > > > >
> > > >> > > > app
> > > >> > > >
> > > >> > > > > > will even be great.
> > > >> > > > > >
> > > >> > > > > > I found some blogs on the CXF+ACEGI, but it is Java
> centric. On
> > > >> the
> > > >> > > > > > client side we need to set the which class handles the
> security
> > > >> on the
> > > >> > > > > > Server side! But if I am using some other language for
> clients
> > > >> like C#
> > > >> > > > > >
> > > >> > > > it
> > > >> > > >
> > > >> > > > > > does n't seem to be the proper way!
> > > >> > > > > >
> > > >> > > > > > Any ideas will be greatly appreciated.
> > > >> > > > > >
> > > >> > > > > > Thanks
> > > >> > > > > > Matt
> > > >> > > > > >
> > > >> > > > > >
> > > >> > > > --
> > > >> > > > View this message in context:
> > > >> > > > http://www.nabble.com/CXF%2BACEGI-tf4436973.html#a12677582
> > > >> > > > Sent from the cxf-user mailing list archive at Nabble.com.
> > > >> > > >
> > > >> > > >
> > > >> > > >
> > > >> >
> > > >> >
> > > >>
> > > >>
> > > >> --
> > > >> Dan Diephouse
> > > >> MuleSource
> > > >> http://mulesource.com | http://netzooid.com/blog
> > > >
> > > >
> > >
>