ws-sec and component Authorization


by Tomas Blohm

Hi, I've implemented different approaches to secure my webservice with LDAP authorization and every one fails in some way. I implemented ws-sec and that worked until I tried to combine it with component authorization. Since I want to implement role behavior, this is necessary. Is it possible to combine ws-sec and component authorization? This is my config:

<?xml version="1.0" encoding="UTF-8"?>
<mule xmlns="http://www.mulesource.org/schema/mule/core/2.2"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xmlns:http="http://www.mulesource.org/schema/mule/http/2.2"
      xmlns:https="http://www.mulesource.org/schema/mule/https/2.2"
      xmlns:cxf="http://www.mulesource.org/schema/mule/cxf/2.2"
      xmlns:vm="http://www.mulesource.org/schema/mule/vm/2.2"
      xmlns:mule-ss="http://www.mulesource.org/schema/mule/spring-security/2.2"
      xmlns:ss="http://www.springframework.org/schema/security"
      xmlns:spring="http://www.springframework.org/schema/beans"
      xmlns:acegi="http://www.mulesource.org/schema/mule/acegi/2.2"
      xsi:schemaLocation="
          http://www.mulesource.org/schema/mule/http/2.2 http://www.mulesource.org/schema/mule/http/2.2/mule-http.xsd
          http://www.mulesource.org/schema/mule/https/2.2 http://www.mulesource.org/schema/mule/https/2.2/mule-https.xsd
          http://www.mulesource.org/schema/mule/cxf/2.2 http://www.mulesource.org/schema/mule/cxf/2.2/mule-cxf.xsd
          http://www.mulesource.org/schema/mule/core/2.2 http://www.mulesource.org/schema/mule/core/2.2/mule.xsd
          http://www.mulesource.org/schema/mule/spring-security/2.2 http://www.mulesource.org/schema/mule/spring-security/2.2/mule-spring-security.xsd
          http://www.mulesource.org/schema/mule/vm/2.2 http://www.mulesource.org/schema/mule/vm/2.2/mule-vm.xsd
          http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.xsd
          http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
          http://www.mulesource.org/schema/mule/acegi/2.2 http://www.mulesource.org/schema/mule/acegi/2.2/mule-acegi.xsd
          ">

    <!-- Spring Security AuthenticationManager; delegates to the LDAP provider below -->
    <spring:bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
        <spring:property name="providers">
            <spring:list>
                <spring:ref bean="authenticationProvider"/>
            </spring:list>
        </spring:property>
    </spring:bean>

    <beans xmlns="http://www.springframework.org/schema/beans"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xmlns:mule="http://www.mulesource.org/schema/mule/core/2.2"
           xmlns:acegi="http://www.mulesource.org/schema/mule/acegi/2.2">

        <!-- Manager bind used for group lookups. Plain ldap:// (no TLS), so the bind DN
             and password travel in cleartext to the directory. -->
        <bean id="initialDirContextFactory"
              class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
            <constructor-arg value="ldap://172.16.71.50:389/o=SE" />
            <property name="userDn">
                <value>cn=admin,o=Pulsen</value>
            </property>
            <property name="password">
                <value>xxxxxx</value>
            </property>
        </bean>

        <!-- Authentication: bind as the user (cn={0},ou=Mule);
             authorities: group cn under ou=groups,ou=Mule, uppercased and prefixed ROLE_ -->
        <bean id="authenticationProvider"
              class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
            <constructor-arg>
                <bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
                    <constructor-arg>
                        <ref local="initialDirContextFactory" />
                    </constructor-arg>
                    <property name="userDnPatterns">
                        <list>
                            <value>cn={0},ou=Mule</value>
                        </list>
                    </property>
                </bean>
            </constructor-arg>
            <constructor-arg>
                <bean class="org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator">
                    <constructor-arg>
                        <ref local="initialDirContextFactory" />
                    </constructor-arg>
                    <constructor-arg>
                        <value>ou=groups,ou=Mule</value>
                    </constructor-arg>
                    <property name="groupRoleAttribute">
                        <value>cn</value>
                    </property>
                    <property name="searchSubtree">
                        <value>true</value>
                    </property>
                    <property name="rolePrefix">
                        <value>ROLE_</value>
                    </property>
                    <property name="convertToUpperCase">
                        <value>true</value>
                    </property>
                </bean>
            </constructor-arg>
        </bean>

        <!-- Method-level authorization on the component; reads the Authentication from
             SecurityContextHolder at invocation time -->
        <bean id="myComponentSecurity" class="org.springframework.security.intercept.method.aopalliance.MethodSecurityInterceptor">
            <property name="authenticationManager" ref="authenticationManager"/>
            <property name="accessDecisionManager" ref="accessDecisionManager"/>
            <property name="objectDefinitionSource">
                <value>
                    com.pulsen.cxf.services.HelloWorldImpl.sayHi=ROLE_READERS
                    com.pulsen.cxf.services.HelloWorldImpl.sayHi2=ROLE_WRITERS
                </value>
            </property>
        </bean>
        <bean id="accessDecisionManager" class="org.springframework.security.vote.AffirmativeBased">
            <property name="decisionVoters">
                <list>
                    <ref bean="roleVoter"/>
                </list>
            </property>
        </bean>
        <!-- CGLIB-proxies helloWorldService so the interceptor wraps its methods -->
        <bean id="autoProxyCreator" class="org.springframework.aop.framework.autoproxy.BeanNameAutoProxyCreator">
            <property name="interceptorNames">
                <list>
                    <value>myComponentSecurity</value>
                </list>
            </property>
            <property name="beanNames">
                <list>
                    <value>helloWorldService</value>
                </list>
            </property>
            <property name="proxyTargetClass" value="true"/>
        </bean>
        <bean id="roleVoter" class="org.springframework.security.vote.RoleVoter"/>

        <!-- WSS4J password callback that authenticates the UsernameToken against the Mule security manager -->
        <cxf:security-manager-callback id="serverCallback" securityManager-ref="_muleSecurityManager"/>
    </beans>

    <mule-ss:security-manager id="_muleSecurityManager">
        <mule-ss:delegate-security-provider name="spring-security-ldap" delegate-ref="authenticationManager" />
    </mule-ss:security-manager>

    <https:connector name="httpConnector">
        <https:tls-client path="keystore/clientkeystore" storePassword="xdr537" />
        <https:tls-key-store path="keystore/portal.keystore" keyPassword="changeit" storePassword="changeit" />
        <https:tls-server path="keystore/truststore" storePassword="changeit" />
    </https:connector>

    <model name="CxfExample">
        <service name="helloService">
            <inbound>
                <cxf:inbound-endpoint address="https://localhost:63081/hello" synchronous="true">
                    <!-- mule-ss:http-security-filter realm="mule-realm" /> -->
                    <cxf:inInterceptors>
                        <spring:bean class="org.apache.cxf.binding.soap.saaj.SAAJInInterceptor" />
                        <spring:bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
                            <spring:constructor-arg>
                                <spring:map>
                                    <spring:entry key="action" value="UsernameToken" />
                                    <spring:entry key="passwordCallbackRef" value-ref="serverCallback" />
                                    <!-- PasswordText: the password is sent in clear inside the SOAP header,
                                         protected only by the HTTPS transport -->
                                    <spring:entry key="passwordType" value="PasswordText" />
                                </spring:map>
                            </spring:constructor-arg>
                        </spring:bean>
                    </cxf:inInterceptors>
                </cxf:inbound-endpoint>
            </inbound>
            <component>
                <!-- singleton-object class="com.pulsen.cxf.services.HelloWorldImpl"/> -->
                <spring-object bean="helloWorldService" />
            </component>
        </service>
    </model>
    <spring:bean id="helloWorldService" class="com.pulsen.cxf.services.HelloWorldImpl" />
</mule>

The exception I get looks like this:

ERROR 2009-10-29 11:51:56,884 [httpConnector.receiver.2] org.mule.service.DefaultServiceExceptionStrategy:
********************************************************************************
Message               : Component that caused exception is: SedaService{helloService}. Message payload is of type: String
Type                  : org.mule.api.service.ServiceException
Code                  : MULE_ERROR--2
JavaDoc               : http://www.mulesource.org/docs/site/current2/apidocs/org/mule/api/service/ServiceException.html
Payload               : Tomas
********************************************************************************
Exception stack is:
1. An Authentication object was not found in the SecurityContext (org.springframework.security.AuthenticationCredentialsNotFoundException)
  org.springframework.security.intercept.AbstractSecurityInterceptor:342 (null)
2. Component that caused exception is: SedaService{helloService}. Message payload is of type: String (org.mule.api.service.ServiceException)
  org.mule.component.DefaultLifecycleAdapter:216 (http://www.mulesource.org/docs/site/current2/apidocs/org/mule/api/service/ServiceException.html)
********************************************************************************
Root Exception stack trace:
org.springframework.security.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext
        at org.springframework.security.intercept.AbstractSecurityInterceptor.credentialsNotFound(AbstractSecurityInterceptor.java:342)
        at org.springframework.security.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:254)
        at org.springframework.security.intercept.method.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:63)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
        at org.springframework.aop.framework.Cglib2AopProxy$DynamicAdvisedInterceptor.intercept(Cglib2AopProxy.java:635)
        at com.pulsen.cxf.services.HelloWorldImpl$$EnhancerByCGLIB$$a7766c41.sayHi(<generated>)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:585)
        at org.mule.model.resolvers.AbstractEntryPointResolver.invokeMethod(AbstractEntryPointResolver.java:154)
        at org.mule.model.resolvers.MethodHeaderPropertyEntryPointResolver.invoke(MethodHeaderPropertyEntryPointResolver.java:105)
        at org.mule.model.resolvers.DefaultEntryPointResolverSet.invoke(DefaultEntryPointResolverSet.java:50)
        at org.mule.component.DefaultLifecycleAdapter.invoke(DefaultLifecycleAdapter.java:205)
        at org.mule.component.AbstractJavaComponent.invokeComponentInstance(AbstractJavaComponent.java:83)
        at org.mule.component.AbstractJavaComponent.doInvoke(AbstractJavaComponent.java:74)
        at org.mule.component.AbstractComponent.invokeInternal(AbstractComponent.java:133)
        at org.mule.component.AbstractComponent.invoke(AbstractComponent.java:161)
        at org.mule.service.AbstractService.invokeComponent(AbstractService.java:929)
        at org.mule.model.seda.SedaService.doSend(SedaService.java:257)
        at org.mule.service.AbstractService.sendEvent(AbstractService.java:500)
        at org.mule.DefaultMuleSession.sendEvent(DefaultMuleSession.java:354)
        at org.mule.routing.inbound.DefaultInboundRouterCollection.send(DefaultInboundRouterCollection.java:228)
        at org.mule.routing.inbound.DefaultInboundRouterCollection.route(DefaultInboundRouterCollection.java:188)
        at org.mule.transport.AbstractMessageReceiver$DefaultInternalMessageListener.onMessage(AbstractMessageReceiver.java:364)
        at org.mule.transport.AbstractMessageReceiver.routeMessage(AbstractMessageReceiver.java:252)
        at org.mule.transport.AbstractMessageReceiver.routeMessage(AbstractMessageReceiver.java:175)
        at org.mule.transport.cxf.MuleInvoker.invoke(MuleInvoker.java:108)
        at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:56)
        at org.apache.cxf.workqueue.SynchronousExecutor.execute(SynchronousExecutor.java:37)
        at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:92)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:220)
        at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:78)
        at org.mule.transport.cxf.CxfServiceComponent.sendToDestination(CxfServiceComponent.java:284)
        at org.mule.transport.cxf.CxfServiceComponent.onCall(CxfServiceComponent.java:112)
        at org.mule.model.resolvers.CallableEntryPointResolver.invoke(CallableEntryPointResolver.java:52)
        at org.mule.model.resolvers.DefaultEntryPointResolverSet.invoke(DefaultEntryPointResolverSet.java:50)
        at org.mule.component.DefaultLifecycleAdapter.invoke(DefaultLifecycleAdapter.java:205)
        at org.mule.component.AbstractJavaComponent.invokeComponentInstance(AbstractJavaComponent.java:83)
        at org.mule.component.AbstractJavaComponent.doInvoke(AbstractJavaComponent.java:74)
        at org.mule.component.AbstractComponent.invokeInternal(AbstractComponent.java:133)
        at org.mule.component.AbstractComponent.invoke(AbstractComponent.java:161)
        at org.mule.service.AbstractService.invokeComponent(AbstractService.java:929)
        at org.mule.model.seda.SedaService.doSend(SedaService.java:257)
        at org.mule.service.AbstractService.sendEvent(AbstractService.java:500)
        at org.mule.DefaultMuleSession.sendEvent(DefaultMuleSession.java:354)
        at org.mule.routing.inbound.DefaultInboundRouterCollection.send(DefaultInboundRouterCollection.java:228)
        at org.mule.routing.inbound.DefaultInboundRouterCollection.route(DefaultInboundRouterCollection.java:188)
        at org.mule.transport.AbstractMessageReceiver$DefaultInternalMessageListener.onMessage(AbstractMessageReceiver.java:364)
        at org.mule.transport.AbstractMessageReceiver.routeMessage(AbstractMessageReceiver.java:252)
        at org.mule.transport.AbstractMessageReceiver.routeMessage(AbstractMessageReceiver.java:193)
        at org.mule.transport.http.HttpMessageReceiver$HttpWorker.doRequest(HttpMes...
********************************************************************************

The LDAP authentication works if I remove the component authorization. If I change the model to not use ws-sec:

<service name="helloService">
    <inbound>
        <cxf:inbound-endpoint address="https://localhost:63081/hello" synchronous="true">
            <mule-ss:http-security-filter realm="mule-realm" />
        </cxf:inbound-endpoint>
    </inbound>
    <component>
        <spring-object bean="helloWorldService" />
    </component>
</service>

Then everything works, different users can request different methods depending on group membership. But I still get errors in the log:

ERROR 2009-10-29 11:46:40,539 [httpConnector.receiver.2] org.mule.config.i18n.CoreMessages: Failed to find message for id 134 in resource bundle META-INF.services.org.mule.i18n.core-messages
WARN  2009-10-29 11:46:40,539 [httpConnector.receiver.2] org.mule.transport.http.HttpsMessageReceiver: Request was made but was not authenticated: Registered authentication is set to org.mule.module.spring.security.filters.http.HttpBasicAuthenticationFilter but there was no security context on the session. . Message payload is of type: ContentLengthInputStream
org.mule.api.security.UnauthorisedException: Registered authentication is set to org.mule.module.spring.security.filters.http.HttpBasicAuthenticationFilter but there was no security context on the session. . Message payload is of type: ContentLengthInputStream
        at org.mule.module.spring.security.filters.http.HttpBasicAuthenticationFilter.authenticateInbound(HttpBasicAuthenticationFilter.java:164)
        at org.mule.security.AbstractEndpointSecurityFilter.authenticate(AbstractEndpointSecurityFilter.java:181)
        at org.mule.transport.AbstractMessageReceiver$DefaultInternalMessageListener.onMessage(AbstractMessageReceiver.java:335)
        at org.mule.transport.AbstractMessageReceiver.routeMessage(AbstractMessageReceiver.java:252)
        at org.mule.transport.AbstractMessageReceiver.routeMessage(AbstractMessageReceiver.java:193)
        at org.mule.transport.http.HttpMessageReceiver$HttpWorker.doRequest(HttpMessageReceiver.java:273)
        at org.mule.transport.http.HttpMessageReceiver$HttpWorker.processRequest(HttpMessageReceiver.java:227)
        at org.mule.transport.http.HttpMessageReceiver$HttpWorker.run(HttpMessageReceiver.java:190)
        at org.mule.work.WorkerContext.run(WorkerContext.java:310)
        at edu.emory.mathcs.backport.java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1061)
        at edu.emory.mathcs.backport.java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:575)
        at java.lang.Thread.run(Thread.java:595)
ERROR 2009-10-29 11:46:40,554 [httpConnector.receiver.2] org.mule.DefaultExceptionStrategy:
********************************************************************************
Message               : Registered authentication is set to org.mule.module.spring.security.filters.http.HttpBasicAuthenticationFilter but there was no security context on the session. . Message payload is of type: ContentLengthInputStream
Type                  : org.mule.api.security.UnauthorisedException
Code                  : MULE_ERROR-54999
JavaDoc               : http://www.mulesource.org/docs/site/current2/apidocs/org/mule/api/security/UnauthorisedException.html
Payload               : org.apache.commons.httpclient.ContentLengthInputStream@ac2d3c
********************************************************************************
Exception stack is:
1. Registered authentication is set to org.mule.module.spring.security.filters.http.HttpBasicAuthenticationFilter but there was no security context on the session. . Message payload is of type: ContentLengthInputStream (org.mule.api.security.UnauthorisedException)
  org.mule.module.spring.security.filters.http.HttpBasicAuthenticationFilter:164 (http://www.mulesource.org/docs/site/current2/apidocs/org/mule/api/security/UnauthorisedException.html)
********************************************************************************
Root Exception stack trace:
org.mule.api.security.UnauthorisedException: Registered authentication is set to org.mule.module.spring.security.filters.http.HttpBasicAuthenticationFilter but there was no security context on the session. . Message payload is of type: ContentLengthInputStream
        at org.mule.module.spring.security.filters.http.HttpBasicAuthenticationFilter.authenticateInbound(HttpBasicAuthenticationFilter.java:164)
        at org.mule.security.AbstractEndpointSecurityFilter.authenticate(AbstractEndpointSecurityFilter.java:181)
        at org.mule.transport.AbstractMessageReceiver$DefaultInternalMessageListener.onMessage(AbstractMessageReceiver.java:335)
        at org.mule.transport.AbstractMessageReceiver.routeMessage(AbstractMessageReceiver.java:252)
        at org.mule.transport.AbstractMessageReceiver.routeMessage(AbstractMessageReceiver.java:193)
        at org.mule.transport.http.HttpMessageReceiver$HttpWorker.doRequest(HttpMessageReceiver.java:273)
        at org.mule.transport.http.HttpMessageReceiver$HttpWorker.processRequest(HttpMessageReceiver.java:227)
        at org.mule.transport.http.HttpMessageReceiver$HttpWorker.run(HttpMessageReceiver.java:190)
        at org.mule.work.WorkerContext.run(WorkerContext.java:310)
        at edu.emory.mathcs.backport.java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1061)
        at edu.emory.mathcs.backport.java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:575)
        at java.lang.Thread.run(Thread.java:595)

********************************************************************************


Any input on this is appreciated!!

/Tomas Blohm

Re: ws-sec and component Authorization

by Mike Carr-6

I had a quick look at this recently because a customer would like to use a similar setup. My impression is that the org.mule.transport.cxf.support.MuleSecurityManagerCallbackHandler is doing the authentication but not setting the SecurityContext on the session like the http-basic-authentication filter is doing:

    SecurityContext context = getSecurityManager().createSecurityContext(authResult);
    context.setAuthentication(authResult);
    event.getSession().setSecurityContext(context);

Probably because the interceptor does not have access to the event (it's a CXF and not a Mule interceptor). I am considering creating my own wss-authentication filter based on the http one.

---------------------------------------------------------------------
To unsubscribe from this list, please visit:

    http://xircles.codehaus.org/manage_email
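One concrete shape for the filter Mike describes, added here as an example; it is not code from this thread, from Mule or from CXF. It is a CXF in-interceptor placed after WSS4JInInterceptor: it reads the UsernameToken that WSS4J has already validated, authenticates that user name and password through the Spring Security AuthenticationManager from Tomas's config (so LdapAuthenticationProvider binds as the user and DefaultLdapAuthoritiesPopulator loads the ROLE_* authorities), and puts the result into SecurityContextHolder, which is the only place MethodSecurityInterceptor looks. It assumes Mule 2.2 with CXF 2.1 and WSS4J 1.5.4 or later (map-style WSSecurityEngineResult) and Spring Security 2.0, matching the package names in the config; the package name com.example.wssec and both class names are hypothetical.

```java
// Added example (not from the thread, Mule or CXF). Assumes CXF 2.1, WSS4J 1.5.4+,
// Spring Security 2.0. Package and class names are hypothetical.
package com.example.wssec;

import java.util.List;

import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSUsernameTokenPrincipal;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.handler.WSHandlerResult;
import org.springframework.security.Authentication;
import org.springframework.security.AuthenticationException;
import org.springframework.security.AuthenticationManager;
import org.springframework.security.context.SecurityContextHolder;
import org.springframework.security.providers.UsernamePasswordAuthenticationToken;

public class SpringSecurityContextInterceptor extends AbstractPhaseInterceptor<Message> {

    private final AuthenticationManager authenticationManager;

    public SpringSecurityContextInterceptor(AuthenticationManager authenticationManager) {
        // PRE_INVOKE is later than WSS4JInInterceptor's PRE_PROTOCOL phase; addAfter makes
        // the ordering explicit so RECV_RESULTS is already on the message when we run.
        super(Phase.PRE_INVOKE);
        addAfter(WSS4JInInterceptor.class.getName());
        this.authenticationManager = authenticationManager;
    }

    public void handleMessage(Message message) throws Fault {
        WSUsernameTokenPrincipal token = findUsernameToken(message);
        if (token == null) {
            // WSS4J normally faults before this point; fail closed rather than let an
            // unauthenticated call reach the component with an empty context.
            throw new Fault(new SecurityException("no WS-Security UsernameToken on request"));
        }
        try {
            Authentication request =
                new UsernamePasswordAuthenticationToken(token.getName(), token.getPassword());
            // ProviderManager -> LdapAuthenticationProvider: binds as the user and loads
            // the ROLE_* authorities. The returned token is marked authenticated, so
            // MethodSecurityInterceptor uses it as-is instead of binding again.
            Authentication result = authenticationManager.authenticate(request);
            SecurityContextHolder.getContext().setAuthentication(result);
        } catch (AuthenticationException e) {
            SecurityContextHolder.clearContext();
            throw new Fault(e);
        }
    }

    public void handleFault(Message message) {
        // In-chain fault raised after this interceptor ran: do not leave the
        // Authentication on the (pooled) receiver thread.
        SecurityContextHolder.clearContext();
    }

    static WSUsernameTokenPrincipal findUsernameToken(Message message) {
        // WSS4JInInterceptor stores a Vector<WSHandlerResult> under RECV_RESULTS.
        List<?> results = (List<?>) message.get(WSHandlerConstants.RECV_RESULTS);
        if (results == null) {
            return null;
        }
        for (Object handlerResult : results) {
            for (Object engineResult : ((WSHandlerResult) handlerResult).getResults()) {
                Object principal =
                    ((WSSecurityEngineResult) engineResult).get(WSSecurityEngineResult.TAG_PRINCIPAL);
                if (principal instanceof WSUsernameTokenPrincipal) {
                    return (WSUsernameTokenPrincipal) principal;
                }
            }
        }
        return null;
    }
}

/**
 * Companion out-interceptor. SecurityContextHolder is a ThreadLocal by default and the
 * httpConnector receiver threads are pooled, so clear it once the response is produced.
 * Register it in both cxf:outInterceptors and cxf:outFaultInterceptors.
 */
class ClearSecurityContextInterceptor extends AbstractPhaseInterceptor<Message> {
    public ClearSecurityContextInterceptor() {
        super(Phase.SETUP);
    }

    public void handleMessage(Message message) throws Fault {
        SecurityContextHolder.clearContext();
    }
}
```

Wiring: inside `<cxf:inInterceptors>`, after the WSS4JInInterceptor bean, add `<spring:bean class="com.example.wssec.SpringSecurityContextInterceptor"><spring:constructor-arg ref="authenticationManager"/></spring:bean>`, and put `ClearSecurityContextInterceptor` in `<cxf:outInterceptors>` and `<cxf:outFaultInterceptors>`. Two caveats. First, this relies on the component being invoked on the same thread as the CXF chain; the stack trace in the first post shows that is the case here (MuleInvoker, SedaService.doSend and HelloWorldImpl.sayHi all on httpConnector.receiver.2) because the endpoint is `synchronous="true"`; with an asynchronous SEDA hand-off the ThreadLocal would not follow the message. Second, as Mike notes the WSS4J callback already authenticates against `_muleSecurityManager`, so with this interceptor each request performs two LDAP binds; the second one is what loads the authorities the RoleVoter needs.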



Re: ws-sec and component Authorization

by Tomas Blohm

This seems like quite a big limitation for ws-sec. The job is only halfway done. I think I might file a JIRA for this.
What about the other error, where everything worked but errors were still printed to the log?



