If you are trying to do the authentication in JBoss AS, you can use PicketBox Api.

http://community.jboss.org/wiki/PicketBoxOverview

Hi Sergey - I have worked on some of the similar areas you are looking at here in our Native stack so have been interested to see your comments here.

Looking at your comments regarding the changes needed in CXF it looks like you are along the same lines I would consider, essentially I came to the same conclusion that the UsernameTokenProcessor within WSS4J is making an unsuitable assumption that you can obtain a users password.

Regarding how all of this would fit with the application server there are a couple of other things to consider, when integrating with the application server we are really looking to pass as much back to the application server provided containers as possible and not just have an independent authentication / authorization  process within the web services stack.

The approach of having two interceptors (one for authentication and one for authorization) is probably the biggest part of this problem already solved.

Where this becomes really apparent is where endpoints are deployed as EJB3 session beans, in this case the container can already be configured to perform authentication and authorization - as a deployed session bean can potentially be called from multiple different clients it makes sense for the authorization checks to remain with the bean.

A second requirement would be related to endpoints deployed as POJOs - although these do not have any container security before the invocation there is still the potential that the implementations will call other secured resources so any identity would need to be propagated for these calls.

The point of these two comments really is to highlight that this is not just a case of obtaining a Subject from whatever app server you are running in but actually associating the users identity with the request so that is propagates for further calls within the application server.  Using the APIs suggested from Anil should help with this so this is just something to keep in mind.

A final feature related to this that I know there is user demand for would be the ability to annotate the POJO endpoints with the same role annotations as used on EJB3 sesstion beans - we were unable to do this for our Native implementation of this as we had to support JAX-RPC as well as JAX-WS but as this would be JAX-WS only this could be an option and may help simplify the role configuration.

Thanks Darran and Anil for the involvement in this thread.

The approach of having two interceptors (one for authentication and one for authorization) is probably the biggest part of this problem already solved.

+1

Where this becomes really apparent is where endpoints are deployed as EJB3 session beans, in this case the container can already be configured to perform authentication and authorization - as a deployed session bean can potentially be called from multiple different clients it makes sense for the authorization checks to remain with the bean.

 

A second requirement would be related to endpoints deployed as POJOs - although these do not have any container security before the invocation there is still the potential that the implementations will call other secured resources so any identity would need to be propagated for these calls.

I think I've mentioned this to Sergey offline before, but the comments above better clarify the concept, thanks Darran.

A final feature related to this that I know there is user demand for would be the ability to annotate the POJO endpoints with the same role annotations as used on EJB3 sesstion beans - we were unable to do this for our Native implementation of this as we had to support JAX-RPC as well as JAX-WS but as this would be JAX-WS only this could be an option and may help simplify the role configuration.

Definitely a good idea, that could also simplify the user experience. JAX-RPC endpoints are not going to be deployed using the CXF impl, so it's actually JAX-WS only. We might want to think about a proper roles' configuration with a xml descriptor too later, but the annotation solution is probably the ideal one for the first implementation.

I see. Perhaps in some cases no authorization will be required, so just dropping an authorization interceptor will satisfy such requirements.

Yes this is where I think your two interceptor approach will help as it gives you the option of dropping the authorization one when not required.

Sure. I saw the following code line in the JBoss Native :

 

> securityAdaptor.pushSubjectContext(subject, principal, credential);

 

this is probably to do with what you explained above.

Yes that line is where we push the subject onto the ThreadLocal for the request so it is ready for further checks for subsequent calls.

Following the existing code will probably help you get something up and running but do keep in mind that it was written at a time the WS stack needed to support JBoss AS 4, 5 and 6 so a final switch to the APIs recommended by Anil would be required at some point.

Sergey,

thanks a lot for the patch. I'm going to give it a try locally and let you know (hopefully by the end of this week, otherwise next week).

Sergey,

I've tried the patch, very good. I agree the interceptor will eventually be moved out of the testsuite and to the src/main. Thank you for the contribution, really appreciated.

Hello,

have you figured our a solution for policy-first cases? I'm currently testing with jbossws-cxf 3.4 and it seems that when the policy interceptor analyzes the policy it puts the PolicyBasedWSS4JInInterceptor first in the chain, which makes the SubjectCreatingInterceptor useless.

I'm currently playing around with the WSSecurityPolicyLoader, in order to remove the PolicyBasedWSS4JInInterceptor interceptor and add a new one that would be a mix between the PolicyBasedWSS4JInInterceptor and SubjectCreatingInterceptor, but it seems a bit over-complicated.

Thanks,

Riccardo.

Thanks a lot!!

It did help, although not 100%. With the class you have suggested, I then get a caller unauthorized exception in the ejb security interceptors.

So, instead of that example, I've tried with the org.jboss.wsf.stack.cxf.security.authentication.SubjectCreatingInterceptor pulled from the jbossws-cxf integration libs, and it worked perfectly. In the other case, I believe, the subject or the security context are not propagated to the ejb security interceptors (the call "secAdaptorFactory.newSecurityAdapter().pushSubjectContext(subject, principal, password)" in the SubjectCreatingInterceptor).

There is still a thing that I'm not getting though: I've been playing both with UsernameToken auth and SAML token auth using the PicketLink trust project. In case of UsernameTokenAuth the login modules get called when the SubjectCreatingInterceptor calls the validate on the AuthenticationManager, which is during the interceptor message handling.

Instead, the SAML handler only creates the correct credentials and the validation (login) is invoked when the call hits the ejb security interceptor. The SAML handler does have some code that propagates the context (which in the end uses the

SecurityContextAssociation from JBoss security spi to do it).

This let's me think that, maybe, by just propagating the security context in the SimpleSubjectCreatingInterceptor from the example you gave, and therefore avoid the call to the AuthenticationManager, the credential validation would be triggered directly in the ejb security interceptors. Is this the correct interpretation? I haven't tried it out, as the SubjectCreatingInterceptor just works, but I'm still curious .

Thanks a lot in any case, as this avoided having to override the WSSecurityPolicy loader and create a mix between SubjectCreatingInterceptor and the PolicyBasedWSS4JInInterceptor, which I already tried, was working, but was also very, very ugly.

Riccardo.