7 Replies Latest reply on Oct 23, 2013 4:36 AM by radomir.kadlec

    Error in authorization with JBoss Fuse

    radomir.kadlec

      Hello (Freeman),

      you resolved the authorization error in Fuse ESB that I reported two years ago.

      But the same error is in JBoss Fuse now.

      It is because the class mentioned in org.apache.servicemix.nmr.api.security.GroupPrincipal is entered as the string "org.apache.karaf.jaas.modules.RolePrincipal", and therefore nobody noticed that this class no longer exists.

      The correct class name is org.apache.karaf.jaas.boot.principal.RolePrincipal now.

      Why can't the class be imported instead of entered as a string?

      The result:

      The DefaultAuthorizationEntry creates a GroupPrincipal, but the LDAPLoginModule assigns RolePrincipals to authenticated users.

      And then FlowRegistryImpl.dispatch fails in the authorization process, because no matching principals are found.

      Am I the only one using authorization in Fuse ESB?

      Please correct this failure.

      Best regards

      Radomir Kadlec

        • 1. Re: Error in authorization with JBoss Fuse
          ffang

          Hi Radomir,

          Right, the Karaf RolePrincipal classname was changed between Karaf 2.2.x and Karaf 2.3.x.

          We don't import the class because we shouldn't introduce a Karaf dependency into NMR.

          Besides simply changing the default Karaf RolePrincipal classname, we should introduce a configurable way to specify the RolePrincipal classname when exposing DefaultAuthorizationEntry as an OSGi service.

          I will create an internal jira ticket to track it.

          Freeman

          • 2. Re: Error in authorization with JBoss Fuse
            ffang

            Hi Radomir,

            FYI, the issue got fixed; JBoss FUSE 6.1 will have this fix.

            Freeman

            • 3. Re: Error in authorization with JBoss Fuse
              radomir.kadlec

              Thank you Freeman,

              are we using the authorization in a wrong way, so that this error occurs?

              Why don't other developers have this error?

              We define the authorization of the message on the NMR in this way:

              <osgi:service interface="org.apache.servicemix.nmr.api.security.AuthorizationEntry">
                  <bean class="org.apache.servicemix.nmr.core.security.DefaultAuthorizationEntry">
                      <property name="endpoint" value="IslAWebService.+" />
                      <property name="rank" value="0" />
                      <property name="roles" value="MyRole" />
                      <property name="type" value="Add" />
                  </bean>
              </osgi:service>

              Can we use another way to authorize the user from the WS-Security header with the called web service?

               

              Thanks,

              Radomir

              • 4. Re: Error in authorization with JBoss Fuse
                ffang

                Hi,

                 

                 I think few people use NMR endpoint authorization as you do.

                 Anyway, if it's a CXF endpoint, you can actually use CXF endpoint authorization directly by adding an authorization interceptor, with some configuration like

                 <blueprint
                     xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                     xmlns:jaxws="http://cxf.apache.org/blueprint/jaxws"
                     xsi:schemaLocation="http://www.osgi.org/xmlns/blueprint/v1.0.0 http://www.osgi.org/xmlns/blueprint/v1.0.0/blueprint.xsd
                                         http://cxf.apache.org/blueprint/jaxws http://cxf.apache.org/schemas/blueprint/jaxws.xsd">

                     <jaxws:endpoint id="helloWorld"
                         implementor="org.fusesource.examples.cxf.jaxws.security.HelloWorldImpl"
                         address="....">

                         <jaxws:inInterceptors>
                             <!-- parses the WS-Security UsernameToken; password validation is delegated to the JAAS interceptor below -->
                             <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
                                 <property name="properties">
                                     <map>
                                         <entry key="action" value="UsernameToken"/>
                                         <entry key="passwordType" value="PasswordText"/>
                                     </map>
                                 </property>
                             </bean>
                             <ref component-id="authenticationInterceptor"/>
                             <ref component-id="authorizationInterceptor"/>
                         </jaxws:inInterceptors>

                         <jaxws:properties>
                             <entry key="ws-security.validate.token" value="false"/>
                         </jaxws:properties>
                     </jaxws:endpoint>

                     <!-- authenticates the UsernameToken against the "karaf" JAAS realm; roles are the RolePrincipal instances in the Subject -->
                     <bean id="authenticationInterceptor" class="org.apache.cxf.interceptor.security.JAASLoginInterceptor">
                         <property name="contextName" value="karaf"/>
                         <property name="roleClassifier" value="RolePrincipal"/>
                         <property name="roleClassifierType" value="classname"/>
                     </bean>

                     <!-- authorization against a fixed operation name to role name mapping -->
                     <bean id="authorizationInterceptor" class="org.apache.cxf.interceptor.security.SimpleAuthorizingInterceptor">
                         <property name="methodRolesMap">
                             <map>
                                 <entry key="sayHi" value="admin"/>
                             </map>
                         </property>
                     </bean>

                 </blueprint>

                 HTH

                 Freeman
                • 5. Re: Error in authorization with JBoss Fuse
                  radomir.kadlec

                  Hi Freeman,

                  thank you, that looks good.

                  But I get a NullPointerException when I call the service configured with the SimpleAuthorizingInterceptor.

                  The exception comes from AbstractAuthorizingInInterceptor.getTargetMethod, because the service instance has no MethodDispatcher assigned in its map (I found this out while debugging).

                  What else must be configured to use the SimpleAuthorizingInterceptor?

                  My services are configured as cxfbc:consumer:

                  <cxfbc:consumer
                      service="isl-a:IslAWebService"
                      endpoint="IslAWebServiceSoap"
                      locationURI="${ws-isl-a.esb.url}"
                      wsdl="${ws-isl-a.esb.wsdl}"
                      targetService="isl-a:IslAWebService"
                      targetEndpoint="IslAWebServiceProviderSoap"
                      schemaValidationEnabled="false"
                      delegateToJaas="true"
                      properties="#properties"
                      providedBus="#cxf"
                      mtomEnabled="true"
                      />

                  <util:map id="properties">
                      <entry key="ws-security.validate.token" value="false"/>
                  </util:map>

                  <bean id="cxf" class="org.apache.cxf.bus.spring.SpringBus" />

                  Thank you for any tips!

                  Radomir

                  • 6. Re: Error in authorization with JBoss Fuse
                    ffang

                    Hi,

                    If you use a cxf bc JBI endpoint, you have to use NMR authorization; the org.apache.cxf.interceptor.security.SimpleAuthorizingInterceptor I showed you before only works for a "standalone" CXF endpoint.

                    Freeman

                    • 7. Re: Error in authorization with JBoss Fuse
                      radomir.kadlec

                      Hi Freeman,

                      that is not a good message for us, because the NMR authorization has 2 errors in the current distributions (jboss-fuse-6.0.0.redhat-024 and apache-servicemix-4.5.2, we tested both):

                      1. There is a problem with the principal class (RolePrincipal created for the user, GroupPrincipal created in the NMR configuration) as described before.

                      To solve this problem, we developed our own LDAP login module, which adds a GroupPrincipal for each RolePrincipal after authentication.

                      2. When the NMR authorization fails (the user is not authorized), the Servicemix HTTP communication is broken.

                      The cxfbc:consumer returns the SOAP fault message as needed, but the HTTP client (soapUI or another Servicemix) waits endlessly for the HTTP communication to finish and fails with a timeout exception.

                      Other SOAP faults (for example message validation or user authentication) are received correctly.

                      We have no solution for this second error and therefore we are trying to use authorization through a CXF interceptor.

                      In the older apache-servicemix-4.4.1-fuse-07-11 neither of these two errors is present.

                      I see now that the SimpleAuthorizingInterceptor is not meant for use in a JBI endpoint, where no reflection is used for assigning service operations to their implementation in a service method.

                      So we have no solution for this situation anymore.

                      Radomir
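The workaround Radomir describes under point 1 (a login module that adds a GroupPrincipal for every RolePrincipal after authentication) can be written as a small JAAS module that is stacked after the LDAP module instead of replacing it. The following is an added example written for this page; it is not code from the thread, from Karaf, or from ServiceMix. It assumes that org.apache.servicemix.nmr.api.security.GroupPrincipal has a public constructor taking the group name as a String, and that the LDAP module has already put its RolePrincipal instances into the Subject by the time this module's commit() runs (JAAS calls commit() on the modules of a realm in configuration order). The package and class name are hypothetical.

```java
package example.jaas; // hypothetical package, chosen for this example

import java.security.Principal;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

// Karaf 2.3.x role principal (the class name the thread says is now correct)
import org.apache.karaf.jaas.boot.principal.RolePrincipal;
// NMR principal class that DefaultAuthorizationEntry compares against
import org.apache.servicemix.nmr.api.security.GroupPrincipal;

/**
 * Bridging login module: after the LDAP module has committed its
 * RolePrincipal instances, mirror each of them as a GroupPrincipal so
 * that NMR's DefaultAuthorizationEntry finds a matching principal.
 *
 * This module authenticates nothing by itself; it only post-processes
 * the Subject, so it must be listed AFTER the LDAP module in the realm.
 */
public class RoleToGroupBridgeLoginModule implements LoginModule {

    private Subject subject;
    // Principals this module added, so abort()/logout() can remove only those
    private final List<Principal> added = new ArrayList<Principal>();

    public void initialize(Subject subject, CallbackHandler callbackHandler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
    }

    // Nothing to verify here; the LDAP module decides whether login succeeds.
    public boolean login() throws LoginException {
        return true;
    }

    public boolean commit() throws LoginException {
        if (subject == null) {
            return false;
        }
        // Iterate over a snapshot: we modify the principal set while looping.
        for (Principal p : new ArrayList<Principal>(subject.getPrincipals())) {
            if (p instanceof RolePrincipal) {
                // assumption: GroupPrincipal(String name) constructor exists
                GroupPrincipal group = new GroupPrincipal(p.getName());
                if (subject.getPrincipals().add(group)) {
                    added.add(group);
                }
            }
        }
        return true;
    }

    // If any other module in the realm fails, undo what we added.
    public boolean abort() throws LoginException {
        cleanup();
        return true;
    }

    public boolean logout() throws LoginException {
        cleanup();
        return true;
    }

    private void cleanup() {
        if (subject != null) {
            subject.getPrincipals().removeAll(added);
        }
        added.clear();
    }
}
```

To use it, the module is registered in the same JAAS realm as the LDAP module and placed after it in the module list (in Karaf's blueprint `jaas:config`, as a second `jaas:module` entry with `flags="required"`), so that the LDAP module's commit() has already populated the Subject. Because the bridge only copies names, a user still only obtains the groups that LDAP actually assigned; it changes the principal type that NMR sees, not the authorization decision.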