-
1. Re: use custom jaas login module
ffang Apr 12, 2011 11:47 PM (in response to amerlin)
Hi,
Take a look at ServerPasswordCallback.java in the cxf-ws-security-osgi example; currently it just hardcodes the password, like
if (pc.getIdentifer().equals("joe")) {
    pc.setPassword("password"); // here you can query the real password for joe from your real JAAS realm
}
However, you can easily adapt this example to read the real password from your custom JAAS login module.
By default ServiceMix (with Karaf underneath) uses PropertiesLoginModule, and the realm is saved in etc/users.properties, but you can also use your custom (JDBC, LDAP, etc.) LoginModule. For more details please take a look at
http://karaf.apache.org/manual/2.1.99-SNAPSHOT/developers-guide/security-framework.html
Freeman
-
2. Re: use custom jaas login module
amerlin Apr 13, 2011 3:12 AM (in response to ffang)
Hi Freeman,
Thanks for your answer, but I still can't understand some things.
AFAIK callbacks are used to get credentials and provide them to the login module. So in my case the callback handlers should extract the username and password from the WSS UsernameToken structure in the SOAP header. I guess this should already be implemented with an interceptor, is that correct?
You are saying that by default ServiceMix is using etc/user.properties as user storage.
But in my case there is no user "joe" with pass "password" in this file and the example is running fine - I get an answer from the web service... I changed the user/pass from joe/password to something else and it is still working fine. So my guess is that the example app is not using any JAAS login module (default or custom) and generally is not secured at all.
So my question is: how can I make it secure, using the default (the Karaf login module that uses user.properties) or any custom login module? Where and what should I add in my config/whatever files to specify that the example cxf-ws-security-osgi app is secured, and secured by some (default or custom) login module?
From the doc you posted, as I understand it, to make my custom login module I need to create some file with content (of course I will need to change the class name, etc.)
and put this file in the deploy directory. Is that correct?
But I can't find where and what I need to add to specify that some application ABC is using the JAAS module myrealm (as it is in the example code)...
Thank you
-
3. Re: use custom jaas login module
ffang Apr 13, 2011 5:22 AM (in response to amerlin)
Hi,
The Karaf login modules are only applicable for the console, JMX, and webconsole login.
The cxf-ws-security-osgi example here only demonstrates how to configure WS-Security in an OSGi container, and it has nothing to do with the Karaf login module.
However, what I mean is that you can get the real password and compare it with what you get from the callback handler (of course it's from the SOAP message security header), so that you can combine the WS-Security UsernameToken with the user/password defined in your realm.
You need to grasp an OSGi service like org.apache.karaf.jaas.config.JaasRealm, which already exists in the OSGi container; from this OSGi service you can get realName and javax.security.auth.login.AppConfigurationEntry, from which in turn you should be able to get the real password.
About how to grasp the OSGi service, we have discussed it a lot before.
You can do it
Option 1. through the OSGi API directly.
Option 2. in your spring-dm/blueprint endpoint configuration, inject the OSGi service reference into your bean and then you can use it from your code.
I personally prefer option 2.
Freeman
-
4. Re: use custom jaas login module
ffang May 4, 2011 5:48 AM (in response to ffang)
Hi,
A better solution is to leverage the CXF JAASLoginInterceptor directly,
so the major part in examples/cxf-ws-security-osgi/src/main/resources/META-INF/spring/beans.xml should be changed to
and you just need to add the name/password to $FUSE_ESB/etc/users.properties
joe=password
so that you can see authentication happen against the user storage (user.properties in this case).
This just reuses the default JAAS configuration in Karaf (PropertiesLoginModule) with the JAAS LoginContext name "karaf".
Of course you can use your custom JAAS login module, which is described in , you just need to specify for org.apache.cxf.interceptor.security.JAASLoginInterceptor accordingly.
Hope this helps.
http://karaf.apache.org/manual/2.1.99-SNAPSHOT/developers-guide/security-framework.html
Freeman