4 Replies Latest reply on May 4, 2011 5:48 AM by Freeman(Yue) Fang

    use custom jaas login module

    a b Newbie

      Hello,

      Let's say I want to secure cxf-ws-security-osgi from examples dir with wss username token and check credentials with my custom jaas login module(or some existing ldap login module).

      Btw is cxf-ws-security-osgi example checks user/pass against some user storage ?

      Can someone point me in the needed direction ?

      Can't find anyting useful in the doc..

       

      Thanks

        • 1. Re: use custom jaas login module
          Freeman(Yue) Fang Master

          Hi,

           

          Take a look at ServerPasswordCallback.java in cxf-ws-security-osgi example, currently it just hardcode the password like

                if (pc.getIdentifer().equals("joe")) {

                      pc.setPassword("password");//here you can query real password for joe from your real jaas realm

                }

          However, you can easily adapt this example to read real password from your customer jaas login module.

           

          By default servicemix(karaf underlying) use PropertiesLoginModule, the realm is saved in etc/users.properties, but you can use your customer(JDBC, LDAP etc) LoginModule also, more details please take a look at

          http://karaf.apache.org/manual/2.1.99-SNAPSHOT/developers-guide/security-framework.html

           

          Freeman

          • 2. Re: use custom jaas login module
            a b Newbie

            Hi Freeman,

            Thanks for your answer but I still can't understand some things..

            AFAIK Callbacks are used to get credentials and provide them to login module.. So in my case callback handlers should extract username and pass from wss username token structure in the soap header. I guess it is already should be implemented with interceptor, is it correct ?

            You are saying that by default service mix is using etc/user.properties as user storage.

            But in my case in this file there is no user "joe" with pass "password" and the example is running fine - I get answer from web service...I changed user/pass from joe/password to something else and it still is working fine. So my guess example app is not using any jaas login module(default or custom) and generally is not secured at all.

            So my question how I can make it secure ? using default(karaf login module that using user.properties) or any custom login module. Where and what I should add in my config/whatever files to specify that example cxf-ws-security-osgi app is secured and secured by some(default or custom) login module ?

             

            From doc you posted, as I understand to make my custom login module I need to create some file with content(of course I will need to change class name,etc..)

             

            and put this file to deploy directory. Is it correct ?

            But I can't find where and what I need to add to specify that some application ABC using jaas module myrealm(as it in exmple code)...

             

            Thank you

            • 3. Re: use custom jaas login module
              Freeman(Yue) Fang Master

              Hi,

               

              The Karaf login module are only applicable for the console, jmx, webconsole login.

              The cxf-ws-security-osgi example here only demonstrate how to configure ws-security in OSGi container and it has nothing to do with the karaf login module.

               

              However, what I mean is you can get real password and compared it with what you get from the callbackhandler(of course it's from the soap message security header) and so that you can combine the ws-security usernametoken with the user/password defined in your realm.

               

              You need grasp the OSGi service like org.apache.karaf.jaas.config.JaasRealm which already exist in OSGi container, from this OSGi service you can get realName and javax.security.auth.login.AppConfigurationEntry which in turn you should be able to get the real password.

               

              About how to grasp the OSGi service, we have discussed it a lot before.

               

              You can do

              option 1. through OSGi API directly.

              option 2. in your spring-dm/blueprint endpoint configuration inject the OSGi service reference to your bean and then you can use it from your code.

               

              I personally prefer to option2.

               

              Freeman

              • 4. Re: use custom jaas login module
                Freeman(Yue) Fang Master

                Hi,

                 

                A better solution is leverage cxf JAASLoginInterceptor directly,

                so the major part in examples/cxf-ws-security-osgi/src/main/resources/META-INF/spring/beans.xml should be changed to

                 

                 

                and you just need $FUSE_ESB/etc/users.properties to add name/password

                joe=password

                 

                so that you can see authentication happen against user storage(user.properties in this case).

                This just reuse default jaas configuration in karaf(PropertiesLoginModule) with JAAS LoginContext name "karaf".

                 

                Of course you can use your customer jaas login module, which described in ,  you just need specify   for org.apache.cxf.interceptor.security.JAASLoginInterceptor accordingly.

                 

                Hope this helps.

                 

                http://karaf.apache.org/manual/2.1.99-SNAPSHOT/developers-guide/security-framework.html

                 

                Freeman