5 Replies Latest reply on Jun 27, 2011 12:39 PM by Michael Grom

    Web Service exposed via cxf.endPoint - how to secure using basic auth/ssl?

    Michael Grom Newbie

      Dear Forum!

       

      I've got my example of a "web service facade" up and running now. However, in real life, the inbound web service need to be secured using basic auth and ssl while the outbound requests need to authenticate with the "real" web services using basic auth / ssl as well.

      How do I set up the inbound cxf:endPoint to authenticate incoming requests against some sort of realm and/or use ssl?

       

      kind regards

      Michael

        • 1. Re: Web Service exposed via cxf.endPoint - how to secure using basic auth/ssl?
          Freeman(Yue) Fang Master

          Hi,

           

          Well, you actually asked several questions.

           

          For the inbound message, I assume you're using cxf http-osgi transport which use pax-web underlying.

          For SSL,

          you need configure pax-web(jetty underlying),  take a look at to get more details.

          And we already have a stub configuration file org.ops4j.pax.web.cfg in $FUSE_ESB/etc folder.

          For basic auth, you have two options

          1. You can configure jetty security handler with realm to enable basic auth(you may need check jetty docs to get more details), you can configure jetty through jetty.xml in $FUSE_ESB/etc folder directly if you use latest released FUSE ESB 4.4, or create a fragment bundle which contain your jetty configuration and attach it to the pax-web bundle as described from[2] if you're using FUSE ESB 4.3.x

          OR which I prefer to do

          2.  leverage cxf JAASLoginInterceptor directly and wire basic auth to karaf realm.

          Your cxf endpoint configuration should be like

           

           

           

          and you just need $FUSE_ESB/etc/users.properties to add name/password

          user=password

          This  reuse default jaas configuration in karaf(PropertiesLoginModule) with JAAS LoginContext name "karaf".

           

          For the outbound request message, for SSL and basic auth you need configure http:conduit to do so, just check[3] to get ideas how to configure it.

          Hope this helps.

           

          http://wiki.ops4j.org/display/paxweb/SSL+Configuration

          http://wiki.ops4j.org/display/paxweb/AdvancedJettyConfiguration

          http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html

           

          Freeman

          • 2. Re: Web Service exposed via cxf.endPoint - how to secure using basic auth/ssl?
            Michael Grom Newbie

            Dear Freeman,

             

            thank you so much for your detailed answer. I'm using the cxf namespace and the cxf:cxfEndpoint notation - does that mean I have to switch to jaxws namespace? I'm not using a service endpoint implementation but a camel route which further processes the incoming request.

             

                <cxf:cxfEndpoint id="crMaster"

                                 address="http://localhost:9080/facade/CRMasterService"

                                 endpointName="s:CRMasterServicePort"

                                 serviceName="s:CRMasterService"

                                 wsdlURL="etc/sample.wsdl"

                                 xmlns:s="http://crmaster.facade.ws.example.com/" >

            Is it safe to switch to jaxws instead of cxf namespace? I'd try to lookup the namespace relevant definition for the camel-context.xml file from the fuse docs then.

             

            -


            edit -


             

            I've tried to adapt your example to cxf namespace using cxf:inInterceptors and cxf:properties, to no avail. No login required for the web service. In the servicemix.log, there is a message

             

            ing the interceptor org.apache.cxf.interceptor.OneWayProcessorInterceptor@121b6e7

            10:02:24,554 | INFO  | xtenderThread-10 | MessageDataFormatFeature         | 126 - org.apache.camel.camel-cxf - 2.7.1.fuse-00-27 | remov

            ing the interceptor org.apache.cxf.interceptor.security.JAASLoginInterceptor@6f2775

             

            I reckon that "removing the interceptor" is the cause, but why is servicemix removing that interceptor?

             

             

             

            kind regards

            Michael

             

            Edited by: uio100 on Jun 27, 2011 10:06 AM

            • 3. Re: Web Service exposed via cxf.endPoint - how to secure using basic auth/ssl?
              Willem Jiang Master

              Hi,

               

              JAASLoginInterceptor's phase is Phase.UNMARSHAL, which means it will be removed the when you are using the MESSAGE data format which means it will not touch the underlay stream.

               

              If you are using the POJO data format, the interceptor will not be removed

               

              Willem

              • 4. Re: Web Service exposed via cxf.endPoint - how to secure using basic auth/ssl?
                Michael Grom Newbie

                Hello Willem,

                 

                does that mean I have to use POJO mode? I was setting the endpoint to MESSAGE mode, and I am afraid that this cannot be changed easily. The incoming SOAPEnvelope & Body is further consumed by a camel route and not necessarily by Java code.

                What I try to achieve is that the "facade" as defined in the cxf:cxfEndpoint address poses as a virtual service, forwarding the request via camel to 1 to n real services (with or without transformation of the body and probably modifying the header) and getting the responses back and return a composite response to the caller.

                 

                kind regards

                Michael

                • 5. Re: Web Service exposed via cxf.endPoint - how to secure using basic auth/ssl?
                  Michael Grom Newbie

                  Hello!

                  I've changed my code to process data format PAYLOAD and now the interceptor works.

                  However, it seems I have to post something into Camel/Mediation Router as my split / aggregate does not seem to send back the desired response to the original caller.

                   

                  Thank you so much!

                   

                  Kind regards

                  Michael