2 Replies Latest reply on Aug 28, 2011 10:47 PM by Vanessa Towers

    Secure RESTful web servicse in Fuse ESB

    Vanessa Towers Newbie

      Background: I have been following the Fuse ESB Security documentation. So far I have enabled LDAP Authentication in the OSGi container (following Fuse ESB tutorial). I have also completed the Fuse ESB tutorial on enabling LDAP authentication for deployed brokers (which also uses the OSGi container JAAS realm). All good.


      I am now trying to figure out if I can use the same OSGi container JAAS realm which is configured to authenticate against LDAP, to secure RESTful web services deployed as OSGi bundles in Fuse ESB. The "Secure Apache CXF Web Services with SSL TLS and WS-Security" webinar touches on how to achieve this for SOAP based web services using interceptors/callback handler approach but does not seem to cover CXF RESTful web services (I believe because there is no ws-security in this case?).


      What is best practise for securing CXF RESTful web services by plugging them into the OSGi container JAAS realm? Or if that is not the done thing should I be securing them at the web service level - using Spring Security or something like that?


      Guidance greatly appreciated from the Fuse team (or community) on how to proceed. Thanks in advance.

        • 1. Re: Secure RESTful web servicse in Fuse ESB
          Freeman(Yue) Fang Master



          I think your restful service can use http basic auth to carry user/password and then you can leverage CXF JAASLoginInterceptor to authenticate against OSGi container JAAS realm(stored by LDAP in your case).


          You can configure the CXF JAASLoginInterceptor like


          and then add this interceptor as inInterceptors for your restful cxf service, and this interceptor can wire cxf into OSGi container loginContext.


          You may need take a look at my last post of the discussion here[1], that's about the jaxws endpoint configuration but the JAASLoginInterceptor configuration part should be no big difference. Also that example use ws-security UserNameToken but JAASLoginInterceptor is designed to work with both http basic auth and the ws-security UserNameToken(actually it check basic auth header first) so if your restful request has basic auth header then it should be ok for you.


          Hope this helps.




          • 2. Re: Secure RESTful web servicse in Fuse ESB
            Vanessa Towers Newbie

            Thanks Freeman I will give it a shot and report back