Step1: Add WSS4JInInterceptor & JAASLoginInterceptor to cxf:endpoint
<cxf:cxfEndpoint id="ridpEndpoint" address="XXXX" serviceClass="xxxx" wsdlURL="xxx">
  <cxf:inInterceptors>
    <bean id="wss4jInInterceptor" class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
      <property name="properties">
        <map>
          <entry key="passwordType" value="PasswordText" />
          <entry key="action" value="UsernameToken" />
        </map>
      </property>
    </bean>
    <ref component-id="authenticationInterceptor"/>
  </cxf:inInterceptors>
  <cxf:properties>
    <entry key="ws-security.validate.token" value="false"/>
  </cxf:properties>
</cxf:cxfEndpoint>

<bean id="authenticationInterceptor" class="org.apache.cxf.interceptor.security.JAASLoginInterceptor">
  <property name="contextName" value="karaf"/>
</bean>
Within cxf:inInterceptors, two interceptors are added.
WSS4JInInterceptor - the Java class implementing the interceptor is referenced here.
The passwordType (PasswordText) and the action (UsernameToken) are defined here.
The security action entry in the properties, UsernameToken, is mandatory.
ws-security.validate.token - set to false.
We have to tell WSS4J not to authenticate the UsernameToken itself, but only to process it and store it for later authentication by the JAASLoginInterceptor. This is done by setting the JAX-WS property "ws-security.validate.token" to "false".
JAASLoginInterceptor - the "contextName" attribute of the JAASLoginInterceptor must be set; it references the JAAS context name to use (here "karaf"). It is also possible to define how roles are retrieved as part of the authentication process; by default CXF assumes that java.security.acl.Group objects are interpreted as "role" Principals.
Step2: Using JAAS LoginModules in Apache CXF
Validating a username + password against LDAP / Active Directory:
2.1 com.sun.security.auth.module.LdapLoginModule - copy the XML (blueprint) below into a new file and place that file in the deploy folder of the JBoss Fuse installation.
<?xml version="1.0" encoding="UTF-8"?>
<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
           xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0"
           xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0">
  <jaas:config name="karaf" rank="1">
    <jaas:module className="org.apache.karaf.jaas.modules.ldap.LDAPLoginModule" flags="required">
      initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
      connection.username=uid=admin,ou=system
      connection.password=secret
      connection.protocol=
      connection.url=ldap://localhost:10389
      user.base.dn=ou=users,ou=system
      user.filter=(uid=%u)
      user.search.subtree=true
      role.base.dn=ou=roles,ou=system
      role.name.attribute=cn
      role.filter=(member=uid=%u)
      role.search.subtree=true
      authentication=simple
    </jaas:module>
  </jaas:config>
</blueprint>
or
2.2 org.eclipse.jetty.plus.jaas.spi.LdapLoginModule - available via the org.eclipse.jetty/jetty-plus dependency. This login module is useful because it makes it easy to retrieve the roles associated with the authenticated user. Both modules configured in JAAS login configuration file syntax:
sun {
    com.sun.security.auth.module.LdapLoginModule REQUIRED
        userProvider="ldap://localhost:portno/"
        authIdentity="cn={USERNAME},ou=users,dc=example,dc=com"
        useSSL=false
        debug=true;
};

jetty {
    org.eclipse.jetty.plus.jaas.spi.LdapLoginModule required
        debug="true"
        contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
        hostname="localhost"
        port="portno"
        bindDn="uid=admin,dc=example,dc=com"
        bindPassword="ldap_su"
        authenticationMethod="simple"
        forceBindingLogin="false"
        userBaseDn="ou=users,dc=example,dc=com"
        userRdnAttribute="cn"
        userIdAttribute="cn"
        userPasswordAttribute="userPassword"
        userObjectClass="inetOrgPerson"
        authenticated="true";
};
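To verify one of these JAAS contexts before putting it behind the endpoint, the following added example (not code from the page, CXF or Fuse) performs the same JAAS login that JAASLoginInterceptor performs with the credentials WSS4JInInterceptor extracted, and lists the resulting Principals so you can see which class carries the roles. It assumes Java 8+, a login configuration file containing the "sun" or "jetty" context above (jetty-plus on the classpath for the latter), and the constructed sample credentials alice/changeit.

```java
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
/** Hypothetical stand-alone check of a JAAS login context, run outside CXF and Karaf. */
public class JaasRealmCheck {
    /**
     * The same JAAS login JAASLoginInterceptor performs with the UsernameToken credentials.
     * Returns "principalClass name" per Principal in the Subject, showing which class carries roles.
     */
    public static List<String> login(String contextName, String user, char[] password)
            throws LoginException {
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb, "unsupported callback");
                }
            }
        };
        LoginContext lc = new LoginContext(contextName, handler);
        lc.login(); // throws LoginException if the login module rejects the credentials
        List<String> principals = new ArrayList<>();
        for (Principal p : lc.getSubject().getPrincipals()) {
            principals.add(p.getClass().getName() + " " + p.getName());
        }
        lc.logout();
        return principals;
    }
    // Run with -Djava.security.auth.login.config=<file holding the "sun"/"jetty" contexts>
    // and args <contextName> <user> <password>; the defaults are constructed sample values.
    public static void main(String[] args) throws Exception {
        String ctx = args.length > 0 ? args[0] : "sun";
        String user = args.length > 1 ? args[1] : "alice";
        char[] pw = (args.length > 2 ? args[2] : "changeit").toCharArray();
        for (String entry : login(ctx, user, pw)) {
            System.out.println(entry);
        }
    }
}
```

If the listed Principals contain no java.security.acl.Group, CXF's default role mapping will find no roles and the JAASLoginInterceptor's role classifier has to be pointed at the principal class the module actually uses.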