Hi everybody.
I have a project using Spring and CXF (it is sort of legacy code and I need some RPC-style web services) using X509Certificates.
It is all set up, and CXF's WSS4JInInterceptor takes care of encryption and validating the signature. Now I'm trying to wire it with Spring Security for authorization.

What I'm really trying to do is to check if the principal in the X509 certificate has the proper granted role to access the particular URL it is trying to access.

I have the basic security setup as indicated in chapter 2 of the reference guide:

Code:
<http auto-config="true">
    <intercept-url pattern="/warehouse*/**" access="ROLE_RETAILER"/>
</http>

<authentication-manager alias="authenticationManager"/>

<authentication-provider>
    <user-service>
        <user authorities="ROLE_WEBCLIENT" name="webclient" password="webclientpass"/>
        <user authorities="ROLE_RETAILER" name="retailer" password="retailerpass"/>
        <user authorities="ROLE_WAREHOUSE" name="warehouse" password="warehousepass"/>
        <user authorities="ROLE_MANUFACTURER" name="manufacturer" password="manufacturerpass"/>
    </user-service>
</authentication-provider>
This is placed in a security configuration file wired in the web.xml, with the security namespace as the default namespace. It is correctly loaded by Spring, no problems there.

I followed the suggestions on the CXF mailing list and placed a second interceptor (I named it "SecurityConnector") after the WSS4JInInterceptor; there I already have the X509 certificate from the first interceptor to create an Authentication with, and the SecurityContextHolder to set the authentication into. I also wired Spring Security's authenticationManager into my SecurityConnector, just in case.

In the "handleMessage" method of this interceptor I've got:

Code:
// Results populated by WSS4JInInterceptor once it has verified the signature
@SuppressWarnings("unchecked")
List<Object> results = (List<Object>) message.get(WSHandlerConstants.RECV_RESULTS);
...
for (Iterator iter = results.iterator(); iter.hasNext();) {
    WSHandlerResult hr = (WSHandlerResult) iter.next();
    ...
    for (Iterator it = hr.getResults().iterator(); it.hasNext();) {
        WSSecurityEngineResult er = (WSSecurityEngineResult) it.next();
        // Only act on results that carry the signing certificate
        if (er != null && er.getCertificate() instanceof X509Certificate) {
            //X509Certificate cert = er.getCertificate();
            //Authentication authentication = new X509AuthenticationToken(cert);
            Authentication authentication =
                new PreAuthenticatedAuthenticationToken(er.getPrincipal(), er.getCertificate());
            //authentication.setAuthenticated(true);
            authentication = authenticationManager.authenticate(authentication);
            SecurityContextHolder.getContext().setAuthentication(authentication);
        }
    }
}
So, here is where I got stuck.
I've seen this WSS4J wiring with Spring Security where they use a UsernameToken and set it as the authentication in the security context. I was trying to do the same with the X509 certificates.
The problem is that:
A) From the certificate I can get the principal, but not the password, so I cannot create a UsernameToken.
B) I cannot re-authenticate this X509Certificate against my in-memory user list, as I only get a ProviderNotFoundException (neither the X509AuthenticationToken nor the PreAuthenticatedAuthenticationToken is supported by the authentication-provider user-service list).
C) Just setting one of those AuthenticationTokens into the security context is not working. It doesn't throw any exceptions, but it doesn't prevent the unauthorized principal from accessing the URLs. Again, if I simply do this, the AuthenticationToken hasn't got the appropriate roles assigned to it, just the principal.
D) I'm not even certain that this is supposed to work with the intercept-url access control, or only with method-based access control.

So, my questions would be: what is the correct way to plug these two security mechanisms together? How do I get from having the authenticated certificate (which I already have) to mapping it to a user and role in the list, and checking access rights based on that?

Thank you very much in advance!
I really look forward to your answers.
Regards,
JP
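Added example, not code from the post and not CXF's or Spring Security's own sample code: one way to make the `authenticationManager.authenticate(...)` call in the interceptor above succeed by registering a `PreAuthenticatedAuthenticationProvider` that looks the certificate's principal up in the same in-memory user list and returns an `Authentication` carrying that user's `ROLE_*` authorities. The `user-service` element creates a `DaoAuthenticationProvider`, which only supports `UsernamePasswordAuthenticationToken`, hence the `ProviderNotFoundException` in point B. Spring Security 3.1 class names and packages are assumed (the post does not state a version), as is the convention that the user name is the CN of the certificate subject; the class `CertificateToRoleMapping` and its method names are hypothetical.

```java
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Properties;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.security.web.authentication.preauth.x509.SubjectDnX509PrincipalExtractor;

/** Hypothetical helper: maps a certificate that WSS4J has already verified to a user and roles. */
public final class CertificateToRoleMapping {

    /** The same four users as the post's user-service (constructed here; passwords are never checked
     *  on this path, only the user name and its authorities matter). Property format is
     *  "password,ROLE_...,enabled", the format InMemoryUserDetailsManager(Properties) expects. */
    static InMemoryUserDetailsManager users() {
        Properties p = new Properties();
        p.setProperty("webclient", "webclientpass,ROLE_WEBCLIENT,enabled");
        p.setProperty("retailer", "retailerpass,ROLE_RETAILER,enabled");
        p.setProperty("warehouse", "warehousepass,ROLE_WAREHOUSE,enabled");
        p.setProperty("manufacturer", "manufacturerpass,ROLE_MANUFACTURER,enabled");
        return new InMemoryUserDetailsManager(p);
    }

    /** An AuthenticationManager that accepts PreAuthenticatedAuthenticationToken: the wrapper
     *  calls loadUserByUsername(token.getName()) and the provider copies the user's authorities
     *  into the returned, fully populated Authentication. Unknown names raise UsernameNotFoundException. */
    static AuthenticationManager preAuthenticatedManager(UserDetailsService userDetailsService) throws Exception {
        UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken> byName =
                new UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken>();
        byName.setUserDetailsService(userDetailsService);
        byName.afterPropertiesSet();

        PreAuthenticatedAuthenticationProvider provider = new PreAuthenticatedAuthenticationProvider();
        provider.setPreAuthenticatedUserDetailsService(byName);
        provider.afterPropertiesSet();

        return new ProviderManager(Collections.<AuthenticationProvider>singletonList(provider));
    }

    /** What the SecurityConnector interceptor would call with the certificate taken from
     *  WSSecurityEngineResult. Only call this for certificates WSS4JInInterceptor has verified:
     *  this step trusts the subject DN solely because the signature and chain were already checked. */
    static Authentication authenticateCertificate(AuthenticationManager manager, X509Certificate cert) {
        // Assumption: the user name is the CN of the subject DN (this regex is also the extractor's default).
        SubjectDnX509PrincipalExtractor extractor = new SubjectDnX509PrincipalExtractor();
        extractor.setSubjectDnRegex("CN=(.*?)(?:,|$)");
        String userName = (String) extractor.extractPrincipal(cert);

        // Principal = user name (so getName() matches the user-service entry), credentials = the certificate.
        Authentication request = new PreAuthenticatedAuthenticationToken(userName, cert);
        Authentication authenticated = manager.authenticate(request); // throws AuthenticationException on failure
        SecurityContextHolder.getContext().setAuthentication(authenticated);
        return authenticated;
    }
}
```

In the interceptor, `authenticateCertificate(authenticationManager, (X509Certificate) er.getCertificate())` replaces the token construction and `authenticate` call; the `Authentication` placed in the context then carries `ROLE_RETAILER` (or whichever role the matched user has) rather than just the principal, which is what point C was missing. On point D: `intercept-url` is enforced by Spring Security's servlet filter chain, which runs before the CXF servlet and therefore before any CXF interceptor has populated the `SecurityContextHolder`, so an `Authentication` set inside an interceptor can only be consulted by checks that run afterwards, such as method-based access control on the service bean.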