Sunday, September 19, 2010

How to use HTTP Basic Auth with servicemix-cxf-bc

For the servicemix-cxf-bc[1] component in Apache ServiceMix[2] or the FuseSource[3] ESB, there are several ways to apply security to both consumer and provider endpoints. For message-level security, we can secure the SOAP message itself with WS-Security; for transport-level security, we can use HTTPS, which provides a secured HTTP connection.
Actually, we have test cases demonstrating how each scenario works:
cxf bc consumer with ws-security testcase[4]
cxf bc provider with ws-security testcase[5]
cxf bc consumer with https testcase[6]
cxf bc provider with https testcase[7]

However, instead of using WS-Security or HTTPS, one straightforward way is to use HTTP Basic Authentication. For a cxfbc provider endpoint, which plays the role of a client, to enable HTTP Basic Auth the customer needs to specify a busCfg which configures the http:conduit, something like:

<http:conduit name="{your_name_space}your_endpoint_name.http-conduit">

For a cxfbc consumer, which plays the role of a server, enabling server-side HTTP Basic Auth requires an interceptor. The basic idea is to extract the AuthorizationPolicy from the incoming message and compare the username/password. It is not complicated; here is a good article[8] that shows how to do it.
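A minimal sketch of such an interceptor, added here as an illustration (it is not code from this post or from the linked article). The class name, the setter names and the single fixed credential pair injected from configuration are assumptions; the CXF types used are `AbstractPhaseInterceptor`, `AuthorizationPolicy` and `Fault`.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

import org.apache.cxf.configuration.security.AuthorizationPolicy;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;

// Hypothetical class for illustration; a real deployment would look the
// user up in a credential store instead of holding one fixed pair.
public class BasicAuthInterceptor extends AbstractPhaseInterceptor<Message> {

    private String expectedUser;      // assumed to be injected from configuration
    private String expectedPassword;  // assumed to be injected from configuration

    public BasicAuthInterceptor() {
        // The HTTP transport has already decoded the Authorization header
        // into an AuthorizationPolicy before the inbound chain starts.
        super(Phase.RECEIVE);
    }

    public void setExpectedUser(String user) { this.expectedUser = user; }
    public void setExpectedPassword(String password) { this.expectedPassword = password; }

    @Override
    public void handleMessage(Message message) throws Fault {
        AuthorizationPolicy policy = message.get(AuthorizationPolicy.class);
        // A request without an Authorization header carries no usable
        // policy: reject it instead of dereferencing null fields.
        if (policy == null || policy.getUserName() == null || policy.getPassword() == null) {
            throw new Fault(new SecurityException("HTTP Basic credentials required"));
        }
        // Non-short-circuit '&' so both fields are always compared.
        boolean ok = sameBytes(expectedUser, policy.getUserName())
                & sameBytes(expectedPassword, policy.getPassword());
        if (!ok) {
            // Same message for a wrong user and a wrong password.
            throw new Fault(new SecurityException("Invalid credentials"));
        }
    }

    // Compare without stopping at the first differing byte.
    private static boolean sameBytes(String expected, String actual) {
        if (expected == null) {
            return false; // unconfigured interceptor must fail closed
        }
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                actual.getBytes(StandardCharsets.UTF_8));
    }
}
```

Throwing a `Fault` rejects the request with a fault response; sending a 401 challenge back to the client needs additional response handling that this sketch leaves out. Basic credentials arrive base64-encoded rather than encrypted, so the check authenticates the caller but does not protect the password on the wire.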

Another way (as Dan Kulp pointed out) to configure server-side basic auth is to configure the Jetty instance to handle the authentication, as Jetty has a "SecurityHandler" that can be configured into the handlers via CXF config. The SecurityHandler takes an Authenticator (they have a BasicAuthenticator) and a UserRealm object (they have one for basic HashMap lookups as well as a JDBC version).

