Sunday, September 19, 2010

How to use HTTP Basic Auth with servicemix-cxf-bc

For the servicemix-cxf-bc[1] component in Apache ServiceMix[2] or FuseSource[3] ESB, there are several ways to use security features for both consumer and provider endpoints. For message-level security, we can secure the SOAP message itself with WS-Security; for transport-level security, we can use HTTPS, which provides a secured HTTP connection.
We have test cases demonstrating how each scenario works:
cxf bc consumer with ws-security testcase[4]
cxf bc provider with ws-security testcase[5]
cxf bc consumer with https testcase[6]
cxf bc provider with https testcase[7]

However, instead of using WS-Security or HTTPS, one straightforward way is to use HTTP Basic Authentication. For a cxfbc provider endpoint, which plays the role of a client, to enable HTTP Basic Auth the customer needs to specify a busCfg that configures an http:conduit, something like:

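<!-- prefixes: http = http://cxf.apache.org/transports/http/configuration,
     sec = http://cxf.apache.org/configuration/security -->
<http:conduit name="{your_name_space}your_endpoint_name.http-conduit">
  <http:authorization>
    <sec:UserName>Betty</sec:UserName>
    <sec:Password>password</sec:Password>
  </http:authorization>
</http:conduit>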


For a cxfbc consumer, which plays the role of a server, we need an interceptor to enable server-side HTTP Basic Auth. The basic idea is to extract the AuthorizationPolicy from the incoming message and compare the username/password. It's not so complicated; here is a good article[8] that shows how to do it.
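
One way to write the interceptor described above, as an added example (not code from servicemix-cxf-bc or the linked article). The class name BasicAuthCheckInterceptor and its expectedUser/expectedPassword properties are hypothetical, and it assumes CXF's HTTP transport has placed an AuthorizationPolicy on the incoming message.

```java
// Added example: server-side Basic Auth check as a CXF in-interceptor.
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

import org.apache.cxf.configuration.security.AuthorizationPolicy;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;

public class BasicAuthCheckInterceptor extends AbstractPhaseInterceptor<Message> {

    // Hypothetical properties: inject from configuration rather than hard-coding.
    private String expectedUser;
    private String expectedPassword;

    public BasicAuthCheckInterceptor() {
        super(Phase.RECEIVE); // run early, before the SOAP payload is processed
    }

    public void setExpectedUser(String user) { this.expectedUser = user; }
    public void setExpectedPassword(String password) { this.expectedPassword = password; }

    @Override
    public void handleMessage(Message message) throws Fault {
        // The policy carries the user name and password from the Authorization header.
        AuthorizationPolicy policy = message.get(AuthorizationPolicy.class);
        if (policy == null || !matches(policy.getUserName(), policy.getPassword())) {
            // One generic error for both missing and wrong credentials.
            throw new Fault(new SecurityException("Authentication required"));
        }
    }

    boolean matches(String user, String password) {
        if (user == null || password == null
                || expectedUser == null || expectedPassword == null) {
            return false; // fail closed when anything is unset
        }
        // Non-short-circuit '&' so both fields are always compared.
        return sameBytes(user, expectedUser) & sameBytes(password, expectedPassword);
    }

    private static boolean sameBytes(String a, String b) {
        // MessageDigest.isEqual does not stop at the first differing byte.
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }
}
```

Basic Auth only base64-encodes the credentials on the wire, so this check is normally paired with the HTTPS setup from [6]. Throwing a Fault rejects the request with a SOAP fault; returning an HTTP 401 challenge needs extra response handling not shown here.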

Another way (as Dan Kulp pointed out) to configure server-side Basic Auth is to configure the Jetty instance to handle the authentication, as Jetty has a "SecurityHandler" that can be configured into the handlers via CXF config. The SecurityHandler takes an Authenticator (they have a BasicAuthenticator) and a UserRealm object (they have one for basic HashMap lookups as well as a JDBC version).


[1]http://servicemix.apache.org/servicemix-cxf-bc.html
[2]http://servicemix.apache.org/home.html
[3]http://fusesource.com/
[4]https://svn.apache.org/repos/asf/servicemix/components/bindings/servicemix-cxf-bc/trunk/src/test/java/org/apache/servicemix/cxfbc/ws/security/CxfBCSecurityTest.java
[5]https://svn.apache.org/repos/asf/servicemix/components/bindings/servicemix-cxf-bc/trunk/src/test/java/org/apache/servicemix/cxfbc/ws/security/CxfBcProviderSecurityTest.java
[6]https://svn.apache.org/repos/asf/servicemix/components/bindings/servicemix-cxf-bc/trunk/src/test/java/org/apache/servicemix/cxfbc/ws/security/CxfBcHttpsConsumerTest.java
[7]https://svn.apache.org/repos/asf/servicemix/components/bindings/servicemix-cxf-bc/trunk/src/test/java/org/apache/servicemix/cxfbc/ws/security/CxfBcProviderHttpsTest.java
[8]http://chrisdail.com/2008/03/31/apache-cxf-with-http-basic-authentication/
