Apache Camel + CXF endpoint authentication - java

I need to secure a simple REST service in Camel, like this:
<cxf:rsServer id="usrServer" address="${host}"
    serviceClass="..."
    loggingFeatureEnabled="true" loggingSizeLimit="20"/>
but I have no idea how to enable authentication on this endpoint, for example Digest authentication.

You have essentially two ways of achieving this:
Configure your Apache Camel runtime container to handle the authentication, i.e. if you are deploying to Tomcat then configure Tomcat to handle the Digest authentication. ServiceMix and Karaf use the OSGi Pax Web server, which will need to be configured.
To secure your CXF REST service, please review the CXF documentation around REST service security.

There are some ways to secure a REST service, and in my opinion it doesn't depend on Camel.
For example, you want to allow access to the service even if the client is not logged in. So you have to check their information in the body of your service.
That's one way.
Another way is to use authentication (by login/password, token, etc.). That forces you to make one request to obtain your credentials, and one request to the service you want.
So, if you want to use Digest authentication, why not. But you have to configure it in your web server, not in the REST service configuration.
Here is a link for Apache: http://httpd.apache.org/docs/2.2/fr/mod/mod_auth_digest.html
and a link for Tomcat: http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html
I'm not very used to security, so I don't know if it helps.
Cheers
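Both answers above say the same thing: put Digest authentication in the servlet container, not in the Camel route. As an added example (not from either answer), this is what that looks like on Tomcat, which is the container both answers mention. The URL pattern assumes the CXFServlet that serves the rsServer address is mapped under /rest/*; the role name, realm name and sample user are assumptions as well.

```xml
<!-- Fragment for WEB-INF/web.xml of the WAR that hosts the Camel/CXF endpoint.
     Assumes the CXFServlet (which serves the rsServer address) is mapped under /rest/*;
     the role name and realm name are assumptions too. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>REST endpoints</web-resource-name>
    <url-pattern>/rest/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>api-user</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- Digest only protects the password, not the request body: require TLS as well -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>DIGEST</auth-method>
  <!-- the realm name is part of the hash the client computes, so it must stay stable -->
  <realm-name>rest-realm</realm-name>
</login-config>
<security-role>
  <role-name>api-user</role-name>
</security-role>

<!-- conf/tomcat-users.xml: a constructed sample user for Tomcat's default UserDatabaseRealm -->
<tomcat-users>
  <role rolename="api-user"/>
  <user username="alice" password="s3cret" roles="api-user"/>
</tomcat-users>
```

Two checks worth doing after deploying this: an unauthenticated GET on /rest/... must come back 401 with a WWW-Authenticate: Digest header, and a request whose Authorization header carries a nonce older than Tomcat's nonce validity must be rejected. Keep in mind that with DIGEST the realm can only verify the client if it stores either the cleartext password (Tomcat then computes MD5(username:realm:password) itself) or exactly that MD5 digest, so any pre-digested passwords have to be created with the same realm-name as in web.xml; the realm-howto link in the answer above covers the details.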

Related

Spring Security OAuth 2.0 - Creating a custom resource server

I'm configuring Spring Security OAuth 2.0 to secure a number of Jersey exposed REST services. I'll be using an external identity server as the authorization server. It'll be responsible for issuing and storing access tokens to its own token store. So, token validation process should be done against this server through a validation web service.
How should I configure Spring Security to work only as a resource server?
All the examples I found use Spring Security to create both the authorization server and the resource server (which have access to the token store). This is not possible in my case.
Thanks.
I figured out how to do it. A sample configuration is posted here, I hope it will be useful for someone in the future.
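The answer's sample configuration is not reproduced on this page. As an added example (not the poster's configuration), here is a resource-server-only Spring Security OAuth 2.0 setup in Java config that validates every bearer token against a remote server instead of a local token store. The endpoint URL, resource id and client credentials are assumed values; it assumes the spring-security-oauth2 library is on the classpath.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.RemoteTokenServices;
import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;

/**
 * Resource server only: no authorization server and no local token store in this application.
 * Every bearer token presented to the REST services is validated by calling the external
 * identity server. Added example; URL, ids and secret below are assumptions.
 */
@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    // Assumed values: the external server's token validation endpoint and the credentials
    // this resource server presents to it. RemoteTokenServices expects the response format of
    // Spring's /oauth/check_token endpoint.
    private static final String CHECK_TOKEN_URL = "https://idp.example.com/oauth/check_token";
    private static final String RESOURCE_CLIENT_ID = "my-resource-server";
    private static final String RESOURCE_CLIENT_SECRET = "change-me";

    @Bean
    public ResourceServerTokenServices tokenServices() {
        RemoteTokenServices services = new RemoteTokenServices();
        services.setCheckTokenEndpointUrl(CHECK_TOKEN_URL);
        services.setClientId(RESOURCE_CLIENT_ID);
        services.setClientSecret(RESOURCE_CLIENT_SECRET);
        return services;
    }

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        // resourceId must match the audience/resource id the identity server puts into the token,
        // otherwise a token issued for some other API is rejected here
        resources.resourceId("rest-api").tokenServices(tokenServices());
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/api/**").authenticated()
            .anyRequest().denyAll();
    }
}
```

If the external server's validation web service does not speak Spring's check_token format, the same structure still applies: implement ResourceServerTokenServices yourself (its two methods, loadAuthentication(String) and readAccessToken(String), are where the call to the validation service goes) and pass that bean to tokenServices() instead of RemoteTokenServices. Note that the spring-security-oauth2 project has since been deprecated; on current Spring Security the equivalent is opaque-token introspection (RFC 7662) via http.oauth2ResourceServer().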

SSO between Webapp and REST API using apache shiro

I'm trying to set up a SSO between a webapp and a REST API, to do this I'm using Apache Shiro + Jasig CAS but now I'm having a problem related to the authentication of the REST API.
I'm using CASRealm + CASFilter in the Webapp and trying to use the session created there to access the REST API, I've tried 2 approaches:
propagating the CAS service ticket from the webapp to the REST API through the request header (does not work, it says the service ticket is invalid because it belongs to another app, maybe the TGT would work)
store the username and password in the webapp and use them in http basic authentication (this might be a big security flaw, I'm trying to avoid it)
What other approach can I use to authenticate the user in the REST API?
I guess this is mainly an architecture issue.
Please ask questions if you didn't understand my question (or my English).
It looks like you want to use the first CAS service as a proxy for your REST API: you could use the CAS proxy mechanism: https://wiki.jasig.org/display/CAS/Proxy+CAS+Walkthrough. Though, the proxy support is not available in the Shiro CAS module, you should use the buji-pac4j extension, here is a good discussion on this topic: http://shiro-user.582556.n2.nabble.com/Shiro-cas-proxying-td7579694.html.
You can enable the OAuth 2.0 configuration on CAS and then you can secure your REST services with OAuth 2.0. For example you can have a REST service with OAuth for user authentication. Here are some useful links.
OAuth configuration
Securing REST
OAuth and REST

"Embedding" JasperServer into external web app?

Is there any way to integrate/embed JasperServer into another web app?
The thing is that the login page of JasperServer should be somehow bypassed. Is it maybe possible to do authentication through web service / REST, skip login page, and then show the main server page in an iframe, or something to that effect?
Thanks.
You can use the HTTP protocol and pull the reports in an iframe. The authentication information needs to go in the URL as j_username and j_password.
To use the REST service, you need to write a REST client (I did it using Jersey with HTTP authentication) where the authentication info goes in the header.
It also provides SOAP services for integration which I haven't tried yet.
JasperServer Authentication is implemented by Spring Security, so you can use a SSO mechanism supported by Spring Security easily.
You can find XML configuration file (for the security) easily.

How to authenticate by user name and password in an Axis2 WebService?

I've built a web service via Axis2 in Java and uploaded it to the server. Everything is OK and it works fine, but I haven't considered any authentication method for it. How can I set a username and password for my method?
The standard for web services authentication is WS-Security. The Axis2 implementation is called Rampart.
You can create a web service method that accepts a user name and password.
If the user name and password are correct then you create a session token (preferably created by using the credentials) and send it back to the web service client.
The client for each web service call, must send along with the request parameters the token as well.
Since the request has a valid token, the client is considered as already authenticated and you proceed with the web service call.
If you're using a servlet (and not a custom-made stand-alone server application) you can just use a servlet filter for authentication.
Depending on the web framework you use you can use the standard security for that. Like you would for securing pages.
Or you could protect the resources using http BASIC or DIGEST authentication.
Web services are - for the container - not much more than web pages so they can be protected in all the standard ways.
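The answer above points at the servlet layer as the place to authenticate. As an added example (not the answer's code), here is a servlet filter that verifies HTTP Digest credentials per RFC 2617 with qop="auth" in front of any servlet-hosted service, Axis2 included. The realm name, the in-memory user store with its sample user, and the stateless nonce format are all assumptions made for the example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Checks HTTP Digest credentials (RFC 2617) before the request reaches the web service. */
public class DigestAuthFilter implements Filter {
    private static final String REALM = "ws-realm";                 // assumed realm name
    private static final long NONCE_TTL_MILLIS = 5 * 60 * 1000L;    // reject nonces older than 5 min
    // key=value pairs, quoted or bare: username="alice", qop=auth, nc=00000001
    private static final Pattern PARAM = Pattern.compile("(\\w+)=(?:\"([^\"]*)\"|([^,\\s]+))");

    // Stores HA1 = MD5(username:realm:password) per user; the cleartext password is never kept.
    private final Map<String, String> ha1ByUser = new HashMap<String, String>();
    private String nonceSecret;

    public void init(FilterConfig cfg) {
        byte[] key = new byte[32];
        new SecureRandom().nextBytes(key);
        nonceSecret = hex(key);
        ha1ByUser.put("alice", md5Hex("alice:" + REALM + ":s3cret")); // constructed sample user
    }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String header = request.getHeader("Authorization");
        if (header != null && header.startsWith("Digest ")) {
            Map<String, String> p = parse(header.substring("Digest ".length()));
            String ha1 = ha1ByUser.get(p.get("username"));
            // digest-uri is the request target including any query string
            String uri = request.getQueryString() == null
                    ? request.getRequestURI() : request.getRequestURI() + "?" + request.getQueryString();
            if (ha1 != null && REALM.equals(p.get("realm")) && nonceIsValid(p.get("nonce"))
                    && uri.equals(p.get("uri"))
                    && constantTimeEquals(expectedResponse(ha1, request.getMethod(), p), p.get("response"))) {
                chain.doFilter(req, res);   // credentials verified: let the service run
                return;
            }
        }
        // Missing or bad credentials: challenge with a fresh nonce
        response.setHeader("WWW-Authenticate",
                "Digest realm=\"" + REALM + "\", qop=\"auth\", nonce=\"" + newNonce() + "\"");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }

    /** RFC 2617: response = MD5(HA1:nonce:nc:cnonce:qop:HA2), HA2 = MD5(method:uri). */
    static String expectedResponse(String ha1, String method, Map<String, String> p) {
        String ha2 = md5Hex(method + ":" + p.get("uri"));
        if ("auth".equals(p.get("qop"))) {
            return md5Hex(ha1 + ":" + p.get("nonce") + ":" + p.get("nc") + ":" + p.get("cnonce") + ":auth:" + ha2);
        }
        return md5Hex(ha1 + ":" + p.get("nonce") + ":" + ha2);   // legacy RFC 2069 form without qop
    }

    /** nonce = timestamp:MD5(timestamp:secret), verifiable without server-side state. */
    private String newNonce() {
        String ts = Long.toString(System.currentTimeMillis());
        return ts + ":" + md5Hex(ts + ":" + nonceSecret);
    }

    private boolean nonceIsValid(String nonce) {
        if (nonce == null || nonce.indexOf(':') < 0) return false;
        String ts = nonce.substring(0, nonce.indexOf(':'));
        try {
            long age = System.currentTimeMillis() - Long.parseLong(ts);
            return age >= 0 && age < NONCE_TTL_MILLIS
                    && constantTimeEquals(md5Hex(ts + ":" + nonceSecret), nonce.substring(ts.length() + 1));
        } catch (NumberFormatException e) {
            return false;   // nonce not issued by this filter
        }
    }

    static Map<String, String> parse(String params) {
        Map<String, String> out = new HashMap<String, String>();
        Matcher m = PARAM.matcher(params);
        while (m.find()) out.put(m.group(1), m.group(2) != null ? m.group(2) : m.group(3));
        return out;
    }

    static boolean constantTimeEquals(String a, String b) {
        return a != null && b != null
                && MessageDigest.isEqual(a.getBytes(StandardCharsets.US_ASCII), b.getBytes(StandardCharsets.US_ASCII));
    }

    static String md5Hex(String s) {
        try {
            return hex(MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.UTF_8)));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```

Register it in web.xml with a filter-mapping on the Axis2 servlet's URL pattern (for a default Axis2 WAR that is /services/*). Two limitations a practitioner should know about: the filter does not track the nc counter, so a captured Authorization header can be replayed until its nonce expires, and the stored HA1 is password-equivalent for this realm, so the user store needs the same protection as a password file. Digest also leaves the request body unauthenticated and depends on MD5, so it belongs behind TLS rather than in place of it.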
You can successfully use one of the existing Axis2 modules: Rampart.
Check the website (http://axis.apache.org/axis2/java/rampart/) for setup/config instructions and both client & server examples.
With Rampart I managed to use UsernameAndPassword authentication with WCF server and Java client.

Enable Grizzly to perform JaaS simple HTTP AUTH

How can I make the Grizzly HTTP server allow JAAS for simple HTTP auth?
I can't see any code/sample out there: there's another post here on StackOverflow that directly assumes that JAAS is available in Grizzly, but doesn't explain how to add it.
I don't think the Grizzly HTTP server provides basic auth 'out of the box'. If you do not want to use a full-blown implementation like glassfish, you can implement your own filter and add it to the list of grizzly filters. Here is an example of how to extract the login data via HTTP basic auth and how to integrate it in JAAS objects within the grizzly context. But it requires a significant amount of coding.
http://java.net/projects/jersey/sources/svn/content/trunk/jersey/samples/https-clientserver-grizzly/src/main/java/com/sun/jersey/samples/https_grizzly/auth/SecurityFilter.java?rev=5160
Hope that helps.
