Question

I'm trying to configure a CXF SOAP web service with authorization and authentication to be deployed on ServiceMix.

I configured the LDAP authentication module as follows:

<!-- Bean to allow the $[karaf.base] property to be correctly resolved -->
<ext:property-placeholder placeholder-prefix="$[" placeholder-suffix="]"/>

<jaas:config name="myRealm">
    <jaas:module className="org.apache.karaf.jaas.modules.ldap.LDAPLoginModule" flags="required">
        connection.url = ldap://srv-ldap:389
        user.base.dn = ou=people,dc=intranet,dc=company,dc=com
        user.filter = (uid=%u)
        user.search.subtree = false
        role.base.dn = ou=groups,dc=intranet,dc=company,dc=com
        role.filter = (member:=uid=%u,ou=people,dc=intranet,dc=company,dc=com)
        role.name.attribute = cn
        role.search.subtree = true
        authentication = simple
    </jaas:module>
</jaas:config>

<service interface="org.apache.karaf.jaas.modules.BackingEngineFactory">
    <bean class="org.apache.karaf.jaas.modules.properties.PropertiesBackingEngineFactory"/>
</service>

And here is the beans.xml file:

<jaxws:endpoint id="myService"
    implementor="com.myorg.services.impl.MyServiceWSImpl"
    address="/myService">
    <jaxws:inInterceptors>
        <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
            <constructor-arg>
                <map>
                    <entry key="action" value="UsernameToken" />
                    <entry key="passwordType" value="PasswordText" />
                </map>
            </constructor-arg>
        </bean>
        <ref bean="authenticationInterceptor" />
        <ref bean="authorizationInterceptor" />
    </jaxws:inInterceptors>
    <jaxws:properties>
        <entry key="ws-security.validate.token" value="false" />
    </jaxws:properties>
</jaxws:endpoint>

<bean id="authenticationInterceptor"
    class="org.apache.cxf.interceptor.security.JAASLoginInterceptor">
    <property name="contextName" value="myRealm" />
</bean>

<bean id="authorizationInterceptor"
    class="org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor">
    <property name="securedObject" ref="securedBean"/>
</bean>

Finally, in my web service implementation I annotated a method with @RolesAllowed:

@RolesAllowed("Role1")
public Department get(String name) throws IdMException {
    return service.get(name);
}

The authentication interceptor is retrieving the user, authenticating it and retrieving the groups as RolePrincipal instances. Then, in the authorization interceptor (SecureAnnotationsInterceptor), the method configuration is read and the expected roles are "Role1", but the SimpleAuthorizingInterceptor.isUserInRole method returns false.

I haven't found any example trying to do more or less the same, and the little information I found was from the CXF documentation page http://cxf.apache.org/docs/security.html#Security-Authorization

I must be missing something important; I hope somebody can help me. Thanks in advance and kind regards.


Solution

Your problem is that Karaf's RolePrincipal does not implement Group as CXF expects. Instead, it implements Principal, so CXF thinks that the 1st role name is a username. That is why "SimpleAuthorizingInterceptor.isUserInRole method returns false".

A solution is to wait for the fixed versions of CXF (2.7.11 and 3.0.0). If it is not possible to update to a newer version, then an odd and temporary solution (simply a workaround) is to add more than one role to the user in LDAP and to the method.

You can find more about that bug here: CXF-5603
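The mechanism behind the answer, as an added, self-contained illustration that is not CXF's or Karaf's code: a JAAS Subject is built the way a login module would build it, once with a role that implements only java.security.Principal (the shape of Karaf's RolePrincipal) and once with a role that implements java.security.acl.Group. A role check that only recognises Group principals returns false for the first Subject even though "Role1" is present, which is exactly the symptom in the question. The class-based classifier that follows is my own sketch of the alternative strategy (treat every principal of a configured class as a role, everything else as the user); it is not a CXF API, and the class names FlatRolePrincipal, UserPrincipal and GroupRolePrincipal are constructed for this example.

```java
import java.security.Principal;
import java.security.acl.Group;   // available on Java 8; deprecated in 9, removed in 14
import java.util.Collections;
import java.util.Enumeration;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.security.auth.Subject;

/**
 * Added illustration, not CXF or Karaf code. Shows why a role check that
 * only recognises Group principals fails when the login module adds roles
 * that implement only Principal, and how a class-based classifier avoids it.
 */
public class RoleClassifierDemo {

    /** Stand-in for Karaf's RolePrincipal: implements Principal, not Group. */
    static final class FlatRolePrincipal implements Principal {
        private final String name;
        FlatRolePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    /** Stand-in for the authenticated user's principal. */
    static final class UserPrincipal implements Principal {
        private final String name;
        UserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    /** A role in the shape the Group-only check expects. */
    static final class GroupRolePrincipal implements Group {
        private final String name;
        private final Set<Principal> members = new LinkedHashSet<>();
        GroupRolePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean addMember(Principal user) { return members.add(user); }
        @Override public boolean removeMember(Principal user) { return members.remove(user); }
        @Override public boolean isMember(Principal member) { return members.contains(member); }
        @Override public Enumeration<? extends Principal> members() {
            return Collections.enumeration(members);
        }
    }

    /** Group-only check: a principal counts as a role only if it is a Group. */
    static boolean isUserInRoleByGroup(Subject subject, String role) {
        for (Principal p : subject.getPrincipals()) {
            if (p instanceof Group && role.equals(p.getName())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Class-based classifier (own sketch, not CXF's API): every principal of
     * the configured role class is a role, regardless of whether it is a Group.
     */
    static boolean isUserInRoleByClass(Subject subject, Class<? extends Principal> roleClass, String role) {
        for (Principal p : subject.getPrincipals()) {
            if (roleClass.isInstance(p) && role.equals(p.getName())) {
                return true;
            }
        }
        return false;
    }

    /** The user is the first principal that is neither a Group nor of the role class. */
    static Principal userPrincipal(Subject subject, Class<? extends Principal> roleClass) {
        for (Principal p : subject.getPrincipals()) {
            if (!(p instanceof Group) && !roleClass.isInstance(p)) {
                return p;
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed Subject: what a login module using flat role principals
        // produces for user "alice" who is a member of LDAP group "Role1".
        Subject flatRoles = new Subject();
        flatRoles.getPrincipals().add(new UserPrincipal("alice"));
        flatRoles.getPrincipals().add(new FlatRolePrincipal("Role1"));

        // Constructed Subject: the same user, with the role modelled as a Group.
        Subject groupRoles = new Subject();
        UserPrincipal alice = new UserPrincipal("alice");
        GroupRolePrincipal role1 = new GroupRolePrincipal("Role1");
        role1.addMember(alice);
        groupRoles.getPrincipals().add(alice);
        groupRoles.getPrincipals().add(role1);

        System.out.println("Group-only check, flat roles  : " + isUserInRoleByGroup(flatRoles, "Role1"));
        System.out.println("Group-only check, Group roles : " + isUserInRoleByGroup(groupRoles, "Role1"));
        System.out.println("Class-based check, flat roles : " + isUserInRoleByClass(flatRoles, FlatRolePrincipal.class, "Role1"));
        System.out.println("User picked by classifier     : " + userPrincipal(flatRoles, FlatRolePrincipal.class).getName());
    }
}
```

Compile and run it on a JDK 8 (java.security.acl.Group no longer exists on JDK 14 and later). The first line of output shows the failing authorization from the question: the Subject does carry "Role1", but because that principal is not a Group the role check never sees it, and the authorizing interceptor denies a method annotated with @RolesAllowed("Role1"). The fix referenced in the answer (CXF-5603, shipped in 2.7.11 and 3.0.0) is the supported way to resolve this; the classifier methods above only show the idea of recognising roles by their class rather than by the Group interface.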

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow