[mule-user] ws-sec and component Authorization


Tomas Blohm

Oct 29, 2009, 7:11:08 AM10/29/09
to us...@mule.codehaus.org

Hi, I've implemented different approaches to secure my webservice with LDAP
authorization and every one fails in some way. I implemented ws-sec and that
worked until I tried to combine it with component authorization. Since I
want to implement role behavior, this is necessary. Is it possible to combine
ws-sec and component authorization? This is my config:

<?xml version="1.0" encoding="UTF-8"?>
<mule xmlns="http://www.mulesource.org/schema/mule/core/2.2"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:http="http://www.mulesource.org/schema/mule/http/2.2"
xmlns:https="http://www.mulesource.org/schema/mule/https/2.2"
xmlns:cxf="http://www.mulesource.org/schema/mule/cxf/2.2"
xmlns:spring-security="http://www.mulesource.org/schema/mule/spring-security/2.2"
xmlns:vm="http://www.mulesource.org/schema/mule/vm/2.2"
xmlns:mule-ss="http://www.mulesource.org/schema/mule/spring-security/2.2"
xmlns:ss="http://www.springframework.org/schema/security"
xmlns:spring="http://www.springframework.org/schema/beans"
xmlns:acegi="http://www.mulesource.org/schema/mule/acegi/2.2"
xsi:schemaLocation="
http://www.mulesource.org/schema/mule/http/2.2
http://www.mulesource.org/schema/mule/http/2.2/mule-http.xsd
http://www.mulesource.org/schema/mule/https/2.2
http://www.mulesource.org/schema/mule/https/2.2/mule-https.xsd
http://www.mulesource.org/schema/mule/cxf/2.2
http://www.mulesource.org/schema/mule/cxf/2.2/mule-cxf.xsd
http://www.mulesource.org/schema/mule/core/2.2
http://www.mulesource.org/schema/mule/core/2.2/mule.xsd
http://www.mulesource.org/schema/mule/spring-security/2.2
http://www.mulesource.org/schema/mule/spring-security/2.2/mule-spring-security.xsd
http://www.mulesource.org/schema/mule/vm/2.2
http://www.mulesource.org/schema/mule/vm/2.2/mule-vm.xsd
http://www.mulesource.org/schema/mule/spring-security/2.2
http://www.mulesource.org/schema/mule/spring-security/2.2/mule-spring-security.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-2.0.xsd
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
http://www.mulesource.org/schema/mule/acegi/2.2
http://www.mulesource.org/schema/mule/acegi/2.2/mule-acegi.xsd
">

<spring:bean id="authenticationManager"
class="org.springframework.security.providers.ProviderManager">
<spring:property name="providers">
<spring:list>
<spring:ref bean="authenticationProvider"/>
</spring:list>
</spring:property>
</spring:bean>

<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:mule="http://www.mulesource.org/schema/mule/core/2.2"
xmlns:acegi="http://www.mulesource.org/schema/mule/acegi/2.2">

<bean id="initialDirContextFactory"
class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<constructor-arg value="ldap://172.16.71.50:389/o=SE" />
<property name="userDn">
<value>cn=admin,o=Pulsen</value>
</property>
<property name="password">
<value>xxxxxx</value>
</property>
</bean>

<bean id="authenticationProvider"
class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
<constructor-arg>
<bean
class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
<constructor-arg>
<ref local="initialDirContextFactory" />
</constructor-arg>
<property name="userDnPatterns">
<list>
<value>cn={0},ou=Mule</value>
</list>
</property>
</bean>
</constructor-arg>
<constructor-arg>
<bean
class="org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator">
<constructor-arg>
<ref local="initialDirContextFactory" />
</constructor-arg>
<constructor-arg>
<value>ou=groups,ou=Mule</value>
</constructor-arg>
<property name="groupRoleAttribute">
<value>cn</value>
</property>
<property name="searchSubtree">
<value>true</value>
</property>
<property name="rolePrefix">
<value>ROLE_</value>
</property>
<property name="convertToUpperCase">
<value>true</value>
</property>
</bean>
</constructor-arg>
</bean>
<bean id="myComponentSecurity"
class="org.springframework.security.intercept.method.aopalliance.MethodSecurityInterceptor">
<property name="authenticationManager" ref="authenticationManager"/>
<property name="accessDecisionManager" ref="accessDecisionManager"/>
<property name="objectDefinitionSource">
<value>
com.pulsen.cxf.services.HelloWorldImpl.sayHi=ROLE_READERS
com.pulsen.cxf.services.HelloWorldImpl.sayHi2=ROLE_WRITERS
</value>
</property>
</bean>
<bean id="accessDecisionManager"
class='org.springframework.security.vote.AffirmativeBased'>
<property name="decisionVoters">
<list>
<ref bean="roleVoter"/>
</list>
</property>
</bean>
<bean id="autoProxyCreator"
class="org.springframework.aop.framework.autoproxy.BeanNameAutoProxyCreator">
<property name="interceptorNames">
<list>
<value>myComponentSecurity</value>
</list>
</property>
<property name="beanNames">
<list>
<value>helloWorldService</value>
</list>
</property>
<property name='proxyTargetClass' value="true"/>
</bean>
<bean id="roleVoter" class="org.springframework.security.vote.RoleVoter"/>

<cxf:security-manager-callback id="serverCallback"
securityManager-ref="_muleSecurityManager"/>
</beans>

<mule-ss:security-manager id="_muleSecurityManager">
<mule-ss:delegate-security-provider name="spring-security-ldap"
delegate-ref="authenticationManager" />
</mule-ss:security-manager>

<https:connector name="httpConnector">
<https:tls-client path="keystore/clientkeystore" storePassword="xdr537" />
<https:tls-key-store path="keystore/portal.keystore"
keyPassword="changeit" storePassword="changeit" />
<https:tls-server path="keystore/truststore" storePassword="changeit" />
</https:connector>

<model name="CxfExample">
<service name="helloService">
<inbound>
<cxf:inbound-endpoint address="https://localhost:63081/hello"
synchronous="true">
<!-- mule-ss:http-security-filter realm="mule-realm" /> -->
<cxf:inInterceptors>
<spring:bean
class="org.apache.cxf.binding.soap.saaj.SAAJInInterceptor" />
<spring:bean
class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
<spring:constructor-arg>
<spring:map>
<spring:entry key="action" value="UsernameToken" />
<spring:entry key="passwordCallbackRef"
value-ref="serverCallback" />
<spring:entry key="passwordType"
value="PasswordText" />
</spring:map>
</spring:constructor-arg>
</spring:bean>
</cxf:inInterceptors>
</cxf:inbound-endpoint>
</inbound>
<component>
<!-- singleton-object
class="com.pulsen.cxf.services.HelloWorldImpl"/> -->
<spring-object bean="helloWorldService" />
</component>
</service>
</model>
<spring:bean id="helloWorldService"
class="com.pulsen.cxf.services.HelloWorldImpl" />
</mule>

The exception I get looks like this:

ERROR 2009-10-29 11:51:56,884 [httpConnector.receiver.2]
org.mule.service.DefaultServiceExceptionStrategy:
********************************************************************************
Message : Component that caused exception is:
SedaService{helloService}. Message payload is of type: String
Type : org.mule.api.service.ServiceException
Code : MULE_ERROR--2
JavaDoc :
http://www.mulesource.org/docs/site/current2/apidocs/org/mule/api/service/ServiceException.html
Payload : Tomas
********************************************************************************
Exception stack is:
1. An Authentication object was not found in the SecurityContext
(org.springframework.security.AuthenticationCredentialsNotFoundException)
org.springframework.security.intercept.AbstractSecurityInterceptor:342
(null)
2. Component that caused exception is: SedaService{helloService}. Message
payload is of type: String (org.mule.api.service.ServiceException)
org.mule.component.DefaultLifecycleAdapter:216
(http://www.mulesource.org/docs/site/current2/apidocs/org/mule/api/service/ServiceException.html)
********************************************************************************
Root Exception stack trace:
org.springframework.security.AuthenticationCredentialsNotFoundException: An
Authentication object was not found in the SecurityContext
at
org.springframework.security.intercept.AbstractSecurityInterceptor.credentialsNotFound(AbstractSecurityInterceptor.java:342)
at
org.springframework.security.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:254)
at
org.springframework.security.intercept.method.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:63)
at
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at
org.springframework.aop.framework.Cglib2AopProxy$DynamicAdvisedInterceptor.intercept(Cglib2AopProxy.java:635)
at
com.pulsen.cxf.services.HelloWorldImpl$$EnhancerByCGLIB$$a7766c41.sayHi(<generated>)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at
org.mule.model.resolvers.AbstractEntryPointResolver.invokeMethod(AbstractEntryPointResolver.java:154)
at
org.mule.model.resolvers.MethodHeaderPropertyEntryPointResolver.invoke(MethodHeaderPropertyEntryPointResolver.java:105)
at
org.mule.model.resolvers.DefaultEntryPointResolverSet.invoke(DefaultEntryPointResolverSet.java:50)
at
org.mule.component.DefaultLifecycleAdapter.invoke(DefaultLifecycleAdapter.java:205)
at
org.mule.component.AbstractJavaComponent.invokeComponentInstance(AbstractJavaComponent.java:83)
at
org.mule.component.AbstractJavaComponent.doInvoke(AbstractJavaComponent.java:74)
at
org.mule.component.AbstractComponent.invokeInternal(AbstractComponent.java:133)
at org.mule.component.AbstractComponent.invoke(AbstractComponent.java:161)
at
org.mule.service.AbstractService.invokeComponent(AbstractService.java:929)
at org.mule.model.seda.SedaService.doSend(SedaService.java:257)
at org.mule.service.AbstractService.sendEvent(AbstractService.java:500)
at org.mule.DefaultMuleSession.sendEvent(DefaultMuleSession.java:354)
at
org.mule.routing.inbound.DefaultInboundRouterCollection.send(DefaultInboundRouterCollection.java:228)
at
org.mule.routing.inbound.DefaultInboundRouterCollection.route(DefaultInboundRouterCollection.java:188)
at
org.mule.transport.AbstractMessageReceiver$DefaultInternalMessageListener.onMessage(AbstractMessageReceiver.java:364)
at
org.mule.transport.AbstractMessageReceiver.routeMessage(AbstractMessageReceiver.java:252)
at
org.mule.transport.AbstractMessageReceiver.routeMessage(AbstractMessageReceiver.java:175)
at org.mule.transport.cxf.MuleInvoker.invoke(MuleInvoker.java:108)
at
org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:56)
at
org.apache.cxf.workqueue.SynchronousExecutor.execute(SynchronousExecutor.java:37)
at
org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:92)
at
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:220)
at
org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:78)
at
org.mule.transport.cxf.CxfServiceComponent.sendToDestination(CxfServiceComponent.java:284)
at
org.mule.transport.cxf.CxfServiceComponent.onCall(CxfServiceComponent.java:112)
at
org.mule.model.resolvers.CallableEntryPointResolver.invoke(CallableEntryPointResolver.java:52)
at
org.mule.model.resolvers.DefaultEntryPointResolverSet.invoke(DefaultEntryPointResolverSet.java:50)
at
org.mule.component.DefaultLifecycleAdapter.invoke(DefaultLifecycleAdapter.java:205)
at
org.mule.component.AbstractJavaComponent.invokeComponentInstance(AbstractJavaComponent.java:83)
at
org.mule.component.AbstractJavaComponent.doInvoke(AbstractJavaComponent.java:74)
at
org.mule.component.AbstractComponent.invokeInternal(AbstractComponent.java:133)
at org.mule.component.AbstractComponent.invoke(AbstractComponent.java:161)
at
org.mule.service.AbstractService.invokeComponent(AbstractService.java:929)
at org.mule.model.seda.SedaService.doSend(SedaService.java:257)
at org.mule.service.AbstractService.sendEvent(AbstractService.java:500)
at org.mule.DefaultMuleSession.sendEvent(DefaultMuleSession.java:354)
at
org.mule.routing.inbound.DefaultInboundRouterCollection.send(DefaultInboundRouterCollection.java:228)
at
org.mule.routing.inbound.DefaultInboundRouterCollection.route(DefaultInboundRouterCollection.java:188)
at
org.mule.transport.AbstractMessageReceiver$DefaultInternalMessageListener.onMessage(AbstractMessageReceiver.java:364)
at
org.mule.transport.AbstractMessageReceiver.routeMessage(AbstractMessageReceiver.java:252)
at
org.mule.transport.AbstractMessageReceiver.routeMessage(AbstractMessageReceiver.java:193)
at
org.mule.transport.http.HttpMessageReceiver$HttpWorker.doRequest(HttpMes...
********************************************************************************

The ldap authentication works if I remove the component authorization. If I
change the model to not use ws-sec:

<service name="helloService">
<inbound>
<cxf:inbound-endpoint address="https://localhost:63081/hello"
synchronous="true">
<mule-ss:http-security-filter realm="mule-realm" />
</cxf:inbound-endpoint>
</inbound>
<component>
<spring-object bean="helloWorldService" />
</component>
</service>

Then everything works, different users can request different methods
depending on group membership. But I still get errors in the log:

ERROR 2009-10-29 11:46:40,539 [httpConnector.receiver.2]
org.mule.config.i18n.CoreMessages: Failed to find message for id 134 in
resource bundle META-INF.services.org.mule.i18n.core-messages
WARN 2009-10-29 11:46:40,539 [httpConnector.receiver.2]
org.mule.transport.http.HttpsMessageReceiver: Request was made but was not
authenticated: Registered authentication is set to
org.mule.module.spring.security.filters.http.HttpBasicAuthenticationFilter
but there was no security context on the session. . Message payload is of
type: ContentLengthInputStream
org.mule.api.security.UnauthorisedException: Registered authentication is
set to
org.mule.module.spring.security.filters.http.HttpBasicAuthenticationFilter
but there was no security context on the session. . Message payload is of
type: ContentLengthInputStream
at
org.mule.module.spring.security.filters.http.HttpBasicAuthenticationFilter.authenticateInbound(HttpBasicAuthenticationFilter.java:164)
at
org.mule.security.AbstractEndpointSecurityFilter.authenticate(AbstractEndpointSecurityFilter.java:181)
at
org.mule.transport.AbstractMessageReceiver$DefaultInternalMessageListener.onMessage(AbstractMessageReceiver.java:335)
at
org.mule.transport.AbstractMessageReceiver.routeMessage(AbstractMessageReceiver.java:252)
at
org.mule.transport.AbstractMessageReceiver.routeMessage(AbstractMessageReceiver.java:193)
at
org.mule.transport.http.HttpMessageReceiver$HttpWorker.doRequest(HttpMessageReceiver.java:273)
at
org.mule.transport.http.HttpMessageReceiver$HttpWorker.processRequest(HttpMessageReceiver.java:227)
at
org.mule.transport.http.HttpMessageReceiver$HttpWorker.run(HttpMessageReceiver.java:190)
at org.mule.work.WorkerContext.run(WorkerContext.java:310)
at
edu.emory.mathcs.backport.java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1061)
at
edu.emory.mathcs.backport.java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:575)
at java.lang.Thread.run(Thread.java:595)
ERROR 2009-10-29 11:46:40,554 [httpConnector.receiver.2]
org.mule.DefaultExceptionStrategy:
********************************************************************************
Message : Registered authentication is set to
org.mule.module.spring.security.filters.http.HttpBasicAuthenticationFilter
but there was no security context on the session. . Message payload is of
type: ContentLengthInputStream
Type : org.mule.api.security.UnauthorisedException
Code : MULE_ERROR-54999
JavaDoc :
http://www.mulesource.org/docs/site/current2/apidocs/org/mule/api/security/UnauthorisedException.html
Payload :
org.apache.commons.httpclient.ContentLengthInputStream@ac2d3c
********************************************************************************
Exception stack is:
1. Registered authentication is set to
org.mule.module.spring.security.filters.http.HttpBasicAuthenticationFilter
but there was no security context on the session. . Message payload is of
type: ContentLengthInputStream (org.mule.api.security.UnauthorisedException)

org.mule.module.spring.security.filters.http.HttpBasicAuthenticationFilter:164
(http://www.mulesource.org/docs/site/current2/apidocs/org/mule/api/security/UnauthorisedException.html)
********************************************************************************
Root Exception stack trace:
org.mule.api.security.UnauthorisedException: Registered authentication is
set to
org.mule.module.spring.security.filters.http.HttpBasicAuthenticationFilter
but there was no security context on the session. . Message payload is of
type: ContentLengthInputStream
at
org.mule.module.spring.security.filters.http.HttpBasicAuthenticationFilter.authenticateInbound(HttpBasicAuthenticationFilter.java:164)
at
org.mule.security.AbstractEndpointSecurityFilter.authenticate(AbstractEndpointSecurityFilter.java:181)
at
org.mule.transport.AbstractMessageReceiver$DefaultInternalMessageListener.onMessage(AbstractMessageReceiver.java:335)
at
org.mule.transport.AbstractMessageReceiver.routeMessage(AbstractMessageReceiver.java:252)
at
org.mule.transport.AbstractMessageReceiver.routeMessage(AbstractMessageReceiver.java:193)
at
org.mule.transport.http.HttpMessageReceiver$HttpWorker.doRequest(HttpMessageReceiver.java:273)
at
org.mule.transport.http.HttpMessageReceiver$HttpWorker.processRequest(HttpMessageReceiver.java:227)
at
org.mule.transport.http.HttpMessageReceiver$HttpWorker.run(HttpMessageReceiver.java:190)
at org.mule.work.WorkerContext.run(WorkerContext.java:310)
at
edu.emory.mathcs.backport.java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1061)
at
edu.emory.mathcs.backport.java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:575)
at java.lang.Thread.run(Thread.java:595)

********************************************************************************


Any input on this is appreciated!!

/Tomas Blohm
--
View this message in context: http://www.nabble.com/ws-sec-and-component-Authorization-tp26111057p26111057.html
Sent from the Mule - User mailing list archive at Nabble.com.



Richard Swart

Oct 29, 2009, 9:03:21 AM10/29/09
to us...@mule.codehaus.org
I had a quick look at this recently because a customer would like to use a similar setup. My impression is that the org.mule.transport.cxf.support.MuleSecurityManagerCallbackHandler is doing the authentication but not setting the SecurityContext on the session like the http-basic-authentication filter is doing:

SecurityContext context = getSecurityManager().createSecurityContext(authResult);
context.setAuthentication(authResult);
event.getSession().setSecurityContext(context);

Probably because the interceptor does not have access to the event (it's a CXF and not a Mule interceptor). I am considering creating my own wss-authentication filter based on the http one.

Tomas Blohm

Oct 30, 2009, 3:52:28 AM10/30/09
to us...@mule.codehaus.org

This seems like quite a big limitation for ws-sec. The job is only halfway
done. I think I might file a JIRA for this.
What about the other error, where everything worked but errors are still
printed to the log?

--
View this message in context: http://old.nabble.com/ws-sec-and-component-Authorization-tp26111057p26126168.html


Sent from the Mule - User mailing list archive at Nabble.com.

Ross Montgomery

Jul 9, 2011, 7:53:19 AM7/9/11
to us...@mule.codehaus.org
Hi,

I've recently been trying to implement authentication and authorisation for a Mule (2.2.1) CXF Web Service using WS-Security and Spring Security with an LDAP Provider. I encountered the same problems described in this thread: authentication works fine, but subsequent method-level authorisation fails because the SecurityContext is not propagated from the CXF 'context' to the wider MuleContext. I have developed my own 'work-around' based on the clues given here (essentially extended org.apache.ws.security.processor.UsernameTokenProcessor to make it MuleContextAware so that I can place the authenticated credentials into the SecurityContext).

I was just wondering whether, since the last post (30-Oct-2009), any progress has been made (perhaps in subsequent Mule releases) to fix this problem, so that a 'work-around' is no longer required?
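A filter of the kind Richard describes, which is also the gap Ross works around, as an added example that is neither Mule's code nor anything posted in this thread: it reads the wsse:UsernameToken, authenticates it through the Mule security manager and then runs the three lines Richard quoted so that the session carries a SecurityContext. It assumes the Mule 2.2 AbstractEndpointSecurityFilter and SecurityManager API, that the filter sits on the cxf:inbound-endpoint where http-security-filter was (so it sees the raw SOAP envelope as the payload), and the class name is hypothetical.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilderFactory;
import org.mule.api.MuleEvent;
import org.mule.api.security.Authentication;
import org.mule.api.security.SecurityContext;
import org.mule.api.security.SecurityException;
import org.mule.api.security.SecurityProviderNotFoundException;
import org.mule.api.security.UnauthorisedException;
import org.mule.api.security.UnknownAuthenticationTypeException;
import org.mule.config.i18n.MessageFactory;
import org.mule.security.AbstractEndpointSecurityFilter;
import org.mule.security.DefaultMuleAuthentication;
import org.mule.security.MuleCredentials;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.xml.sax.InputSource;

/** Hypothetical inbound filter for a wsse:UsernameToken carrying a PasswordText password. */
public class WssUsernameTokenSecurityFilter extends AbstractEndpointSecurityFilter {
    private static final String WSSE =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    private static final String PASSWORD_TEXT =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText";
    protected void doInitialise() { }                         // nothing to configure
    protected void authenticateInbound(MuleEvent event)
        throws SecurityException, SecurityProviderNotFoundException, UnknownAuthenticationTypeException {
        Element token = findUsernameToken(event);
        Element user = child(token, "Username");
        Element pass = child(token, "Password");
        // Only PasswordText can be bound against LDAP; a missing or digest password is rejected.
        if (user == null || pass == null || !PASSWORD_TEXT.equals(pass.getAttribute("Type"))) {
            throw new UnauthorisedException(MessageFactory.createStaticMessage("Missing or unsupported UsernameToken"));
        }
        // Same sequence as HttpBasicAuthenticationFilter: authenticate through the security manager...
        Authentication request = new DefaultMuleAuthentication(
            new MuleCredentials(user.getTextContent(), pass.getTextContent().toCharArray()));
        Authentication authResult = getSecurityManager().authenticate(request);
        // ...then set the context on the session (the step the CXF callback handler omits); via the spring-security delegate provider this also fills Spring's SecurityContextHolder.
        SecurityContext context = getSecurityManager().createSecurityContext(authResult);
        context.setAuthentication(authResult);
        event.getSession().setSecurityContext(context);
    }

    protected void authenticateOutbound(MuleEvent event) { }  // inbound-only filter

    /** Returns the first wsse:UsernameToken, or null when the payload is unreadable or has none. */
    private static Element findUsernameToken(MuleEvent event) {
        try {
            // Assumption: the envelope is read here and set back as a String payload so that
            // the CXF endpoint behind this filter still receives the message.
            String soap = event.getMessage().getPayloadAsString();
            event.getMessage().setPayload(soap);
            DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
            f.setNamespaceAware(true);
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs, no XXE
            Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(soap)));
            return (Element) doc.getElementsByTagNameNS(WSSE, "UsernameToken").item(0);
        } catch (Exception e) {
            return null;   // treated as "no token": the caller raises UnauthorisedException
        }
    }
    private static Element child(Element parent, String local) {
        return parent == null ? null : (Element) parent.getElementsByTagNameNS(WSSE, local).item(0);
    }
}
```

Under these assumptions the mule-ss:delegate-security-provider already in Tomas's config performs the LDAP bind, and the Authentication it returns is what the ROLE_ checks in MethodSecurityInterceptor then find.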
