<?xml version="1.0" encoding="UTF-8"?>
<mule xmlns="http://www.mulesource.org/schema/mule/core/2.2"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:http="http://www.mulesource.org/schema/mule/http/2.2"
xmlns:https="http://www.mulesource.org/schema/mule/https/2.2"
xmlns:cxf="http://www.mulesource.org/schema/mule/cxf/2.2"
xmlns:spring-security="http://www.mulesource.org/schema/mule/spring-security/2.2"
xmlns:vm="http://www.mulesource.org/schema/mule/vm/2.2"
xmlns:mule-ss="http://www.mulesource.org/schema/mule/spring-security/2.2"
xmlns:ss="http://www.springframework.org/schema/security"
xmlns:spring="http://www.springframework.org/schema/beans"
xmlns:acegi="http://www.mulesource.org/schema/mule/acegi/2.2"
xsi:schemaLocation="
http://www.mulesource.org/schema/mule/http/2.2
http://www.mulesource.org/schema/mule/http/2.2/mule-http.xsd
http://www.mulesource.org/schema/mule/https/2.2
http://www.mulesource.org/schema/mule/https/2.2/mule-https.xsd
http://www.mulesource.org/schema/mule/cxf/2.2
http://www.mulesource.org/schema/mule/cxf/2.2/mule-cxf.xsd
http://www.mulesource.org/schema/mule/core/2.2
http://www.mulesource.org/schema/mule/core/2.2/mule.xsd
http://www.mulesource.org/schema/mule/spring-security/2.2
http://www.mulesource.org/schema/mule/spring-security/2.2/mule-spring-security.xsd
http://www.mulesource.org/schema/mule/vm/2.2
http://www.mulesource.org/schema/mule/vm/2.2/mule-vm.xsd
http://www.mulesource.org/schema/mule/spring-security/2.2
http://www.mulesource.org/schema/mule/spring-security/2.2/mule-spring-security.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-2.0.xsd
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
http://www.mulesource.org/schema/mule/acegi/2.2
http://www.mulesource.org/schema/mule/acegi/2.2/mule-acegi.xsd
">
<!-- Spring Security ProviderManager: passes each authentication request to the providers
     listed below. The only provider wired in is the LDAP bean "authenticationProvider". -->
<spring:bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
  <spring:property name="providers">
    <spring:list>
      <spring:ref bean="authenticationProvider"/>
    </spring:list>
  </spring:property>
</spring:bean>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:mule="http://www.mulesource.org/schema/mule/core/2.2"
xmlns:acegi="http://www.mulesource.org/schema/mule/acegi/2.2">
<!-- LDAP context source shared by the bind authenticator and the authorities populator.
     NOTE(review): the URL uses the plain ldap scheme on port 389. Unless StartTLS or a
     protected network path is configured elsewhere, the manager password and every user
     password checked through a bind cross the network unencrypted; prefer ldaps or StartTLS.
     NOTE(review): the manager DN looks like an administrative account and its password is
     stored inline (shown here as the placeholder-looking "xxxxxx"). A read-only service
     account, with the password loaded from outside this file, limits the damage if the
     file leaks. -->
<bean id="initialDirContextFactory"
      class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
  <constructor-arg value="ldap://172.16.71.50:389/o=SE"/>
  <property name="userDn" value="cn=admin,o=Pulsen"/>
  <property name="password" value="xxxxxx"/>
</bean>
<!-- LDAP authentication provider, built from two constructor arguments (order matters):
     1. a BindAuthenticator that checks the password by binding as cn={0},ou=Mule, where
        {0} is replaced with the submitted user name;
     2. a DefaultLdapAuthoritiesPopulator that maps group membership under
        ou=groups,ou=Mule to granted authorities. -->
<bean id="authenticationProvider"
      class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
  <constructor-arg>
    <bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
      <constructor-arg>
        <ref local="initialDirContextFactory"/>
      </constructor-arg>
      <property name="userDnPatterns">
        <list>
          <value>cn={0},ou=Mule</value>
        </list>
      </property>
    </bean>
  </constructor-arg>
  <constructor-arg>
    <bean class="org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator">
      <constructor-arg>
        <ref local="initialDirContextFactory"/>
      </constructor-arg>
      <constructor-arg value="ou=groups,ou=Mule"/>
      <!-- The group's cn becomes the role name, upper-cased and prefixed with ROLE_;
           for example a group whose cn is "readers" would yield ROLE_READERS. -->
      <property name="groupRoleAttribute" value="cn"/>
      <property name="searchSubtree" value="true"/>
      <property name="rolePrefix" value="ROLE_"/>
      <property name="convertToUpperCase" value="true"/>
    </bean>
  </constructor-arg>
</bean>
<!-- Method-level authorization for the service implementation: sayHi requires
     ROLE_READERS and sayHi2 requires ROLE_WRITERS.
     NOTE(review): methods that are not listed in objectDefinitionSource are treated as
     public unless rejectPublicInvocations is enabled on the interceptor; confirm that
     leaving other methods unprotected is intended. -->
<bean id="myComponentSecurity"
      class="org.springframework.security.intercept.method.aopalliance.MethodSecurityInterceptor">
  <property name="authenticationManager">
    <ref bean="authenticationManager"/>
  </property>
  <property name="accessDecisionManager">
    <ref bean="accessDecisionManager"/>
  </property>
  <property name="objectDefinitionSource">
    <value>
      com.pulsen.cxf.services.HelloWorldImpl.sayHi=ROLE_READERS
      com.pulsen.cxf.services.HelloWorldImpl.sayHi2=ROLE_WRITERS
    </value>
  </property>
</bean>
<!-- Access decision manager with a single voter (roleVoter). AffirmativeBased grants
     access as soon as one voter votes in favour. -->
<bean id="accessDecisionManager" class="org.springframework.security.vote.AffirmativeBased">
  <property name="decisionVoters">
    <list>
      <ref bean="roleVoter"/>
    </list>
  </property>
</bean>
<!-- Wraps the bean named helloWorldService in an AOP proxy that runs the
     myComponentSecurity interceptor around its method calls. proxyTargetClass=true asks
     for a class-based (CGLIB) proxy instead of an interface proxy. -->
<bean id="autoProxyCreator"
      class="org.springframework.aop.framework.autoproxy.BeanNameAutoProxyCreator">
  <property name="interceptorNames">
    <list>
      <value>myComponentSecurity</value>
    </list>
  </property>
  <property name="beanNames">
    <list>
      <value>helloWorldService</value>
    </list>
  </property>
  <property name="proxyTargetClass" value="true"/>
</bean>
<!-- The single voter used by accessDecisionManager; with no rolePrefix set it votes on
     attributes that start with the default ROLE_ prefix. -->
<bean id="roleVoter"
      class="org.springframework.security.vote.RoleVoter"/>
<!-- WSS4J password callback backed by the Mule security manager; it is the bean the
     passwordCallbackRef entry of the WSS4JInInterceptor points at. -->
<cxf:security-manager-callback
    id="serverCallback"
    securityManager-ref="_muleSecurityManager"/>
</beans>
<!-- Mule security manager that hands authentication to the Spring Security
     authenticationManager bean, registered under the provider name
     "spring-security-ldap". -->
<mule-ss:security-manager id="_muleSecurityManager">
  <mule-ss:delegate-security-provider
      name="spring-security-ldap"
      delegate-ref="authenticationManager"/>
</mule-ss:security-manager>
<!-- HTTPS connector: client keystore, server key store and trust store.
     NOTE(review): every store and key password is written inline, and "changeit" is the
     stock JDK keystore default. Load these from a protected source outside the config
     file, use distinct non-default values, and rotate any value that has been shared
     outside the deployment. -->
<https:connector name="httpConnector">
  <https:tls-client
      path="keystore/clientkeystore"
      storePassword="xdr537"/>
  <https:tls-key-store
      path="keystore/portal.keystore"
      keyPassword="changeit"
      storePassword="changeit"/>
  <https:tls-server
      path="keystore/truststore"
      storePassword="changeit"/>
</https:connector>
<!-- Service model: one CXF SOAP endpoint over HTTPS, authenticated with a WS-Security
     UsernameToken, in front of the Spring-managed helloWorldService bean. -->
<model name="CxfExample">
  <service name="helloService">
    <inbound>
      <cxf:inbound-endpoint
          address="https://localhost:63081/hello"
          synchronous="true">
        <!-- HTTP basic authentication filter, disabled in this variant: -->
        <!-- mule-ss:http-security-filter realm="mule-realm" /> -->
        <cxf:inInterceptors>
          <spring:bean class="org.apache.cxf.binding.soap.saaj.SAAJInInterceptor"/>
          <!-- NOTE(review): passwordType PasswordText puts the password in the SOAP header
               as plain text, so its confidentiality rests entirely on the HTTPS transport
               of this endpoint. The action list has only UsernameToken (no Timestamp), so
               replay protection presumably also relies on TLS; confirm.
               NOTE(review): per the AuthenticationCredentialsNotFoundException reported
               with this configuration, a successful check here does not by itself place
               an Authentication where MethodSecurityInterceptor looks for it. -->
          <spring:bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
            <spring:constructor-arg>
              <spring:map>
                <spring:entry key="action" value="UsernameToken"/>
                <spring:entry key="passwordCallbackRef" value-ref="serverCallback"/>
                <spring:entry key="passwordType" value="PasswordText"/>
              </spring:map>
            </spring:constructor-arg>
          </spring:bean>
        </cxf:inInterceptors>
      </cxf:inbound-endpoint>
    </inbound>
    <component>
      <!-- singleton-object
      class="com.pulsen.cxf.services.HelloWorldImpl"/> -->
      <!-- The component is taken from the Spring context so that the proxy built by
           autoProxyCreator, and with it the method security interceptor, is used. -->
      <spring-object bean="helloWorldService"/>
    </component>
  </service>
</model>
<!-- Service implementation bean. Its name is listed in autoProxyCreator's beanNames, so
     the instance handed to the Mule component is the security-proxied one (the reported
     stack trace shows the CGLIB-enhanced class). -->
<spring:bean
    id="helloWorldService"
    class="com.pulsen.cxf.services.HelloWorldImpl"/>
</mule>
The exception I get looks like this:
ERROR 2009-10-29 11:51:56,884 [httpConnector.receiver.2]
org.mule.service.DefaultServiceExceptionStrategy:
********************************************************************************
Message : Component that caused exception is:
SedaService{helloService}. Message payload is of type: String
Type : org.mule.api.service.ServiceException
Code : MULE_ERROR--2
JavaDoc :
http://www.mulesource.org/docs/site/current2/apidocs/org/mule/api/service/ServiceException.html
Payload : Tomas
********************************************************************************
Exception stack is:
1. An Authentication object was not found in the SecurityContext
(org.springframework.security.AuthenticationCredentialsNotFoundException)
org.springframework.security.intercept.AbstractSecurityInterceptor:342
(null)
2. Component that caused exception is: SedaService{helloService}. Message
payload is of type: String (org.mule.api.service.ServiceException)
org.mule.component.DefaultLifecycleAdapter:216
(http://www.mulesource.org/docs/site/current2/apidocs/org/mule/api/service/ServiceException.html)
********************************************************************************
Root Exception stack trace:
org.springframework.security.AuthenticationCredentialsNotFoundException: An
Authentication object was not found in the SecurityContext
at
org.springframework.security.intercept.AbstractSecurityInterceptor.credentialsNotFound(AbstractSecurityInterceptor.java:342)
at
org.springframework.security.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:254)
at
org.springframework.security.intercept.method.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:63)
at
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at
org.springframework.aop.framework.Cglib2AopProxy$DynamicAdvisedInterceptor.intercept(Cglib2AopProxy.java:635)
at
com.pulsen.cxf.services.HelloWorldImpl$$EnhancerByCGLIB$$a7766c41.sayHi(<generated>)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at
org.mule.model.resolvers.AbstractEntryPointResolver.invokeMethod(AbstractEntryPointResolver.java:154)
at
org.mule.model.resolvers.MethodHeaderPropertyEntryPointResolver.invoke(MethodHeaderPropertyEntryPointResolver.java:105)
at
org.mule.model.resolvers.DefaultEntryPointResolverSet.invoke(DefaultEntryPointResolverSet.java:50)
at
org.mule.component.DefaultLifecycleAdapter.invoke(DefaultLifecycleAdapter.java:205)
at
org.mule.component.AbstractJavaComponent.invokeComponentInstance(AbstractJavaComponent.java:83)
at
org.mule.component.AbstractJavaComponent.doInvoke(AbstractJavaComponent.java:74)
at
org.mule.component.AbstractComponent.invokeInternal(AbstractComponent.java:133)
at org.mule.component.AbstractComponent.invoke(AbstractComponent.java:161)
at
org.mule.service.AbstractService.invokeComponent(AbstractService.java:929)
at org.mule.model.seda.SedaService.doSend(SedaService.java:257)
at org.mule.service.AbstractService.sendEvent(AbstractService.java:500)
at org.mule.DefaultMuleSession.sendEvent(DefaultMuleSession.java:354)
at
org.mule.routing.inbound.DefaultInboundRouterCollection.send(DefaultInboundRouterCollection.java:228)
at
org.mule.routing.inbound.DefaultInboundRouterCollection.route(DefaultInboundRouterCollection.java:188)
at
org.mule.transport.AbstractMessageReceiver$DefaultInternalMessageListener.onMessage(AbstractMessageReceiver.java:364)
at
org.mule.transport.AbstractMessageReceiver.routeMessage(AbstractMessageReceiver.java:252)
at
org.mule.transport.AbstractMessageReceiver.routeMessage(AbstractMessageReceiver.java:175)
at org.mule.transport.cxf.MuleInvoker.invoke(MuleInvoker.java:108)
at
org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:56)
at
org.apache.cxf.workqueue.SynchronousExecutor.execute(SynchronousExecutor.java:37)
at
org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:92)
at
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:220)
at
org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:78)
at
org.mule.transport.cxf.CxfServiceComponent.sendToDestination(CxfServiceComponent.java:284)
at
org.mule.transport.cxf.CxfServiceComponent.onCall(CxfServiceComponent.java:112)
at
org.mule.model.resolvers.CallableEntryPointResolver.invoke(CallableEntryPointResolver.java:52)
at
org.mule.model.resolvers.DefaultEntryPointResolverSet.invoke(DefaultEntryPointResolverSet.java:50)
at
org.mule.component.DefaultLifecycleAdapter.invoke(DefaultLifecycleAdapter.java:205)
at
org.mule.component.AbstractJavaComponent.invokeComponentInstance(AbstractJavaComponent.java:83)
at
org.mule.component.AbstractJavaComponent.doInvoke(AbstractJavaComponent.java:74)
at
org.mule.component.AbstractComponent.invokeInternal(AbstractComponent.java:133)
at org.mule.component.AbstractComponent.invoke(AbstractComponent.java:161)
at
org.mule.service.AbstractService.invokeComponent(AbstractService.java:929)
at org.mule.model.seda.SedaService.doSend(SedaService.java:257)
at org.mule.service.AbstractService.sendEvent(AbstractService.java:500)
at org.mule.DefaultMuleSession.sendEvent(DefaultMuleSession.java:354)
at
org.mule.routing.inbound.DefaultInboundRouterCollection.send(DefaultInboundRouterCollection.java:228)
at
org.mule.routing.inbound.DefaultInboundRouterCollection.route(DefaultInboundRouterCollection.java:188)
at
org.mule.transport.AbstractMessageReceiver$DefaultInternalMessageListener.onMessage(AbstractMessageReceiver.java:364)
at
org.mule.transport.AbstractMessageReceiver.routeMessage(AbstractMessageReceiver.java:252)
at
org.mule.transport.AbstractMessageReceiver.routeMessage(AbstractMessageReceiver.java:193)
at
org.mule.transport.http.HttpMessageReceiver$HttpWorker.doRequest(HttpMes...
********************************************************************************
The LDAP authentication works if I remove the component authorization. If I
change the model so that it does not use WS-Security:
<service name="helloService">
<inbound>
<cxf:inbound-endpoint address="https://localhost:63081/hello"
synchronous="true">
<mule-ss:http-security-filter realm="mule-realm"
/>
<spring-object bean="helloWorldService" />
</component>
</service>
Then everything works: different users can call different methods
depending on group membership. But I still get errors in the log:
ERROR 2009-10-29 11:46:40,539 [httpConnector.receiver.2]
org.mule.config.i18n.CoreMessages: Failed to find message for id 134 in
resource bundle META-INF.services.org.mule.i18n.core-messages
WARN 2009-10-29 11:46:40,539 [httpConnector.receiver.2]
org.mule.transport.http.HttpsMessageReceiver: Request was made but was not
authenticated: Registered authentication is set to
org.mule.module.spring.security.filters.http.HttpBasicAuthenticationFilter
but there was no security context on the session. . Message payload is of
type: ContentLengthInputStream
org.mule.api.security.UnauthorisedException: Registered authentication is
set to
org.mule.module.spring.security.filters.http.HttpBasicAuthenticationFilter
but there was no security context on the session. . Message payload is of
type: ContentLengthInputStream
at
org.mule.module.spring.security.filters.http.HttpBasicAuthenticationFilter.authenticateInbound(HttpBasicAuthenticationFilter.java:164)
at
org.mule.security.AbstractEndpointSecurityFilter.authenticate(AbstractEndpointSecurityFilter.java:181)
at
org.mule.transport.AbstractMessageReceiver$DefaultInternalMessageListener.onMessage(AbstractMessageReceiver.java:335)
at
org.mule.transport.AbstractMessageReceiver.routeMessage(AbstractMessageReceiver.java:252)
at
org.mule.transport.AbstractMessageReceiver.routeMessage(AbstractMessageReceiver.java:193)
at
org.mule.transport.http.HttpMessageReceiver$HttpWorker.doRequest(HttpMessageReceiver.java:273)
at
org.mule.transport.http.HttpMessageReceiver$HttpWorker.processRequest(HttpMessageReceiver.java:227)
at
org.mule.transport.http.HttpMessageReceiver$HttpWorker.run(HttpMessageReceiver.java:190)
at org.mule.work.WorkerContext.run(WorkerContext.java:310)
at
edu.emory.mathcs.backport.java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1061)
at
edu.emory.mathcs.backport.java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:575)
at java.lang.Thread.run(Thread.java:595)
ERROR 2009-10-29 11:46:40,554 [httpConnector.receiver.2]
org.mule.DefaultExceptionStrategy:
********************************************************************************
Message : Registered authentication is set to
org.mule.module.spring.security.filters.http.HttpBasicAuthenticationFilter
but there was no security context on the session. . Message payload is of
type: ContentLengthInputStream
Type : org.mule.api.security.UnauthorisedException
Code : MULE_ERROR-54999
JavaDoc :
http://www.mulesource.org/docs/site/current2/apidocs/org/mule/api/security/UnauthorisedException.html
Payload :
org.apache.commons.httpclient.ContentLengthInputStream@ac2d3c
********************************************************************************
Exception stack is:
1. Registered authentication is set to
org.mule.module.spring.security.filters.http.HttpBasicAuthenticationFilter
but there was no security context on the session. . Message payload is of
type: ContentLengthInputStream (org.mule.api.security.UnauthorisedException)
org.mule.module.spring.security.filters.http.HttpBasicAuthenticationFilter:164
(http://www.mulesource.org/docs/site/current2/apidocs/org/mule/api/security/UnauthorisedException.html)
********************************************************************************
Root Exception stack trace:
org.mule.api.security.UnauthorisedException: Registered authentication is
set to
org.mule.module.spring.security.filters.http.HttpBasicAuthenticationFilter
but there was no security context on the session. . Message payload is of
type: ContentLengthInputStream
at
org.mule.module.spring.security.filters.http.HttpBasicAuthenticationFilter.authenticateInbound(HttpBasicAuthenticationFilter.java:164)
at
org.mule.security.AbstractEndpointSecurityFilter.authenticate(AbstractEndpointSecurityFilter.java:181)
at
org.mule.transport.AbstractMessageReceiver$DefaultInternalMessageListener.onMessage(AbstractMessageReceiver.java:335)
at
org.mule.transport.AbstractMessageReceiver.routeMessage(AbstractMessageReceiver.java:252)
at
org.mule.transport.AbstractMessageReceiver.routeMessage(AbstractMessageReceiver.java:193)
at
org.mule.transport.http.HttpMessageReceiver$HttpWorker.doRequest(HttpMessageReceiver.java:273)
at
org.mule.transport.http.HttpMessageReceiver$HttpWorker.processRequest(HttpMessageReceiver.java:227)
at
org.mule.transport.http.HttpMessageReceiver$HttpWorker.run(HttpMessageReceiver.java:190)
at org.mule.work.WorkerContext.run(WorkerContext.java:310)
at
edu.emory.mathcs.backport.java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1061)
at
edu.emory.mathcs.backport.java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:575)
at java.lang.Thread.run(Thread.java:595)
********************************************************************************
Any input on this is appreciated!!
/Tomas Blohm
// Wrap the authentication result in a Mule SecurityContext and store it on the session
// of the current event. The errors quoted in this thread ("no security context on the
// session") suggest this is where Mule's security filter expects to find it.
SecurityContext securityContext = getSecurityManager().createSecurityContext(authResult);
securityContext.setAuthentication(authResult);
event.getSession().setSecurityContext(securityContext);
Probably because the interceptor does not have access to the event (it is a CXF interceptor, not a Mule one). I am considering creating my own WSS authentication filter based on the HTTP one.
I've recently been trying to implement authentication and authorisation for a Mule (2.2.1) CXF Web Service using WS-Security and Spring Security with an LDAP provider. I encountered the same problems described in this thread: authentication works fine, but subsequent method-level authorisation fails because the SecurityContext is not propagated from the CXF 'context' to the wider MuleContext. I have developed my own 'work-around' based on the clues given here (essentially, I extended org.apache.ws.security.processor.UsernameTokenProcessor to make it MuleContextAware so that I can place the authenticated credentials into the SecurityContext).
I was just wondering whether, since the last post (30-Oct-2009), any progress has been made (perhaps in subsequent Mule releases) to fix this problem, so that a 'work-around' is no longer required?