Employee

Talend Authorization at Tomcat CXF Service

Hi.
We are able to run our services in Tomcat too. Currently I have an issue with enabling authorization. Service Registry and Service Locator are enabled. Service Registry is configured to enforce Authentication and Authorization. All is working without authorization.
Unfortunately I cannot find a sample for Tomcat deployment.
I think I have to do the following steps:
1. Add the Authorization dependency to my maven project.
        <dependency>
            <groupId>org.talend.esb.authorization</groupId>
            <artifactId>tesb-xacml-pdp-api</artifactId>
            <version>${project.version}</version>
        </dependency>
2. Create and add some configuration for PEP
   But I cannot find the "Tomcat-style" configuration there.
I found only an OSGi sample. In OSGi, configuration is done in a different way. (org.talend.esb.authorization.pep.cfg)
Any ideas? Or maybe some sample?
With best regards
Christian
3 REPLIES
Employee

Re: Talend Authorization at Tomcat CXF Service

Hi Christian,
I think these two posts from my blog should be helpful to you:
janbernhardt.blogspot.de/2014/09/rest-security-saml-authentication-xacml.html
janbernhardt.blogspot.de/2014/10/using-talend-pdp-ouside-of-osgi.html
You basically need to add the following dependency to your project:
<dependency>
   <groupId>org.talend.esb.authorization</groupId>
   <artifactId>tesb-xacml-rt</artifactId>
   <version>5.4.1</version>
</dependency>

and then add the PEP Interceptor to your service:
<bean class="org.talend.esb.authorization.xacml.rt.pep.CXFXACMLAuthorizingInterceptor" id="XACMLInterceptor">
   <property name="pdpAddress" value="" />
</bean>

Hope that helps!
Regards
Jan
Employee

Re: Talend Authorization at Tomcat CXF Service

Thanks,
that sounds good. I could not find it directly in the sources. Do you know what happens if you enable this interceptor, and your WS-policy in the service registry doesn't contain an authorization policy?
I think it will enforce authorization even if it is not enforced by the registry.
With best regards
Christian
Employee

Re: Talend Authorization at Tomcat CXF Service

Christian,
For the SR + authorization policy use case, setting the CXF property "tesb.pdp.address" on the provider endpoint would be OK. You don't need to create a CXFXACMLAuthorizingInterceptor anymore, because org.talend.esb.authorization.xacml.rt.pep.AuthorizationPolicyInterceptorProvider will do it:
CXFXACMLAuthorizingInterceptor authzInterceptor =
    new CXFXACMLAuthorizingInterceptor(true);
authzInterceptor.setRequireRoles(requireRoles);
authzInterceptor.setPdpAddress(pdpAddress);
authzInterceptor.setPolicyDecisionPoint(pdp);
message.getInterceptorChain().add(authzInterceptor);
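
The two approaches from the replies above, side by side in a Spring context for a CXF service deployed in Tomcat. This is an added example, not part of the original thread or Talend's own samples. The endpoint ids, the implementor class com.example.OrderServiceImpl, the addresses, and the PDP_ADDRESS_PLACEHOLDER value are assumptions, and attaching the interceptor as an inbound interceptor is assumed from its role as a PEP.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:jaxws="http://cxf.apache.org/jaxws"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans.xsd
         http://cxf.apache.org/jaxws
         http://cxf.apache.org/schemas/jaxws.xsd">

  <!-- Option A (Jan's reply): declare the PEP interceptor explicitly.
       The thread leaves pdpAddress empty; replace the placeholder with
       the address of your PDP. -->
  <bean id="XACMLInterceptor"
        class="org.talend.esb.authorization.xacml.rt.pep.CXFXACMLAuthorizingInterceptor">
    <property name="pdpAddress" value="PDP_ADDRESS_PLACEHOLDER"/>
  </bean>

  <!-- Hypothetical endpoint. Interceptors listed under jaxws:inInterceptors
       are added to this endpoint's inbound chain by the Spring configuration
       itself, independently of any WS-Policy attached to the service. -->
  <jaxws:endpoint id="orderServiceExplicitPep"
                  implementor="com.example.OrderServiceImpl"
                  address="/OrderServiceExplicit">
    <jaxws:inInterceptors>
      <ref bean="XACMLInterceptor"/>
    </jaxws:inInterceptors>
  </jaxws:endpoint>

  <!-- Option B (last reply): Service Registry + authorization policy.
       Only the "tesb.pdp.address" property is set on the provider endpoint;
       per that reply, AuthorizationPolicyInterceptorProvider creates and
       adds the interceptor itself, so no interceptor bean is declared. -->
  <jaxws:endpoint id="orderServicePolicyPep"
                  implementor="com.example.OrderServiceImpl"
                  address="/OrderServicePolicy">
    <jaxws:properties>
      <entry key="tesb.pdp.address" value="PDP_ADDRESS_PLACEHOLDER"/>
    </jaxws:properties>
  </jaxws:endpoint>
</beans>
```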