topic Re: Talend Authorization at Tomcat CXF Service in Talend Studio

Talend Authorization at Tomcat CXF Service

Anonymous — Sat, 16 Nov 2024 10:45:24 GMT

Hi.
We are able to run our services in tomcat too. Currently I have an issue with enabling authorization. Service Registry and Service Locator is enabled. Service Registry is configured to enforce Authentication and Authorization. All is working without authorization.
Unfortunately I cannot find a sample for tomcat deployment.
I think I have to do the following steps:
1. Add the Authorization dependency to my maven project.
<dependency>
            <groupId>org.talend.esb.authorization</groupId>
            <artifactId>tesb-xacml-pdp-api</artifactId>
            <version>${project.version}</version>
        </dependency>
2. Create and add some configuration for PEP
   But I cannot find there the "tomcat-style" configuration
I found only an OSGi sample. At OSGi configuration is done in different way. (org.talend.esb.authorization.pep.cfg)
Any ideas? Or maybe some sample?
With best regards
Christian

Re: Talend Authorization at Tomcat CXF Service

Anonymous — Thu, 03 Mar 2016 11:42:38 GMT

Hi Christian,
I think these two Posts from my Blog should be helpful to you:
janbernhardt.blogspot.de/2014/09/rest-security-saml-authentication-xacml.html
janbernhardt.blogspot.de/2014/10/using-talend-pdp-ouside-of-osgi.html
You basically need to add the following dependency to you project:

<dependency>
    <groupId>org.talend.esb.authorization</groupId>
    <artifactId>tesb-xacml-rt</artifactId>
    <version>5.4.1</version>
</dependency>

and then add the PEP Interceptor to your service:

<bean class="org.talend.esb.authorization.xacml.rt.pep.CXFXACMLAuthorizingInterceptor" id="XACMLInterceptor">
	<property name="pdpAddress" value="" />
</bean>

Hope that helps!
Regards
Jan

Re: Talend Authorization at Tomcat CXF Service

Anonymous — Thu, 03 Mar 2016 12:47:15 GMT

Thanks,
that sounds good. I could not find it directly in the sources. Do you know what happens if you enable this interceptor, and your WS-policy in the service registry doesn't contain an authorization policy?
I think it will enforce authorization even if it is not enforced by the registry.
With best regards
Christian

Re: Talend Authorization at Tomcat CXF Service

Anonymous — Tue, 17 May 2016 03:20:36 GMT

Christian,
For SR + authorization policy use case, setting cxf property "tesb.pdp.address" on the provider endpoint would be OK, you don't need to create CXFXACMLAuthorizingInterceptor anymore, because org.talend.esb.authorization.xacml.rt.pep.AuthorizationPolicyInterceptorProvider will do it

                    CXFXACMLAuthorizingInterceptor authzInterceptor = 
                        new CXFXACMLAuthorizingInterceptor(true);
                    authzInterceptor.setRequireRoles(requireRoles);
                    authzInterceptor.setPdpAddress(pdpAddress);
                    authzInterceptor.setPolicyDecisionPoint(pdp);
                    message.getInterceptorChain().add(authzInterceptor);