How to configure a CXF based web service running in Fuse ESB to authenticate and authorize against JAAS realm defined in the ESB?

Resolution

CXF based Web Services can be configured for authentication and authorization.
See the Web Services Security Guide for additional documentation on this subject.

Authentication

When deploying such Web Service into Fuse ESB, it is desirable to authenticate the client against the JAAS realm already defined by the ESB. This realm has the name "karaf".
Both transport level based authentication (i.e. HTTP Basic or Digest authentication) as well as message level authentication (i.e. WSS-Security UsernameToken) are supported.
The main idea is to use the CXF JAASLoginInterceptor and configure it to use the "karaf" realm:

<bean id="authenticationInterceptor" class="org.apache.cxf.interceptor.security.JAASLoginInterceptor">
  <property name="contextName" value="karaf"/>
</bean>

This JAAS interceptor can be combined with the WSS4JInInterceptor that extracts security credentials from the WSS-Security SOAP header.
In this case it is necessary to also configure

<jaxws:properties>
  <entry key="ws-security.validate.token" value="false"/>
</jaxws:properties>

as otherwise the WSS4JInInterceptor tries to authenticate the extracted credentials by default. But this needs to be delegated to the JAASLoginInterceptor instead.

There is a demo in the Fuse ESB 7.1 release in examples/secure-soap that illustrates these concepts.

Authorization

Sometimes authentication is not enough and authorization is needed as well.
Authorization isn't well documented in CXF. It is briefly covered in the Security Guide.
One option to enable authorization is to use the SimpleAuthorizingInterceptor

<bean id="authorizationInterceptor" class="org.apache.cxf.interceptor.security.SimpleAuthorizingInterceptor">
  <property name="methodRolesMap">
    <map>
      <entry key="sayHi" value="web"/>
    </map>
  </property>
  <property name="globalRoles" value="admin web"/>
</bean>

and define which roles can invoke what WSDL operations within the interceptor configuration.
The methodRolesMap configuration lists the WSDL operations explicitly and names the required roles for invoking these operations. Note that wildcards are not supported, the operation names have to match exactly.
In order to declare default roles that are required for any WSDL operation, which is not explicitly listed in the methodRolesMap, one can use the globalRoles property and list the roles that are required by default (space separated).

When combining the SimpleAuthorizingInterceptor with the JAASLoginInterceptor some additional tuning is needed:

<bean id="authenticationInterceptor" class="org.apache.cxf.interceptor.security.JAASLoginInterceptor">
   <property name="contextName" value="karaf"/>
   <property name="roleClassifier" value="RolePrincipal"/>
   <property name="roleClassifierType" value="classname"/>
</bean>

The latter two properties are needed when authenticating against a JAAS realm that uses different Java types of security Principals as it is done by Karaf. See http://cxf.apache.org/docs/security.html for more info.

The full CXF configuration can be found here, while the entire demo can be obtained here. This same demo is also attached to this article.