How to configure a CXF based web service running in Fuse ESB to authenticate and authorize against JAAS realm defined in the ESB?

Solution Verified - Updated -


  • Fuse ESB Enterprise 7.x
  • Red hat JBoss Fuse
    • 6.0.0


  • We have a camel-cxf SOAP web service deployed as an end point using user name password token, We want to validate the user name and password using the karaf realm.
  • What configuration are need to make the WSS4J authenticate the user name password using the JAAS karaf realm in the container?

  • When deploying a CXF based web service that needs authentication and access control into Fuse ESB, it is desirable to authenticate against the JAAS realm already defined by the ESB. How can this be achieved?


CXF based Web Services can be configured for authentication and authorization.
See the Web Services Security Guide for additional documentation on this subject.


When deploying such Web Service into Fuse ESB, it is desirable to authenticate the client against the JAAS realm already defined by the ESB. This realm has the name "karaf".
Both transport level based authentication (i.e. HTTP Basic or Digest authentication) as well as message level authentication (i.e. WSS-Security UsernameToken) are supported.
The main idea is to use the CXF JAASLoginInterceptor and configure it to use the "karaf" realm:

<bean id="authenticationInterceptor" class="">
<property name="contextName" value="karaf"/>

This JAAS interceptor can be combined with the WSS4JInInterceptor that extracts security credentials from the WSS-Security SOAP header.
In this case it is necessary to also configure

<entry key="ws-security.validate.token" value="false"/>

as otherwise the WSS4JInInterceptor tries to authenticate the extracted credentials by default. But this needs to be delegated to the JAASLoginInterceptor instead.

There is a demo in the Fuse ESB 7.1 release in examples/secure-soap that illustrates these concepts.


Sometimes authentication is not enough and authorization is needed as well.
Authorization isn't well documented in CXF. It is briefly covered in the Security Guide.
One option to enable authorization is to use the SimpleAuthorizingInterceptor

<bean id="authorizationInterceptor" class="">
<property name="methodRolesMap">
<entry key="sayHi" value="web"/>
<property name="globalRoles" value="admin web"/>

and define which roles can invoke what WSDL operations within the interceptor configuration.
The methodRolesMap configuration lists the WSDL operations explicitly and names the required roles for invoking these operations. Note that wildcards are not supported, the operation names have to match exactly.
In order to declare default roles that are required for any WSDL operation, which is not explicitly listed in the methodRolesMap, one can use the globalRoles property and list the roles that are required by default (space separated).

When combining the SimpleAuthorizingInterceptor with the JAASLoginInterceptor some additional tuning is needed:

<bean id="authenticationInterceptor" class="">
<property name="contextName" value="karaf"/>
<property name="roleClassifier" value="RolePrincipal"/>
<property name="roleClassifierType" value="classname"/>

The latter two properties are needed when authenticating against a JAAS realm that uses different Java types of security Principals as it is done by Karaf. See for more info.

The full CXF configuration can be found here, while the entire demo can be obtained here. This same demo is also attached to this article.


This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.