You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@cxf.apache.org by easternwahoo <ja...@siemens.com> on 2009/11/09 16:12:46 UTC
Strategy for CXF integration with Spring Security
We have a need for application authorization using Spring security. There is
a project in google containing what looks like a solution:
http://code.google.com/p/cxf-spring-security/ . Is this slated for a future
release of CXF?
--
View this message in context: http://old.nabble.com/Strategy-for-CXF-integration-with-Spring-Security-tp26268002p26268002.html
Sent from the cxf-user mailing list archive at Nabble.com.
Re: Strategy for CXF integration with Spring Security
Posted by Daniel Kulp <dk...@apache.org>.
Andreas,
Thanks for all the information about the stuff there at google. That's
really cool.
That said, as an Apache committer, you should be able to do all of this in the
CXF sandbox:
http://svn.apache.org/repos/asf/cxf/sandbox/
The sandbox is completely open to any Apache committer. If it's in there,
things like Apache JIRA's can be linked with svn commits, we can just "svn
merge" the changes over, etc....
It might be good if some of the below bullets could be broken into individual
JIRA's and dirs in the sandbox. It's possible that maybe one or two could be
merged over already.
Anyway, it's a thought. Not sure if you were aware of the sandbox or not.
Dan
On Mon November 9 2009 3:34:51 pm Andreas Veithen wrote:
> Indeed, after the discussion [1] on the mailing list around CXF and
> Spring Security I put the code into a temporary project on Google
> Code. Unfortunately, shortly afterwards I got absorbed by other things
> and the project got somewhat stalled. Here is what I have for the
> moment:
>
> - An implementation of a (server side) password callback handler that
> integrates WS-Security with Spring Security. It delegates
> authentication (for UsernameToken) to Spring Security.
> - A feature (in the sense of org.apache.cxf.feature) that sets up a
> service to enable annotation based authorization. It binds the
> Authentication object provided by the password callback handler (or
> any other interceptor) to the thread that executes the service
> implementation. This works with JAX-WS and JAX-RS.
> - An initial implementation of an interceptor that implements HTTP
> Basic Authentication. This can be used as an alternative for the
> traditional servlet filter based implementation in Spring Security.
> - A Spring namespace handler defining some custom configuration tags
> that make configuration easier and that nicely integrate with the
> custom tags defined by Spring Security.
>
> It's not yet ready for inclusion in CXF, but as I indicated in the
> description of the project in Google Code, it is of course the
> intention to do this. I think that if we have some users who test the
> code and provide feedback and with the help of some CXF people to
> guide us in writing systests and documentation, it should be possible
> to achieve that goal.
>
> Please explain your use case a bit further so that we can work
> together to see how we can implement that use case.
>
> Regards,
>
> Andreas
>
> [1]
> http://old.nabble.com/CXF-%2B-JAX-RS-%2B-Spring-Security-(Acegi)-for-autho
> rization-td25462665.html
>
> On Mon, Nov 9, 2009 at 16:54, Sergey Beryozkin <sb...@progress.com>
wrote:
> > Hi,
> >
> >> We have a need for application authorization using Spring security.
> >> There is
> >> a project in google containing what looks like a solution:
> >> http://code.google.com/p/cxf-spring-security/ . Is this slated for a
> >> future
> >> release of CXF?
> >
> > It's good to see Andreas actualy going ahead with this
> > project...Hopefully we'll get it integrated with CXF eventually, but I'm
> > not aware when it might happen.
> >
> > We have some simple Spring Security JAXRS system tests [1]. But they
> > might be of help even if you do JAX-WS. Though if you need to bridge
> > between WS-Security and Spring Security, then those tests won't give
> > enough info...Andreas and other users who've had some relevant experience
> > may help...
> >
> > cheers, Sergey
> >
> > [1]
> > http://svn.apache.org/repos/asf/cxf/trunk/systests/jaxrs/src/test/java/or
> >g/apache/cxf/systest/jaxrs/security/ (contains all the tests and
> > resources)
> >
> > corresponding web apps :
> >
> > [2]
> > http://svn.apache.org/repos/asf/cxf/trunk/systests/jaxrs/src/test/resourc
> >es/jaxrs_security/ [3]
> > http://svn.apache.org/repos/asf/cxf/trunk/systests/jaxrs/src/test/resourc
> >es/jaxrs_security_cglib/ [4]
> > http://svn.apache.org/repos/asf/cxf/trunk/systests/jaxrs/src/test/resourc
> >es/jaxrs_security_no_annotations/
> >
> >> --
> >> View this message in context:
> >> http://old.nabble.com/Strategy-for-CXF-integration-with-Spring-Security-
> >>tp26268002p26268002.html Sent from the cxf-user mailing list archive at
> >> Nabble.com.
>
--
Daniel Kulp
dkulp@apache.org
http://www.dankulp.com/blog
Re: Strategy for CXF integration with Spring Security
Posted by Andreas Veithen <an...@gmail.com>.
On Tue, Jan 19, 2010 at 22:28, Scott Parkerson
<sc...@gmail.com> wrote:
>>
>> It's not yet ready for inclusion in CXF, but as I indicated in the
>> description of the project in Google Code, it is of course the
>> intention to do this. I think that if we have some users who test the
>> code and provide feedback and with the help of some CXF people to
>> guide us in writing systests and documentation, it should be possible
>> to achieve that goal.
>>
>
> Andreas:
>
> I'm interested in picking the CXF Spring Security work where you left it
> off. I'm mainly interested in making a build that would work within Apache
> Servicemix 4 (OSGi). This would currently mean taking the current pom and
> modifying it to build a bundle with the appropriate exports/imports in the
> Manifest.
Great. I added you as a committer to the Google Code project. Feel
free to commit changes. I will watch and review.
Hopefully I will find some time to continue working on this myself. It
has been on my todo list for too much time.
Andreas
> As for what still *needs* to be done before it's ready for inclusion in
> CXF... can anyone else in the CXF dev team shed some light on that? I've got
> some time to work on this, as we are going to be using Spring Security + CXF
> at my job.
>
> --sgp
>
Re: Strategy for CXF integration with Spring Security
Posted by Scott Parkerson <sc...@gmail.com>.
>
> It's not yet ready for inclusion in CXF, but as I indicated in the
> description of the project in Google Code, it is of course the
> intention to do this. I think that if we have some users who test the
> code and provide feedback and with the help of some CXF people to
> guide us in writing systests and documentation, it should be possible
> to achieve that goal.
>
Andreas:
I'm interested in picking the CXF Spring Security work where you left it
off. I'm mainly interested in making a build that would work within
Apache Servicemix 4 (OSGi). This would currently mean taking the current
pom and modifying it to build a bundle with the appropriate
exports/imports in the Manifest.
As for what still *needs* to be done before it's ready for inclusion in
CXF... can anyone else in the CXF dev team shed some light on that? I've
got some time to work on this, as we are going to be using Spring
Security + CXF at my job.
--sgp
Re: Strategy for CXF integration with Spring Security
Posted by Andreas Veithen <an...@gmail.com>.
Indeed, after the discussion [1] on the mailing list around CXF and
Spring Security I put the code into a temporary project on Google
Code. Unfortunately, shortly afterwards I got absorbed by other things
and the project got somewhat stalled. Here is what I have for the
moment:
- An implementation of a (server side) password callback handler that
integrates WS-Security with Spring Security. It delegates
authentication (for UsernameToken) to Spring Security.
- A feature (in the sense of org.apache.cxf.feature) that sets up a
service to enable annotation based authorization. It binds the
Authentication object provided by the password callback handler (or
any other interceptor) to the thread that executes the service
implementation. This works with JAX-WS and JAX-RS.
- An initial implementation of an interceptor that implements HTTP
Basic Authentication. This can be used as an alternative for the
traditional servlet filter based implementation in Spring Security.
- A Spring namespace handler defining some custom configuration tags
that make configuration easier and that nicely integrate with the
custom tags defined by Spring Security.
It's not yet ready for inclusion in CXF, but as I indicated in the
description of the project in Google Code, it is of course the
intention to do this. I think that if we have some users who test the
code and provide feedback and with the help of some CXF people to
guide us in writing systests and documentation, it should be possible
to achieve that goal.
Please explain your use case a bit further so that we can work
together to see how we can implement that use case.
Regards,
Andreas
[1] http://old.nabble.com/CXF-%2B-JAX-RS-%2B-Spring-Security-(Acegi)-for-authorization-td25462665.html
On Mon, Nov 9, 2009 at 16:54, Sergey Beryozkin <sb...@progress.com> wrote:
> Hi,
>
>> We have a need for application authorization using Spring security. There
>> is
>> a project in google containing what looks like a solution:
>> http://code.google.com/p/cxf-spring-security/ . Is this slated for a
>> future
>> release of CXF?
>
> It's good to see Andreas actualy going ahead with this project...Hopefully
> we'll get it integrated with CXF eventually, but I'm not aware when it might
> happen.
>
> We have some simple Spring Security JAXRS system tests [1]. But they might
> be of help even if you do JAX-WS. Though if you need to bridge between
> WS-Security and Spring Security, then those tests won't give enough
> info...Andreas and other users who've had some relevant experience may
> help...
>
> cheers, Sergey
>
> [1]
> http://svn.apache.org/repos/asf/cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/
> (contains all the tests and resources)
>
> corresponding web apps :
>
> [2]
> http://svn.apache.org/repos/asf/cxf/trunk/systests/jaxrs/src/test/resources/jaxrs_security/
> [3]
> http://svn.apache.org/repos/asf/cxf/trunk/systests/jaxrs/src/test/resources/jaxrs_security_cglib/
> [4]
> http://svn.apache.org/repos/asf/cxf/trunk/systests/jaxrs/src/test/resources/jaxrs_security_no_annotations/
>
>> --
>> View this message in context:
>> http://old.nabble.com/Strategy-for-CXF-integration-with-Spring-Security-tp26268002p26268002.html
>> Sent from the cxf-user mailing list archive at Nabble.com.
>>
>
>
Re: Strategy for CXF integration with Spring Security
Posted by Sergey Beryozkin <sb...@progress.com>.
Hi,
> We have a need for application authorization using Spring security. There is
> a project in google containing what looks like a solution:
> http://code.google.com/p/cxf-spring-security/ . Is this slated for a future
> release of CXF?
It's good to see Andreas actualy going ahead with this project...Hopefully we'll get it integrated with CXF eventually, but I'm not
aware when it might happen.
We have some simple Spring Security JAXRS system tests [1]. But they might be of help even if you do JAX-WS. Though if you need to
bridge between WS-Security and Spring Security, then those tests won't give enough info...Andreas and other users who've had some
relevant experience may help...
cheers, Sergey
[1] http://svn.apache.org/repos/asf/cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/ (contains all the
tests and resources)
corresponding web apps :
[2] http://svn.apache.org/repos/asf/cxf/trunk/systests/jaxrs/src/test/resources/jaxrs_security/
[3] http://svn.apache.org/repos/asf/cxf/trunk/systests/jaxrs/src/test/resources/jaxrs_security_cglib/
[4] http://svn.apache.org/repos/asf/cxf/trunk/systests/jaxrs/src/test/resources/jaxrs_security_no_annotations/
> --
> View this message in context: http://old.nabble.com/Strategy-for-CXF-integration-with-Spring-Security-tp26268002p26268002.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>