Posted to users@cxf.apache.org by inteloid <ha...@gmail.com> on 2013/09/13 13:02:50 UTC

Re: @Secured @RolesAllowed integration

These examples are specific for Spring Security I assume? If so, what if I
use CXF Standard OAuth2 authorization?



--
View this message in context: http://cxf.547215.n5.nabble.com/Secured-RolesAllowed-integration-tp5730361p5733980.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: @Secured @RolesAllowed integration

Posted by Sergey Beryozkin <sb...@gmail.com>.
On 13/09/13 17:25, Sergey Beryozkin wrote:
> Hi
> On 13/09/13 12:02, inteloid wrote:
>> These examples are specific for Spring Security I assume? If so, what if I
>> use CXF Standard OAuth2 authorization?
>>
> Using RolesAllowed or @Secured is orthogonal to the use of OAuth2 access
> tokens.
I should've said it is complementary to the use of access tokens.
Sergey

>
> When a client accesses a server resource with its access token, OAuth2
> filter will retrieve a registered Client - this entity can have
> UserSubject initialized.
>
> If UserSubject is there then the OAuth2 filter will use it to populate a
> current SecurityContext that can be used with for example CXF
> SimpleAuthorizingInterceptor to enforce RBAC.
>
> Cheers, Sergey


-- 
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

Blog: http://sberyozkin.blogspot.com

Re: @Secured @RolesAllowed integration

Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi
On 13/09/13 12:02, inteloid wrote:
> These examples are specific for Spring Security I assume? If so, what if I
> use CXF Standard OAuth2 authorization?
>
Using RolesAllowed or @Secured is orthogonal to the use of OAuth2 access 
tokens.

When a client accesses a server resource with its access token, OAuth2 
filter will retrieve a registered Client - this entity can have 
UserSubject initialized.

If UserSubject is there then the OAuth2 filter will use it to populate a 
current SecurityContext that can be used with for example CXF 
SimpleAuthorizingInterceptor to enforce RBAC.

Cheers, Sergey



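The wiring described in the reply above, as an added example that is not part of the original thread: an OAuth2 filter validates the access token and populates the SecurityContext from the UserSubject, and SimpleAuthorizingInterceptor then enforces the role check. The resource class, role name, client id, address and the caller-supplied OAuthDataProvider are assumptions made for illustration.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

import javax.ws.rs.GET;
import javax.ws.rs.Path;

import org.apache.cxf.interceptor.security.SimpleAuthorizingInterceptor;
import org.apache.cxf.jaxrs.JAXRSServerFactoryBean;
import org.apache.cxf.rs.security.oauth2.common.Client;
import org.apache.cxf.rs.security.oauth2.common.UserSubject;
import org.apache.cxf.rs.security.oauth2.filters.OAuthRequestFilter;
import org.apache.cxf.rs.security.oauth2.provider.OAuthDataProvider;

public class OAuthRbacServer {

    @Path("/reports")
    public static class ReportService {          // hypothetical protected resource
        @GET
        public String list() { return "reports"; }
    }

    // Done where the data provider registers a client: attach the subject
    // whose roles will later be visible through the SecurityContext.
    public static Client registerClient() {
        Client client = new Client("report-client", "placeholder-secret", true);
        client.setSubject(new UserSubject("alice", Arrays.asList("report-reader")));
        return client;
    }

    // dataProvider is the application's own OAuthDataProvider (assumed to exist);
    // it resolves the presented access token to the registered Client.
    public static void start(OAuthDataProvider dataProvider) {
        OAuthRequestFilter oauthFilter = new OAuthRequestFilter();
        oauthFilter.setDataProvider(dataProvider);

        // Method name -> space-separated roles allowed to invoke it.
        Map<String, String> rolesMap = new HashMap<>();
        rolesMap.put("list", "report-reader");
        SimpleAuthorizingInterceptor authz = new SimpleAuthorizingInterceptor();
        authz.setMethodRolesMap(rolesMap);

        JAXRSServerFactoryBean sf = new JAXRSServerFactoryBean();
        sf.setAddress("http://localhost:8080/");  // constructed sample address
        sf.setServiceBean(new ReportService());
        sf.setProvider(oauthFilter);              // token check, fills SecurityContext
        sf.getInInterceptors().add(authz);        // RBAC check before invocation
        sf.create();
    }
}
```

A token whose subject lacks the `report-reader` role passes the OAuth2 filter but is rejected by the interceptor, so a valid token alone is not sufficient to reach `list()`.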