You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@cxf.apache.org by Barry Fitzgerald <ba...@gmail.com> on 2008/02/19 11:23:57 UTC
Restful Declarative security?
Hi all,
Just a general question - I'm using the JAX-RS implementation in CXF 2.1 for
writing services and I have a requirement to secure certain aspects of the
service.
For example - I want everyone to be able to read a user but only certain
people to update to a user. In a Restful these two calls would both be
passed to the same url (update a POST, read a GET)
Almost all security solutions I know simply protect URL's and can't protect
a url for POST's but not for GET's.
Has anyone else come across this problem? Any solutions/ workarounds?
Obviously I could protect the calls programmatically but this seems a step
backwards.
Thanks,
Barry
Re: Restful Declarative security?
Posted by Sergey Beryozkin <se...@iona.com>.
Hi
jsr-311 api 0.6 introduces a SecurityContext[1] to be available to a user code.
Using Acegi (provided Acegi is enhanced a bit) as originally suggested by Donal
seems like a more scalable solution in terms of the code maintenance.
Cheers, Sergey
[1] https://jsr311.dev.java.net/nonav/releases/0.6/index.html
----- Original Message -----
From: "Arundel, Donal" <do...@iona.com>
To: <cx...@incubator.apache.org>
Sent: Tuesday, February 19, 2008 4:18 PM
Subject: RE: Restful Declarative security?
Hi again Barry,
While I haven't tried this myself yet I imagine that an alternate
feasible approach would be to use the ACEGI AOP support for annotations
to allow you to associate roles with the JAX-RS implementation classes.
ACEGI can be used to do a certain level of Authentication and
authorization at the Servlet Filter level, limited to specifying Roles
for a given RESt resource as mentioned in my post below.
However ACEGI can also can be used to provide authorization level
support for implementation code via its use of AOP and annotations (see
the ACEGI docs for the Aspect-J and AOP-Alliance AOP implementations).
This approach would possibly allow you to achieve what you want without
needing to extend ACEGI.
Maybe have a look at:
http://www.acegisecurity.org/
Personally I'm not a huge fan of deployment specific annotations being
embedded directly in code though, I would prefer the approach mentioned
in my first mail. Security Roles are usually deployment specific data
and supplying the actual values via annotations has operational
consequences in terms of deployment, administration, and ease of
modification.
Obviously whether something is appropriate depends on many factors,
and it might be okay for you.
Cheers,
Donal
-----Original Message-----
From: Arundel, Donal [mailto:donal.arundel@iona.com]
Sent: 19 February 2008 12:50
To: cxf-user@incubator.apache.org
Subject: RE: Restful Declarative security?
Hi Barry,
I have recently noticed that it would be a nice extension to ACEGI to
support REST in this fashion. I personally think that URL pattern-based
RBAC ACL would work really nicely with ACEGI and REST.
ACEGI doesn't provide the ability to specify ACL based on the type of
HTTP operation involved.
This means that ACEGI doesn't naturally support REST out of the box,
if you care about modification versus view semantics (which you do).
The syntax ACEGI uses to specify the RBAC ACL patterns would need to be
overhauled a bit to support this in an ergonomic fashion.
It seems like this would be a very nice and very reusable little project
though :-)
Cheers,
Donal
-----Original Message-----
From: Barry Fitzgerald [mailto:barfitzgerald@gmail.com]
Sent: 19 February 2008 10:24
To: cxf-user@incubator.apache.org
Subject: Restful Declarative security?
Hi all,
Just a general question - I'm using the JAX-RS implementation in CXF 2.1
for
writing services and I have a requirement to secure certain aspects of
the
service.
For example - I want everyone to be able to read a user but only certain
people to update to a user. In a Restful these two calls would both be
passed to the same url (update a POST, read a GET)
Almost all security solutions I know simply protect URL's and can't
protect
a url for POST's but not for GET's.
Has anyone else come across this problem? Any solutions/ workarounds?
Obviously I could protect the calls programmatically but this seems a
step
backwards.
Thanks,
Barry
----------------------------
IONA Technologies PLC (registered in Ireland)
Registered Number: 171387
Registered Address: The IONA Building, Shelbourne Road, Dublin 4,
Ireland
----------------------------
IONA Technologies PLC (registered in Ireland)
Registered Number: 171387
Registered Address: The IONA Building, Shelbourne Road, Dublin 4, Ireland
----------------------------
IONA Technologies PLC (registered in Ireland)
Registered Number: 171387
Registered Address: The IONA Building, Shelbourne Road, Dublin 4, Ireland
RE: Restful Declarative security?
Posted by "Arundel, Donal" <do...@iona.com>.
Hi again Barry,
While I haven't tried this myself yet I imagine that an alternate
feasible approach would be to use the ACEGI AOP support for annotations
to allow you to associate roles with the JAX-RS implementation classes.
ACEGI can be used to do a certain level of Authentication and
authorization at the Servlet Filter level, limited to specifying Roles
for a given RESt resource as mentioned in my post below.
However ACEGI can also can be used to provide authorization level
support for implementation code via its use of AOP and annotations (see
the ACEGI docs for the Aspect-J and AOP-Alliance AOP implementations).
This approach would possibly allow you to achieve what you want without
needing to extend ACEGI.
Maybe have a look at:
http://www.acegisecurity.org/
Personally I'm not a huge fan of deployment specific annotations being
embedded directly in code though, I would prefer the approach mentioned
in my first mail. Security Roles are usually deployment specific data
and supplying the actual values via annotations has operational
consequences in terms of deployment, administration, and ease of
modification.
Obviously whether something is appropriate depends on many factors,
and it might be okay for you.
Cheers,
Donal
-----Original Message-----
From: Arundel, Donal [mailto:donal.arundel@iona.com]
Sent: 19 February 2008 12:50
To: cxf-user@incubator.apache.org
Subject: RE: Restful Declarative security?
Hi Barry,
I have recently noticed that it would be a nice extension to ACEGI to
support REST in this fashion. I personally think that URL pattern-based
RBAC ACL would work really nicely with ACEGI and REST.
ACEGI doesn't provide the ability to specify ACL based on the type of
HTTP operation involved.
This means that ACEGI doesn't naturally support REST out of the box,
if you care about modification versus view semantics (which you do).
The syntax ACEGI uses to specify the RBAC ACL patterns would need to be
overhauled a bit to support this in an ergonomic fashion.
It seems like this would be a very nice and very reusable little project
though :-)
Cheers,
Donal
-----Original Message-----
From: Barry Fitzgerald [mailto:barfitzgerald@gmail.com]
Sent: 19 February 2008 10:24
To: cxf-user@incubator.apache.org
Subject: Restful Declarative security?
Hi all,
Just a general question - I'm using the JAX-RS implementation in CXF 2.1
for
writing services and I have a requirement to secure certain aspects of
the
service.
For example - I want everyone to be able to read a user but only certain
people to update to a user. In a Restful these two calls would both be
passed to the same url (update a POST, read a GET)
Almost all security solutions I know simply protect URL's and can't
protect
a url for POST's but not for GET's.
Has anyone else come across this problem? Any solutions/ workarounds?
Obviously I could protect the calls programmatically but this seems a
step
backwards.
Thanks,
Barry
----------------------------
IONA Technologies PLC (registered in Ireland)
Registered Number: 171387
Registered Address: The IONA Building, Shelbourne Road, Dublin 4,
Ireland
----------------------------
IONA Technologies PLC (registered in Ireland)
Registered Number: 171387
Registered Address: The IONA Building, Shelbourne Road, Dublin 4, Ireland
RE: Restful Declarative security?
Posted by "Arundel, Donal" <do...@iona.com>.
Hi Barry,
I have recently noticed that it would be a nice extension to ACEGI to
support REST in this fashion. I personally think that URL pattern-based
RBAC ACL would work really nicely with ACEGI and REST.
ACEGI doesn't provide the ability to specify ACL based on the type of
HTTP operation involved.
This means that ACEGI doesn't naturally support REST out of the box,
if you care about modification versus view semantics (which you do).
The syntax ACEGI uses to specify the RBAC ACL patterns would need to be
overhauled a bit to support this in an ergonomic fashion.
It seems like this would be a very nice and very reusable little project
though :-)
Cheers,
Donal
-----Original Message-----
From: Barry Fitzgerald [mailto:barfitzgerald@gmail.com]
Sent: 19 February 2008 10:24
To: cxf-user@incubator.apache.org
Subject: Restful Declarative security?
Hi all,
Just a general question - I'm using the JAX-RS implementation in CXF 2.1
for
writing services and I have a requirement to secure certain aspects of
the
service.
For example - I want everyone to be able to read a user but only certain
people to update to a user. In a Restful these two calls would both be
passed to the same url (update a POST, read a GET)
Almost all security solutions I know simply protect URL's and can't
protect
a url for POST's but not for GET's.
Has anyone else come across this problem? Any solutions/ workarounds?
Obviously I could protect the calls programmatically but this seems a
step
backwards.
Thanks,
Barry
----------------------------
IONA Technologies PLC (registered in Ireland)
Registered Number: 171387
Registered Address: The IONA Building, Shelbourne Road, Dublin 4, Ireland