Posted to users@cxf.apache.org by mattmadhavan <ma...@yahoo.com> on 2007/10/23 00:36:24 UTC
Re: Method level authentication?
Hi there!
Looks like you may have a complete solution which many folks are looking
for! Can you please post a complete (example) solution? It will be great if
you could do so!
Thanks
Matt
BigEHokie wrote:
>
> If you're using Spring and WSS4J, I'd also recommend looking at Acegi.
> We're using Acegi's method interceptor along with method level
> annotations to secure web services based on role and other custom
> granted authorities. It's a fairly easy solution once you have WSS4J and
> Acegi hooked together.
>
> On Tue, 2007-08-28 at 13:26 -0400, Daniel Kulp wrote:
>
>> Van,
>>
>> The answer is both yes and no.
>>
>> CXF doesn't have anything "built in" that would provide that capability.
>> However, it would be very easy to write an interceptor that would:
>>
>>
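>> import org.apache.cxf.configuration.security.AuthorizationPolicy;
>> import org.apache.cxf.interceptor.Fault;
>> import org.apache.cxf.message.Message;
>> import org.apache.cxf.phase.AbstractPhaseInterceptor;
>> import org.apache.cxf.phase.Phase;
>>
>> public class AuthorizationInterceptor extends
>>         AbstractPhaseInterceptor<Message> {
>>
>>     public AuthorizationInterceptor() {
>>         super(Phase.USER_LOGICAL);
>>     }
>>
>>     public void handleMessage(Message message) throws Fault {
>>         // Credentials supplied by the transport (e.g. HTTP Basic auth).
>>         AuthorizationPolicy policy =
>>             message.get(AuthorizationPolicy.class);
>>         // Read (not put) the operation being invoked.
>>         String opName = (String)message.get(Message.WSDL_OPERATION);
>>
>>         //use username/passwords from AuthorizationPolicy to validate.
>>         //Throw a fault or similar if processing should not continue.
>>     }
>> }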
>>
>>
>> There is also:
>> message.get(SecurityContext.class);
>> which can provide the principal object and checks for isUserInRole if
>> your deployment environment (tomcat/etc...) supports configurations of
>> users and roles on that level.
>>
>> Dan
>>
>>
>> On Tuesday 28 August 2007, vannguyen0 wrote:
>> > Hi,
>> >
>> > I'm fairly new to webservices and was wondering if CXF has the ability
>> > to restrict users to certain web services methods. If I have
>> > PerformProductSearch and UpdateProductInformation, I want to allow
>> > user A (or users that are in user group A) permission to only
>> > PerformProductSearch. But user B (or users that are in user group B)
>> > can access both methods.
>> >
>> > Thanks,
>> >
>> > Van
>>
>>
>>
>
>
--
View this message in context: http://www.nabble.com/Method-level-authentication--tf4342781.html#a13354095
Sent from the cxf-user mailing list archive at Nabble.com.
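
Added example (not code from any poster in this thread or from the CXF project): a deny-by-default version of the interceptor sketched above, combining the operation name with the SecurityContext role check for the two operations in the original question. The class name, the role names "groupA"/"groupB", and the assumption that the operation is available under Message.WSDL_OPERATION in this phase are illustrative.

```java
import java.util.Map;
import java.util.Set;
import javax.xml.namespace.QName;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.security.SecurityContext;

// Added example: per-operation role check that fails closed.
public class OperationRoleInterceptor extends AbstractPhaseInterceptor<Message> {

    // Operation names come from the question; role names are assumed.
    private static final Map<String, Set<String>> ALLOWED = Map.of(
        "PerformProductSearch", Set.of("groupA", "groupB"),
        "UpdateProductInformation", Set.of("groupB"));

    public OperationRoleInterceptor() {
        super(Phase.USER_LOGICAL);
    }

    @Override
    public void handleMessage(Message message) throws Fault {
        // Assumption: the operation is published under WSDL_OPERATION by this phase.
        // Accept either a QName or a plain string so the cast cannot fail.
        Object op = message.get(Message.WSDL_OPERATION);
        String opName = op instanceof QName ? ((QName) op).getLocalPart()
                      : op == null ? null : op.toString();
        Set<String> roles = opName == null ? null : ALLOWED.get(opName);
        SecurityContext sc = message.get(SecurityContext.class);

        // Fail closed: unlisted operation, no security context, or anonymous caller.
        if (roles == null || sc == null || sc.getUserPrincipal() == null) {
            throw new Fault(new SecurityException("Access denied"));
        }
        for (String role : roles) {
            if (sc.isUserInRole(role)) {
                return; // caller holds a role permitted for this operation
            }
        }
        throw new Fault(new SecurityException("Access denied"));
    }
}
```

Because the map is an allow-list, an operation added to the service later stays inaccessible until it is listed explicitly.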