Posted to users@cxf.apache.org by mattmadhavan <ma...@yahoo.com> on 2007/10/23 00:36:24 UTC

Re: Method level authentication?

Hi there!

Looks like you may have a complete solution which many folks are looking
for! Can you please post a complete (example) solution? It will be great if
you could do so!


Thanks
Matt



BigEHokie wrote:
> 
> If you're using Spring and WSS4J, I'd also recommend looking at Acegi.
> We're using Acegi's method interceptor along with method level
> annotations to secure web services based on role and other custom
> granted authorities.  It's a fairly easy solution once you have WSS4J and
> Acegi hooked together.
> 
> On Tue, 2007-08-28 at 13:26 -0400, Daniel Kulp wrote:
> 
>> Van,
>> 
>> The answer is both yes and no.
>> 
>> CXF doesn't have anything "built in" that would provide that capability.   
>> However, it would be very easy to write an interceptor that would:
>> 
>> 
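>> import org.apache.cxf.configuration.security.AuthorizationPolicy;
>> import org.apache.cxf.interceptor.Fault;
>> import org.apache.cxf.message.Message;
>> import org.apache.cxf.phase.AbstractPhaseInterceptor;
>> import org.apache.cxf.phase.Phase;
>> 
>> public class AuthorizationInterceptor extends AbstractPhaseInterceptor<Message> {
>> 
>>     public AuthorizationInterceptor() {
>>         super(Phase.USER_LOGICAL);
>>     }
>> 
>>     public void handleMessage(Message message) throws Fault {
>>         AuthorizationPolicy policy =
>>             message.get(AuthorizationPolicy.class);
>>         // Name of the operation being invoked.
>>         String opName = (String)message.get(Message.WSDL_OPERATION);
>> 
>>         //use username/passwords from AuthorizationPolicy to validate.
>>         //Throw a fault or similar if processing should not continue.
>>     }
>> }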
>> 
>> 
>> There is also:
>> message.get(SecurityContext.class);
>> which can provide the principal object and checks for isUserInRole if 
>> your deployment environment (tomcat/etc...) supports configurations of 
>> users and roles on that level.
>> 
>> Dan
>> 
>> 
>> On Tuesday 28 August 2007, vannguyen0 wrote:
>> > Hi,
>> >
>> > I'm fairly new to webservices and was wondering if CXF has the ability
>> > to restrict users to certain web services methods.  If I have
>> > PerformProductSearch and UpdateProductInformation, I want to allow
>> > user A (or users that are in user group A) permission to only
>> > PerformProductSearch. But user B (or users that are in user group B)
>> > can access both methods.
>> >
>> > Thanks,
>> >
>> > Van
>> 
>> 
>> 
> 
> 

-- 
View this message in context: http://www.nabble.com/Method-level-authentication--tf4342781.html#a13354095
Sent from the cxf-user mailing list archive at Nabble.com.
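
The per-operation check discussed in this thread, as an added example that is not code from any poster or from the CXF project: an interceptor that maps each operation to the roles allowed to call it and refuses anything not listed. The class name, the role names `groupA`/`groupB` and the choice of `Phase.PRE_INVOKE` are assumptions, and it presumes the transport or WS-Security layer has already placed a `SecurityContext` on the message.

```java
import java.util.Map;
import java.util.Set;
import java.util.function.Predicate;

import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.security.SecurityContext;
import org.apache.cxf.service.model.BindingOperationInfo;

// Hypothetical class name; the role names below are constructed for illustration.
public class OperationRoleInterceptor extends AbstractPhaseInterceptor<Message> {

    // Operation local name -> roles permitted to invoke it (the thread's A/B split).
    private static final Map<String, Set<String>> POLICY = Map.of(
        "PerformProductSearch", Set.of("groupA", "groupB"),
        "UpdateProductInformation", Set.of("groupB"));

    public OperationRoleInterceptor() {
        // Assumption: PRE_INVOKE, so the operation has been resolved but the
        // service method has not run yet.
        super(Phase.PRE_INVOKE);
    }

    // Default deny: operations missing from POLICY are refused for everyone.
    static boolean isAllowed(String operation, Predicate<String> inRole) {
        Set<String> roles = POLICY.get(operation);
        return roles != null && roles.stream().anyMatch(inRole);
    }

    @Override
    public void handleMessage(Message message) throws Fault {
        BindingOperationInfo op = message.getExchange().get(BindingOperationInfo.class);
        SecurityContext sc = message.get(SecurityContext.class);
        // No resolved operation or no authenticated principal: refuse.
        if (op == null || sc == null || sc.getUserPrincipal() == null) {
            throw new Fault(new SecurityException("Not authenticated"));
        }
        String name = op.getName().getLocalPart();
        if (!isAllowed(name, sc::isUserInRole)) {
            // Keep the fault generic; log caller and operation server-side instead.
            throw new Fault(new SecurityException("Access denied"));
        }
    }
}
```

Because the policy is an allow-list, a newly added service operation stays unreachable until someone assigns it roles, which is the safer failure mode for this kind of check.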