Posted to users@cxf.apache.org by tedzo <te...@yahoo.com> on 2008/09/22 20:56:27 UTC

Support for authorization in CXF?

Hello,
Using CXF 2.1.1/tomcat 6 to expose Web services. I need to 
1) authenticate web service calls and 
2) authorize the call (i.e, ensure that caller has rights to execute the call).

I am trying to find out if there is a CXF recommended solution to accomplish the authorization part of the problem. My first reaction is to authenticate the call and then, if that test passes, test whether the user is authorized to execute the call, all of this happening within the WSS4JInInterceptor's password callback class. Is there another way to do this? FYI, I need the username and the name of the method that was called in order to authorize the call.

Thanks for your time.



Re: Support for authorization in CXF?

Posted by Daniel Kulp <dk...@apache.org>.
On Monday 22 September 2008 2:56:27 pm tedzo wrote:
> Hello,
> Using CXF 2.1.1/tomcat 6 to expose Web services. I need to
> 1) authenticate web service calls and
> 2) authorize the call (i.e, ensure that caller has rights to execute the
> call).
>
> I am trying to find out if there is a CXF recommended solution to
> accomplish the authorization part of the problem. My first reaction is to
> authenticate the call and then if that test passes, test whether user is
> authorized to execute the call- all this happening within the
> WSS4JInInterceptor's password callback class. Is there another way to do
> this? FYI, I need the username and the name of the method that was called
> in order to authorize the call.

You cannot do the authorization part within the callback as the operation is 
not known at that point (the body could still be encrypted, for example). 
That would need to be done later.

There are a couple ways to go:
1) Acegi/SpringSecurity method: In your callback (or in an interceptor after 
the WSS4JInInterceptor), grab the principal that WSS4J created and set that 
into the Acegi security contexts. The Acegi annotations and stuff on the 
endpoint can then control things.

2) Custom method: in an interceptor late in the chain, you can get the 
principal (with username/password/etc...) from the message and the 
BindingOperationInfo (to get the operation stuff) and perform any type of 
Authorization you want.


-- 
Daniel Kulp
dkulp@apache.org
http://www.dankulp.com/blog
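The custom interceptor described in option 2 above, written out as an added example. This is not code from the thread or from the CXF project. It assumes that the principal WSS4J authenticated is reachable either through the message's org.apache.cxf.security.SecurityContext (which WSS4JInInterceptor populates in later CXF releases) or under the WSS4JInInterceptor.PRINCIPAL_RESULT key; both lookups are assumptions to verify against the CXF version in use. The operation names and user list in the policy table are constructed sample data.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.security.SecurityContext;
import org.apache.cxf.service.model.BindingOperationInfo;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;

/**
 * Authorizes a call per operation once WSS4J has authenticated the caller.
 * Added example, not part of the original thread or of CXF itself.
 */
public class OperationAuthorizationInterceptor extends AbstractPhaseInterceptor<Message> {

    /** Operation local name -> usernames allowed to call it (constructed sample policy). */
    private final Map<String, Set<String>> policy = new HashMap<String, Set<String>>();

    public OperationAuthorizationInterceptor() {
        // PRE_INVOKE runs after PRE_PROTOCOL (where WSS4JInInterceptor sits, so the body has
        // been decrypted and the token verified) and after the operation has been resolved from
        // the body, but before the service method is invoked. This is the "late in the chain"
        // point the reply refers to; doing this in the password callback is too early.
        super(Phase.PRE_INVOKE);
        allow("getQuote", "alice", "bob");   // assumption: sample operations and users
        allow("placeOrder", "alice");
    }

    public final void allow(String operation, String... users) {
        policy.put(operation, new HashSet<String>(Arrays.asList(users)));
    }

    /** Pure policy decision, kept separate so it can be unit-tested without a Message. */
    public boolean isAllowed(String user, String operation) {
        Set<String> users = policy.get(operation);
        return user != null && users != null && users.contains(user);
    }

    public void handleMessage(Message message) throws Fault {
        Principal caller = resolvePrincipal(message);
        if (caller == null) {
            // WSS4J did not authenticate anyone: fail closed rather than fall through.
            throw new Fault(new SecurityException("Access denied"));
        }

        // The resolved operation lives on the exchange once the body has been read.
        BindingOperationInfo boi = message.getExchange().get(BindingOperationInfo.class);
        if (boi == null) {
            throw new Fault(new SecurityException("Access denied"));
        }
        String operation = boi.getName().getLocalPart();

        if (!isAllowed(caller.getName(), operation)) {
            // Keep the fault string generic; the caller need not learn which
            // users or operations exist. Log the detail server-side instead.
            throw new Fault(new SecurityException("Access denied"));
        }
    }

    /** Looks up the principal WSS4J created. Both keys are assumptions about the CXF version. */
    private Principal resolvePrincipal(Message message) {
        SecurityContext sc = message.get(SecurityContext.class);
        if (sc != null && sc.getUserPrincipal() != null) {
            return sc.getUserPrincipal();
        }
        Object p = message.get(WSS4JInInterceptor.PRINCIPAL_RESULT);
        return p instanceof Principal ? (Principal) p : null;
    }
}
```

Register it on the endpoint alongside the WSS4JInInterceptor, for example with endpoint.getInInterceptors().add(new OperationAuthorizationInterceptor()) or in the jaxws:inInterceptors list in Spring; because it declares the PRE_INVOKE phase, CXF orders it after WSS4JInInterceptor regardless of list order. If the operation was resolved in unwrapped form, boi.getName() still carries the same local name, so the policy lookup is unaffected.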