Posted to users@cxf.apache.org by HamletDRC <ha...@gmail.com> on 2009/09/15 22:21:55 UTC

Using Spring JSR-250 based Authorization but not Authentication

I have a set of CXF services I want to have authorization provided on, based
on Spring Security and the JSR-250 annotations. I do _not_ want to use the
Spring Authentication mechanisms... for authentication I have the
WSS4JInInterceptor and am quite happy with it. 

Does anyone know how to use just the Spring authorization in CXF? 

It should be as easy as adding this line of XML config to cxf.xml: 

	<security:global-method-security jsr250-annotations="enabled"/>

But when I do that I get bean not found errors for the
"_authenticationManager" bean. I don't want to specify an authentication
manager, I just want to specify an AccessDecisionManager. 

Any ideas on reference material? I read the Spring Security user guide but
didn't feel like I knew what to do. 
Thanks, 
Hamlet D'Arcy
hamletdrc@gmail.com



Re: Using Spring JSR-250 based Authorization but not Authentication

Posted by Andreas Veithen <an...@gmail.com>.
I don't think this will work. You will always have to build an
Authentication object because the entire Spring Security framework is
based on this. It is also required to have an AuthenticationProvider
(that is why Spring complains about the missing _authenticationManager
bean). However, this does not mean that the AuthenticationProvider
really needs to do authentication. Actually, AuthenticationProvider
has two responsibilities:
- Authenticate the user (i.e. validate the credentials).
- Determine the authorities (roles) the user has.
If both aspects are handled elsewhere (by WSS4J), then the
AuthenticationProvider only needs to validate that the authentication
token is of the right type. Actually, how are you planning to
determine the authorities?

Andreas

On Wed, Sep 16, 2009 at 00:03, HamletDRC <ha...@gmail.com> wrote:
>
> I had planned on providing a custom AccessDecisionManager that made the
> decision off of something in the MessageContext rather than the
> authenticated principal.
>
>
>
> Christian Schneider wrote:
>>
>> I guess you will need some kind of spring security authentication. At
>> least so far that spring security knows the authenticated principal. How
>> else should it do the authorisation?
>>
>> Greetings
>>
>> Christian

Re: Using Spring JSR-250 based Authorization but not Authentication

Posted by Daniel Kulp <dk...@apache.org>.
Taking another approach, is there a way to take the information (like the
Principal object or similar) out of the WSS4J results and feed that into the
Spring AuthenticationManager as an authenticated object? I think the
DecisionManager should work fine then.

Definitely not my area though.  I could be completely blowing smoke.  :-)

Dan


On Tue September 15 2009 6:03:31 pm HamletDRC wrote:
> I had planned on providing a custom AccessDecisionManager that made the
> decision off of something in the MessageContext rather than the
> authenticated principal.
> 
> Christian Schneider wrote:
> > I guess you will need some kind of spring security authentication. At
> > least so far that spring security knows the authenticated principal. How
> > else should it do the authorisation?
> >
> > Greetings
> >
> > Christian

-- 
Daniel Kulp
dkulp@apache.org
http://www.dankulp.com/blog
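
Added example (not part of the thread and not code from CXF or Spring Security): one way to wire up what Andreas and Dan describe above, a bridge that hands the WSS4J principal to Spring Security plus a provider that only checks the token type. It assumes Spring Security 3.x or later package names, that WSS4JInInterceptor has put a CXF SecurityContext on the message, and a placeholder role mapping; both class names are hypothetical.

```java
// Added example: assumes Spring Security 3.x+ packages and the CXF 2.x interceptor API.
import java.security.Principal;
import java.util.List;

import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.security.SecurityContext;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

/** Hypothetical bridge: runs after WSS4JInInterceptor has verified the credentials. */
public class Wss4jToSpringSecurityInterceptor extends AbstractPhaseInterceptor<Message> {
    public Wss4jToSpringSecurityInterceptor() {
        super(Phase.PRE_INVOKE); // WSS4J runs in PRE_PROTOCOL, so its result is available here
    }

    @Override
    public void handleMessage(Message message) throws Fault {
        SecurityContextHolder.clearContext(); // pooled threads must not inherit a previous caller
        SecurityContext cxfContext = message.get(SecurityContext.class);
        Principal principal = cxfContext == null ? null : cxfContext.getUserPrincipal();
        if (principal == null) {
            return; // fail closed: with no Authentication, secured methods are rejected
        }
        // Placeholder role lookup (assumption); replace with the real mapping for this principal.
        List<GrantedAuthority> roles = AuthorityUtils.createAuthorityList("ROLE_USER");
        SecurityContextHolder.getContext().setAuthentication(
                new PreAuthenticatedAuthenticationToken(principal, "N/A", roles));
    }
}

/** Pass-through provider: only checks the token type, because WSS4J already authenticated. */
class TrustWss4jAuthenticationProvider implements AuthenticationProvider {
    @Override
    public Authentication authenticate(Authentication authentication) {
        return supports(authentication.getClass()) ? authentication : null;
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return PreAuthenticatedAuthenticationToken.class.isAssignableFrom(authentication);
    }
}
```

Register the interceptor as an in-interceptor on the endpoint and the provider as the authentication manager's only provider. The SecurityContextHolder should also be cleared once the invocation completes, so the Authentication does not outlive the request on a pooled thread.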

Re: Using Spring JSR-250 based Authorization but not Authentication

Posted by HamletDRC <ha...@gmail.com>.
I had planned on providing a custom AccessDecisionManager that made the
decision off of something in the MessageContext rather than the
authenticated principal.



Christian Schneider wrote:
> 
> I guess you will need some kind of spring security authentication. At
> least so far that spring security knows the authenticated principal. How
> else should it do the authorisation?
> 
> Greetings
> 
> Christian


-----
--
Hamlet D'Arcy



Re: Using Spring JSR-250 based Authorization but not Authentication

Posted by Christian Schneider <ch...@die-schneider.net>.
I guess you will need some kind of spring security authentication. At
least so far that spring security knows the authenticated principal. How
else should it do the authorisation?

Greetings

Christian


HamletDRC wrote:
> I have a set of CXF services I want to have authorization provided on, based
> on Spring Security and the JSR-250 annotations. I do _not_ want to use the
> Spring Authentication mechanisms... for authentication I have the
> WSS4JInInterceptor and am quite happy with it. 
>
> Does anyone know how to use just the Spring authorization in CXF? 
>
> It should be as easy as adding this line of XML config to cxf.xml: 
>
> 	<security:global-method-security jsr250-annotations="enabled"/>
>
> But when I do that I get bean not found errors for the
> "_authenticationManager" bean. I don't want to specify an authentication
> manager, I just want to specify an AccessDecisionManager. 
>
> Any ideas on reference material? I read the Spring Security user guide but
> didn't feel like I knew what to do. 
> Thanks, 
> Hamlet D'Arcy
> hamletdrc@gmail.com