Van,
The answer is both yes and no.
CXF doesn't have anything "built in" that would provide that capability.
However, it would be very easy to write an interceptor that would:
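
    import javax.xml.namespace.QName;
    import org.apache.cxf.configuration.security.AuthorizationPolicy;
    import org.apache.cxf.interceptor.Fault;
    import org.apache.cxf.message.Message;
    import org.apache.cxf.phase.AbstractPhaseInterceptor;
    import org.apache.cxf.phase.Phase;

    public class AuthorizationInterceptor extends
            AbstractPhaseInterceptor<Message> {
        public AuthorizationInterceptor() {
            super(Phase.USER_LOGICAL);
        }
        public void handleMessage(Message message) throws Fault {
            // Credentials supplied by the caller (may be null if none were sent).
            AuthorizationPolicy policy =
                message.get(AuthorizationPolicy.class);
            // Name of the operation being invoked.
            QName opName = (QName) message.get(Message.WSDL_OPERATION);
            // Use the username/password from AuthorizationPolicy to validate.
            // Throw a fault or similar if processing should not continue.
        }
    }
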
There is also:

    message.get(SecurityContext.class);

which can provide the principal object and checks for isUserInRole if
your deployment environment (tomcat/etc...) supports configurations of
users and roles on that level.
Dan
On Tuesday 28 August 2007, vannguyen0 wrote:
> Hi,
>
> I'm fairly new to webservices and was wondering if CXF has the ability
> to restrict users to certain web services methods. If I have
> PerformProductSearch and UpdateProductInformation, I want to allow
> user A (or users that are in user group A) permission to only
> PerformProductSearch. But user B (or users that are in user group B)
> can access both methods.
>
> Thanks,
>
> Van
--
J. Daniel Kulp
Principal Engineer
IONA
P: 781-902-8727 C: 508-380-7194
http://www.dankulp.com/blog