If you're using Spring and WSS4J, I'd also recommend looking at Acegi.
We're using Acegi's method interceptor along with method level
annotations to secure web services based on role and other custom
granted authorities.  It's a fairly easy solution once you have WSS4J and
Acegi hooked together.

On Tue, 2007-08-28 at 13:26 -0400, Daniel Kulp wrote:

> Van,
> 
> The answer is both yes and no.
> 
> CXF doesn't have anything "built in" that would provide that capability.   
> However, it would be very easy to write an interceptor that would:
> 
> 
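> import javax.xml.namespace.QName;
> import org.apache.cxf.configuration.security.AuthorizationPolicy;
> import org.apache.cxf.interceptor.Fault;
> import org.apache.cxf.message.Message;
> import org.apache.cxf.phase.AbstractPhaseInterceptor;
> import org.apache.cxf.phase.Phase;
> 
> public class AuthorizationInterceptor
>         extends AbstractPhaseInterceptor<Message> {
> 
>     public AuthorizationInterceptor() {
>         super(Phase.USER_LOGICAL);
>     }
> 
>     public void handleMessage(Message message) throws Fault {
>         // Credentials supplied with the request (e.g. HTTP basic auth).
>         AuthorizationPolicy policy =
>             message.get(AuthorizationPolicy.class);
>         // Operation being invoked; the value is stored as a QName.
>         QName opName = (QName) message.get(Message.WSDL_OPERATION);
> 
>         //use username/passwords from AuthorizationPolicy to validate.
>         //Throw a fault or similar if processing should not continue.
>     }
> }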
> 
> 
> There is also:
> message.get(SecurityContext.class);
> which can provide the principal object and checks for isUserInRole if 
> your deployment environment (tomcat/etc...) supports configurations of 
> users and roles on that level.
> 
> Dan
> 
> 
> On Tuesday 28 August 2007, vannguyen0 wrote:
> > Hi,
> >
> > I'm fairly new to web services and was wondering if CXF has the ability
> > to restrict users to certain web services methods.  If I have
> > PerformProductSearch and UpdateProductInformation, I want to allow
> > user A (or users that are in user group A) permission to only
> > PerformProductSearch. But user B (or users that are in user group B)
> > can access both methods.
> >
> > Thanks,
> >
> > Van
> 
> 
> 
