Dan, I'm giving this a shot and am having some difficulties with the AuthorizationInterceptor finding the AuthorizationPolicy object.
My web service looks something like this:

    @WebService(name = "productSearchService")
    @SOAPBinding(style = Style.RPC, use = Use.LITERAL)
    @WebFault(targetNamespace = "http://webservices.ur.com/types",
              name = "productSearchException",
              faultBean = "com.ur.webservices.webfaults.ProductSearchServiceFault")
    @InInterceptors(interceptors={"com.ur.webservices.security.AuthorizationInterceptor"})
    public interface ProductSearch {
        public Item getItem(String itemNumber);
    }

Using the wsdl2java command, it created the Java classes needed to call this web service:

    ProductSearchImplService ss = new ProductSearchImplService(wsdlURL, SERVICE_NAME);
    ProductSearchService port = ss.getProductSearchImplPort();

    Client client = ClientProxy.getClient(port);
    HTTPConduit httpConduit = (HTTPConduit)client.getConduit();
    AuthorizationPolicy policy = new AuthorizationPolicy();
    policy.setPassword("vnguyen");
    policy.setPassword("myPassword");
    httpConduit.setAuthorization(policy);

Calling port.getItem("1234") brings me into the AuthorizationInterceptor... but both the AuthorizationPolicy and opName are null - I also assumed you meant to write:

    String opName = (String)message.get(Message.WSDL_OPERATION);

Any ideas?

Thanks,

Van Nguyen
United Rentals, Inc
[EMAIL PROTECTED]
(949) 225-6553

-----Original Message-----
From: Daniel Kulp [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 28, 2007 10:27 AM
To: [email protected]
Cc: Van Nguyen
Subject: Re: Method level authentication?

Van,

The answer is both yes and no. CXF doesn't have anything "built in" that would provide that capability.
However, it would be very easy to write an interceptor that would:

    public class AuthorizationInterceptor extends AbstractPhaseInterceptor<Message> {
        public AuthorizationInterceptor() {
            super(Phase.USER_LOGICAL);
        }
        public void handleMessage(Message message) throws Fault {
            AuthorizationPolicy policy = message.get(AuthorizationPolicy.class);
            String opName = (String)message.put(Message.WSDL_OPERATION);
            //use username/passwords from AuthorizationPolicy to validate.
            //Throw a fault or similar if processing should not continue.
        }
    }

There is also:

    message.get(SecurityContext.class);

which can provide the principal object and checks for isUserInRole if your deployment environment (tomcat/etc...) supports configurations of users and roles on that level.

Dan

On Tuesday 28 August 2007, vannguyen0 wrote:
> Hi,
>
> I'm fairly new to webservices and was wondering if CXF has the ability
> to restrict users to certain web services methods. If I have
> PerformProductSearch and UpdateProductInformation, I want to allow
> user A (or users that are in user group A) permission to only
> PerformProductSearch. But user B (or users that are in user group B)
> can access both methods.
>
> Thanks,
>
> Van

--
J. Daniel Kulp
Principal Engineer
IONA
P: 781-902-8727 C: 508-380-7194
[EMAIL PROTECTED]
http://www.dankulp.com/blog
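
Added example (not part of the original thread and not CXF's own code): one way to fill in the interceptor sketched above for the user A / user B scenario from the original question, denying the call whenever the AuthorizationPolicy or the operation is missing. The class name, the in-memory USERS and ACL tables and their contents are assumptions made for illustration, and the operation name is read from the exchange's BindingOperationInfo rather than from Message.WSDL_OPERATION.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import java.util.Set;
import org.apache.cxf.configuration.security.AuthorizationPolicy;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.service.model.BindingOperationInfo;

// Hypothetical class name; per-operation access check driven by HTTP basic credentials.
public class OperationAclInterceptor extends AbstractPhaseInterceptor<Message> {
    // Constructed sample data: user -> {password, group}. A real service would
    // look up salted password hashes in its user store instead.
    private static final Map<String, String[]> USERS = Map.of(
        "userA", new String[] {"passwordA", "A"},
        "userB", new String[] {"passwordB", "B"});
    // Operation local name -> groups allowed to call it (scenario from the question).
    private static final Map<String, Set<String>> ACL = Map.of(
        "PerformProductSearch", Set.of("A", "B"),
        "UpdateProductInformation", Set.of("B"));

    public OperationAclInterceptor() {
        super(Phase.USER_LOGICAL); // same phase as the interceptor in the thread
    }

    @Override
    public void handleMessage(Message message) throws Fault {
        AuthorizationPolicy policy = message.get(AuthorizationPolicy.class);
        BindingOperationInfo op = message.getExchange().get(BindingOperationInfo.class);
        // Fail closed: no credentials or no resolved operation means no access.
        if (policy == null || policy.getUserName() == null
                || policy.getPassword() == null || op == null) {
            throw new Fault(new SecurityException("Authentication required"));
        }
        String[] account = USERS.get(policy.getUserName());
        if (account == null || !sameBytes(account[0], policy.getPassword())) {
            throw new Fault(new SecurityException("Invalid credentials"));
        }
        // Default deny: an operation missing from the ACL is rejected for everyone.
        Set<String> allowed = ACL.get(op.getName().getLocalPart());
        if (allowed == null || !allowed.contains(account[1])) {
            throw new Fault(new SecurityException("Operation not permitted for this user"));
        }
    }

    // Constant-time comparison so timing does not reveal how much of the password matched.
    private static boolean sameBytes(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }
}
```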
