Another factor in the discussion has to do with what you want to secure. Acegi is built to secure web applications. It does this by providing various ways to secure the HTTP communication.
The authorization and authentication concerns are addressed at the protocol layer first, and can then be extended into lower levels of the application via AOP and such. So, if you're interested in securing your application at that level, then CXF doesn't even really enter into the discussion. Meaning that you're going to put the Acegi filter out there, and configure it to protect whatever URLs your CXF services are published on. Acegi wouldn't know anything about CXF in that case. >From there you can decide in your endpoints how you consider the 'Principal'. You could retrieve it from Acegi without it being part of WS-Security and keep it loose that way. Or you could find some means of integrating Acegi into a WS-Security provider for CXF somehow. The application I am building will support both plain xml over http and soap over http. So in that case it makes sense for me to place security at the http layer, and avoid relying on something like WS-Security. On 9/17/07, Daniel Kulp <[EMAIL PROTECTED]> wrote: > > Interesting you should ask this..... I first heard about ACEGI last > week in a different conversation and have just started to look into it a > bit. I'd LOVE to have your input into this as to what you think is > needed or what you would consider good integration. > > Here are my thoughts so far: (keep in mind, I had never heard of ACEGI > till last week so I could be completely off base) > > 1) If you deploy your app as a war using the spring webapp stuff and > setting up to use aop for your service, it should just work. The acegi > filter should grab the basic-auth stuff, setup the security context > stuff it needs, and when we call invoke on the service, the acegi stuff > should grant/deny it. > > 2) Longer term, we could write an interceptor that grabs the > AuthorizationPolicy object and HTTPS/WS-Sec stuff from our message and > fills in the acegi contexts with the details. That really wouldn't be > a huge amount of work to do. > > > Dan > > > > On Thursday 13 September 2007, mattmadhavan wrote: > > Hello, > > Can some one point me to some docs on the CXF and ACEGI integration or > > CXF and security like authentication and authorization. Some sample > > app will even be great. > > > > I found some blogs on the CXF+ACEGI, but it is Java centric. On the > > client side we need to set the which class handles the security on the > > Server side! But if I am using some other language for clients like C# > > it does n't seem to be the proper way! > > > > Any ideas will be greatly appreciated. > > > > Thanks > > Matt > > > > -- > J. Daniel Kulp > Principal Engineer > IONA > P: 781-902-8727 C: 508-380-7194 > [EMAIL PROTECTED] > http://www.dankulp.com/blog >
