Yeah, that looks great. If you want to do authentication at the ws-security layer I'd do it in the fashion described there and by dkulp a few posts back...
On 9/21/07, mattmadhavan <[EMAIL PROTECTED]> wrote:
>
> Sorry everybody! I was out for a couple of days and I had forgotten to add the
> link!
>
> http://www.vorburger.ch/blog1/2006/10/propagating-acegis-security-context-in.html
>
> Thanks
> Matt
>
>
> Willem2 wrote:
> >
> > Hi Matt
> >
> > I did not see any url in your mail below :(.
> > Could you send them again ?
> >
> > Willem.
> > mattmadhavan wrote:
> >> Hello All,
> >> Please refer to this blog. Seems to be one of the most popular blogs.
> >> Please look at the client code! (Test case).
> >>
> >> Any ideas? If someone has a complete ACEGI security solution and posts
> >> it, it will be Awesome! Ray do you mind posting a complete sample. It will be
> >> greatly beneficial to everybody.
> >>
> >> Matt
> >>
> >>
> >> dkulp wrote:
> >>
> >>> Ray,
> >>>
> >>> On Monday 17 September 2007, Ray Krueger wrote:
> >>>
> >>>> The authorization and authentication concerns are addressed at the
> >>>> protocol layer first, and can then be extended into lower levels of
> >>>> the application via AOP and such. So, if you're interested in securing
> >>>> your application at that level, then CXF doesn't even really enter
> >>>> into the discussion. Meaning that you're going to put the Acegi filter
> >>>> out there, and configure it to protect whatever URLs your CXF services
> >>>> are published on. Acegi wouldn't know anything about CXF in that case.
> >>>>
> >>> This currently works fine if you use the CXFServlet approach and deploy
> >>> your application as a war into some sort of Servlet container.
> >>>
> >>> However, if you do a J2SE standalone mode application, this is quite
> >>> hard to do right now and is something we should make a bit easier.
> >>> Currently, you would need to grab the raw Jetty listeners, use the Jetty
> >>> APIs to add the filters, etc.... (Note: this also applies if you want
> >>> to secure your decoupled destination for a ws-rm/ws-a interaction)
> >>>
> >>> We probably should allow filters to be added via the spring
> >>> configuration for the destination. That would simplify things quite a bit.
> >>>
> >>>
> >>>> From there you can decide in your endpoints how you consider the
> >>>> 'Principal'. You could retrieve it from Acegi without it being part of
> >>>> WS-Security and keep it loose that way. Or you could find some means
> >>>> of integrating Acegi into a WS-Security provider for CXF somehow.
> >>>>
> >>> This was the interceptor I mentioned before. An interceptor after the
> >>> WS-Sec interceptors would have access to the stuff decoded from the
> >>> message. The interceptor could create the principal object and pass
> >>> that into Acegi.
> >>>
> >>> Dan
> >>>
> >>>
> >>>
> >>>> The application I am building will support both plain xml over http
> >>>> and soap over http. So in that case it makes sense for me to place
> >>>> security at the http layer, and avoid relying on something like
> >>>> WS-Security.
> >>>>
> >>>> On 9/17/07, Daniel Kulp <[EMAIL PROTECTED]> wrote:
> >>>>
> >>>>> Interesting you should ask this..... I first heard about ACEGI
> >>>>> last week in a different conversation and have just started to look
> >>>>> into it a bit. I'd LOVE to have your input into this as to what
> >>>>> you think is needed or what you would consider good integration.
> >>>>>
> >>>>> Here are my thoughts so far: (keep in mind, I had never heard of
> >>>>> ACEGI till last week so I could be completely off base)
> >>>>>
> >>>>> 1) If you deploy your app as a war using the spring webapp stuff and
> >>>>> setting up to use aop for your service, it should just work. The
> >>>>> acegi filter should grab the basic-auth stuff, set up the security
> >>>>> context stuff it needs, and when we call invoke on the service, the
> >>>>> acegi stuff should grant/deny it.
> >>>>>
> >>>>> 2) Longer term, we could write an interceptor that grabs the
> >>>>> AuthorizationPolicy object and HTTPS/WS-Sec stuff from our message
> >>>>> and fills in the acegi contexts with the details. That really
> >>>>> wouldn't be a huge amount of work to do.
> >>>>>
> >>>>>
> >>>>> Dan
> >>>>>
> >>>>> On Thursday 13 September 2007, mattmadhavan wrote:
> >>>>>
> >>>>>> Hello,
> >>>>>> Can someone point me to some docs on the CXF and ACEGI
> >>>>>> integration or CXF and security like authentication and
> >>>>>> authorization. Some sample app will even be great.
> >>>>>>
> >>>>>> I found some blogs on the CXF+ACEGI, but it is Java centric. On
> >>>>>> the client side we need to set which class handles the
> >>>>>> security on the Server side! But if I am using some other language
> >>>>>> for clients like C# it doesn't seem to be the proper way!
> >>>>>>
> >>>>>> Any ideas will be greatly appreciated.
> >>>>>>
> >>>>>> Thanks
> >>>>>> Matt
> >>>>>>
> >>>>> --
> >>>>> J. Daniel Kulp
> >>>>> Principal Engineer
> >>>>> IONA
> >>>>> P: 781-902-8727 C: 508-380-7194
> >>>>> [EMAIL PROTECTED]
> >>>>> http://www.dankulp.com/blog
> >>>>>
> >>>
> >>> --
> >>> J. Daniel Kulp
> >>> Principal Engineer
> >>> IONA
> >>> P: 781-902-8727 C: 508-380-7194
> >>> [EMAIL PROTECTED]
> >>> http://www.dankulp.com/blog
> >>>
> >>
> >
>
> --
> View this message in context:
> http://www.nabble.com/CXF%2BACEGI-tf4436973.html#a12828547
> Sent from the cxf-user mailing list archive at Nabble.com.
>
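
The servlet-container setup discussed in this thread (an Acegi filter placed in front of the URLs that CXFServlet serves), as an added example that is not part of the original messages or of the CXF or Acegi projects' own samples. The `/services/*` path, the filter and servlet names, and the `applicationContext.xml` location are assumptions; a `FilterChainProxy` bean with the HTTP basic-auth filters is assumed to be defined in that Spring context.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: WEB-INF/web.xml. Paths and names below are assumptions. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">

  <!-- Spring context that holds the CXF endpoints and the Acegi beans -->
  <context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>/WEB-INF/applicationContext.xml</param-value>
  </context-param>

  <!-- Servlet filter that delegates to the FilterChainProxy bean in the Spring context -->
  <filter>
    <filter-name>acegiFilterChainProxy</filter-name>
    <filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>
    <init-param>
      <param-name>targetClass</param-name>
      <param-value>org.acegisecurity.util.FilterChainProxy</param-value>
    </init-param>
  </filter>

  <!-- Must cover every URL pattern CXFServlet is mapped to;
       a service published outside this pattern is left unauthenticated -->
  <filter-mapping>
    <filter-name>acegiFilterChainProxy</filter-name>
    <url-pattern>/services/*</url-pattern>
  </filter-mapping>

  <listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
  </listener>

  <!-- CXF knows nothing about Acegi here: requests reach it only after the filter chain -->
  <servlet>
    <servlet-name>CXFServlet</servlet-name>
    <servlet-class>org.apache.cxf.transport.servlet.CXFServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>

  <servlet-mapping>
    <servlet-name>CXFServlet</servlet-name>
    <url-pattern>/services/*</url-pattern>
  </servlet-mapping>
</web-app>
```

Because authentication happens on the HTTP request before CXF sees it, a non-Java client such as C# only needs to send standard HTTP basic-auth credentials, which should be carried over HTTPS.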
