Hi again Barry,

While I haven't tried this myself yet, I imagine that an alternate feasible approach would be to use the ACEGI AOP support for annotations to allow you to associate roles with the JAX-RS implementation classes.

ACEGI can be used to do a certain level of authentication and authorization at the Servlet Filter level, limited to specifying Roles for a given REST resource as mentioned in my post below. However, ACEGI can also be used to provide authorization-level support for implementation code via its use of AOP and annotations (see the ACEGI docs for the AspectJ and AOP-Alliance AOP implementations). This approach would possibly allow you to achieve what you want without needing to extend ACEGI.

Maybe have a look at: http://www.acegisecurity.org/

Personally I'm not a huge fan of deployment-specific annotations being embedded directly in code though; I would prefer the approach mentioned in my first mail. Security Roles are usually deployment-specific data, and supplying the actual values via annotations has operational consequences in terms of deployment, administration, and ease of modification. Obviously whether something is appropriate depends on many factors, and it might be okay for you.

Cheers,
Donal

-----Original Message-----
From: Arundel, Donal [mailto:[EMAIL PROTECTED]
Sent: 19 February 2008 12:50
To: [email protected]
Subject: RE: Restful Declarative security?

Hi Barry,

I have recently noticed that it would be a nice extension to ACEGI to support REST in this fashion. I personally think that URL pattern-based RBAC ACL would work really nicely with ACEGI and REST. ACEGI doesn't provide the ability to specify ACL based on the type of HTTP operation involved. This means that ACEGI doesn't naturally support REST out of the box, if you care about modification versus view semantics (which you do). The syntax ACEGI uses to specify the RBAC ACL patterns would need to be overhauled a bit to support this in an ergonomic fashion.

It seems like this would be a very nice and very reusable little project though :-)

Cheers,
Donal

-----Original Message-----
From: Barry Fitzgerald [mailto:[EMAIL PROTECTED]
Sent: 19 February 2008 10:24
To: [email protected]
Subject: Restful Declarative security?

Hi all,

Just a general question - I'm using the JAX-RS implementation in CXF 2.1 for writing services and I have a requirement to secure certain aspects of the service. For example - I want everyone to be able to read a user but only certain people to update a user. In a RESTful service these two calls would both be passed to the same URL (update a POST, read a GET). Almost all security solutions I know simply protect URLs and can't protect a URL for POSTs but not for GETs.

Has anyone else come across this problem? Any solutions/workarounds? Obviously I could protect the calls programmatically but this seems a step backwards.

Thanks,
Barry

----------------------------
IONA Technologies PLC (registered in Ireland)
Registered Number: 171387
Registered Address: The IONA Building, Shelbourne Road, Dublin 4, Ireland
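The gap both posters describe, a URL-pattern ACL that also keys on the HTTP method so that GET on a resource can be open while POST/PUT/DELETE on the same URL is restricted, is small enough to sketch as a plain Servlet Filter. The following is an added example written for this thread; it is not code from CXF, ACEGI, or either poster. It assumes the container (or an upstream filter) has already authenticated the caller and populated `HttpServletRequest.getUserPrincipal()` / `isUserInRole()`, and the rule table inside the constructor is a constructed sample, not a deployment's real configuration. Unmatched requests are denied by default, which is the safer failure mode when a new resource is added but no rule has been written for it yet.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Method-aware, URL-pattern RBAC filter (hypothetical example, default deny). */
public class MethodAwareRbacFilter implements Filter {

    /** One ACL entry: path regex + set of HTTP methods + roles allowed to use them. */
    static final class Rule {
        final Pattern path;
        final Set<String> methods;
        final Set<String> roles;

        Rule(String pathRegex, String methodsCsv, String rolesCsv) {
            this.path = Pattern.compile(pathRegex);
            this.methods = new HashSet<String>(Arrays.asList(methodsCsv.split(",")));
            this.roles = new HashSet<String>(Arrays.asList(rolesCsv.split(",")));
        }

        boolean matches(String requestPath, String method) {
            return path.matcher(requestPath).matches() && methods.contains(method);
        }
    }

    private final List<Rule> rules = new ArrayList<Rule>();

    public MethodAwareRbacFilter() {
        // Constructed sample table. In a real deployment this would be loaded from
        // deployment-specific configuration rather than hard-coded (the concern raised above).
        rules.add(new Rule("/users/[^/]+", "GET,HEAD", "ROLE_USER,ROLE_ADMIN"));
        rules.add(new Rule("/users/[^/]+", "POST,PUT,DELETE", "ROLE_ADMIN"));
    }

    /**
     * Pure decision function: true only if some rule covers this path+method and the
     * caller holds at least one of that rule's roles. No matching rule means deny.
     */
    static boolean permitted(List<Rule> rules, String requestPath, String method, Set<String> callerRoles) {
        for (Rule rule : rules) {
            if (!rule.matches(requestPath, method)) {
                continue;
            }
            for (String role : rule.roles) {
                if (callerRoles.contains(role)) {
                    return true;
                }
            }
        }
        return false;
    }

    public void init(FilterConfig config) { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Path relative to the servlet context; pathInfo is null when there is no extra path.
        String path = request.getServletPath() + (request.getPathInfo() == null ? "" : request.getPathInfo());
        String method = request.getMethod().toUpperCase();

        if (request.getUserPrincipal() == null) {
            // Not authenticated at all: distinguish this from a role failure.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Collect the caller's roles by asking the container about every role the ACL knows.
        Set<String> callerRoles = new HashSet<String>();
        for (Rule rule : rules) {
            for (String role : rule.roles) {
                if (request.isUserInRole(role)) {
                    callerRoles.add(role);
                }
            }
        }

        if (!permitted(rules, path, method, callerRoles)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }
}
```

With the sample table, a `ROLE_USER` caller gets `GET /users/42` through to the JAX-RS resource but receives 403 on `POST /users/42`, which is exactly the read-versus-modify split asked about. Two details are easy to get wrong in such a filter: matching must use `matches()` (whole path) rather than `find()`, otherwise `/users/42/admin-only` would inherit the `/users/42` rule, and the method should be compared in a fixed case since some containers pass it through as sent by the client.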
