Spring Security integration would be an interesting case that I hope can be covered with my approach.

We could do the JAAS authentication with CXF without Spring Security and then use Spring Security just for authorization. The only thing we would need to do is provide a small module for Spring Security that retrieves the JAAS Login Context and creates a Spring Security context from it. Perhaps this is even present somewhere in Spring Security, as this case should not be that uncommon. After that step Spring Security would fully work.

This of course only can work if the Authentication phase can be covered by JAAS. Which kind of authentication do you have in mind?

Christian



On 10.07.2014 13:38, Łukasz Dywicki wrote:
Hey Christian,
Great you brought this discussion. I already started working on
integration between spring security (SS) and cxf, mainly because JAAS
was not sufficient in all our cases and SS provides nice cover to it
such as AccessDecisionManager, session controlling and so on. As Oliver
pointed out - currently CXF is bound to HTTP headers or WSS4J
callbacks requiring re-sending credentials for each invocation which
really limits users while working on more advanced APIs. I would love
to see support for login/logout operations and session handling within
CXF.

There are a couple of issues which cannot be solved with current CXF code
- for example AbstractAuthorizingInInterceptor forces presence of
security context even if subject is not necessary and method is not
annotated with any secure annotation or is annotated with @PermitAll.

Best regards,
Łukasz
--
[email protected]
Twitter: ldywicki
Blog: http://dywicki.pl
Code-House - http://code-house.org



--
Christian Schneider
http://www.liquid-reality.de

Open Source Architect
http://www.talend.com
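
The bridge module proposed at the top of this thread could look like the sketch below. It is an added example, not code from the original e-mails, CXF or Spring Security. The class name `JaasSubjectBridge` and the `ROLE_` prefix used to tell role principals from the user principal are assumptions, as is the caller handing in the `Subject` produced by the JAAS login; it needs `spring-security-core` and `spring-security-web` on the classpath.

```java
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;
import javax.security.auth.Subject;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

/** Hypothetical bridge: already-authenticated JAAS Subject -> Spring Security context. */
public final class JaasSubjectBridge {
    // Assumption: the JAAS login module names role principals with this prefix.
    private static final String ROLE_PREFIX = "ROLE_";

    static Authentication toAuthentication(Subject subject) {
        if (subject == null) {
            throw new IllegalStateException("no JAAS Subject: authentication did not run");
        }
        Principal user = null;
        List<GrantedAuthority> roles = new ArrayList<>();
        for (Principal p : subject.getPrincipals()) {
            if (p.getName().startsWith(ROLE_PREFIX)) {
                roles.add(new SimpleGrantedAuthority(p.getName()));
            } else if (user == null) {
                user = p; // first non-role principal is treated as the caller
            }
        }
        if (user == null) {
            throw new IllegalStateException("Subject has no user principal");
        }
        // Credentials are not copied: JAAS has already verified them.
        return new PreAuthenticatedAuthenticationToken(user, "N/A", roles);
    }

    /** Runs one invocation with the Spring context populated, then always clears it. */
    static void runAs(Subject subject, Runnable invocation) {
        SecurityContext ctx = SecurityContextHolder.createEmptyContext();
        ctx.setAuthentication(toAuthentication(subject));
        SecurityContextHolder.setContext(ctx);
        try {
            invocation.run();
        } finally {
            SecurityContextHolder.clearContext(); // pooled threads must not keep the identity
        }
    }
}
```

Failing closed on a missing `Subject` and clearing the context in `finally` matter here: a request thread returned to the pool with a populated context would let the next invocation inherit the previous caller's authorities.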
