Sergey Beryozkin [http://community.jboss.org/people/sergeyb] replied to the discussion
"JBWS-2210 : CXF Username Token JAAS integration"
To view the discussion, visit: http://community.jboss.org/message/536529#536529
--------------------------------------------------------------

Hi Darran,

Thanks for the comments.

> The approach of having two interceptors (one for authentication and one for
> authorization) is probably the biggest part of this problem already solved.
>
> Where this becomes really apparent is where endpoints are deployed as EJB3
> session beans, in this case the container can already be configured to
> perform authentication and authorization - as a deployed session bean can
> potentially be called from multiple different clients it makes sense for the
> authorization checks to remain with the bean.

I see. Perhaps in some cases no authorization will be required, so just dropping an authorization interceptor will satisfy such requirements.

> The point of these two comments really is to highlight that this is not just
> a case of obtaining a Subject from whatever app server you are running in but
> actually associating the user's identity with the request so that it
> propagates for further calls within the application server. Using the APIs
> suggested from Anil should help with this so this is just something to keep
> in mind.

Sure. I saw the following code line in the JBoss Native:

> securityAdaptor.pushSubjectContext(subject, principal, credential);

This is probably to do with what you explained above.

> A final feature related to this that I know there is user demand for would be
> the ability to annotate the POJO endpoints with the same role annotations as
> used on EJB3 session beans - we were unable to do this for our Native
> implementation of this as we had to support JAX-RPC as well as JAX-WS but as
> this would be JAX-WS only this could be an option and may help simplify the
> role configuration

I was thinking of adding (at the CXF level) a utility AuthorizingInInterceptor subclass which would be configured with the name of the annotation, such as @RolesAllowed, that target POJO classes may be annotated with. This interceptor would introspect a given class and return a list of expected roles for a given method name. Perhaps it might help with addressing this requirement.

Thanks,
Sergey
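The role-lookup logic Sergey sketches above (an interceptor configured with an annotation class name, which introspects the endpoint class and returns the expected roles for a method name), written out as an added, self-contained illustration. This is not code from the thread, from CXF or from JBoss; the `RolesAllowed` annotation below is a local stand-in with the same shape as `javax.annotation.security.RolesAllowed` so the file compiles without Java EE jars, and `AccountService`, `LegacyService` and `AnnotationRoleResolver` are hypothetical names. The decision rule (method-level annotation wins over class-level, and an operation with no annotation anywhere is denied) is a fail-closed choice made here, not something the post specifies.

```java
import java.lang.annotation.Annotation;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public class RoleAnnotationDemo {

    // Stand-in for javax.annotation.security.RolesAllowed (same shape: String[] value()).
    @Retention(RetentionPolicy.RUNTIME)
    @Target({ElementType.TYPE, ElementType.METHOD})
    public @interface RolesAllowed {
        String[] value();
    }

    // Hypothetical endpoint POJO: class-level default role, one method overriding it.
    @RolesAllowed("user")
    public static class AccountService {
        public String getBalance(String id) { return "balance for " + id; }

        @RolesAllowed({"admin", "auditor"})
        public String closeAccount(String id) { return "closed " + id; }
    }

    // Hypothetical endpoint with no role annotations at all.
    public static class LegacyService {
        public String ping() { return "pong"; }
    }

    // Resolver configured with the annotation's class name, as the post suggests. It loads
    // the annotation reflectively and reads its value() method, so the endpoint's own
    // annotation type (e.g. javax.annotation.security.RolesAllowed) can be plugged in by name.
    public static class AnnotationRoleResolver {
        private final Class<? extends Annotation> annotationClass;
        private final Method valueMethod;

        public AnnotationRoleResolver(String annotationClassName) throws Exception {
            annotationClass = Class.forName(annotationClassName).asSubclass(Annotation.class);
            valueMethod = annotationClass.getMethod("value");
        }

        // Expected roles for the named public method of the target class. A method-level
        // annotation wins over the class-level one; with neither present the list is empty,
        // which isAuthorized() treats as "deny" so that unannotated operations are not open.
        // Lookup is by name only, so overloaded methods share the first match found.
        public List<String> getExpectedRoles(Class<?> target, String methodName) throws Exception {
            for (Method m : target.getMethods()) {
                if (m.getName().equals(methodName) && m.isAnnotationPresent(annotationClass)) {
                    return rolesOf(m.getAnnotation(annotationClass));
                }
            }
            if (target.isAnnotationPresent(annotationClass)) {
                return rolesOf(target.getAnnotation(annotationClass));
            }
            return Collections.emptyList();
        }

        private List<String> rolesOf(Annotation a) throws Exception {
            return Arrays.asList((String[]) valueMethod.invoke(a));
        }
    }

    // The check an AuthorizingInInterceptor subclass would apply to the authenticated
    // caller's roles: at least one expected role must be held, and an empty expectation
    // is a denial (fail closed).
    public static boolean isAuthorized(List<String> expectedRoles, Set<String> callerRoles) {
        if (expectedRoles.isEmpty()) {
            return false;
        }
        for (String role : expectedRoles) {
            if (callerRoles.contains(role)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        AnnotationRoleResolver resolver =
            new AnnotationRoleResolver(RolesAllowed.class.getName());
        // Constructed caller: authenticated with the single role "user".
        Set<String> caller = new HashSet<>(Arrays.asList("user"));

        Object[][] calls = {
            {AccountService.class, "getBalance"},   // class-level "user"     -> allow
            {AccountService.class, "closeAccount"}, // method-level admin/auditor -> deny
            {LegacyService.class, "ping"},          // no annotation           -> deny
        };
        for (Object[] call : calls) {
            Class<?> target = (Class<?>) call[0];
            String op = (String) call[1];
            List<String> expected = resolver.getExpectedRoles(target, op);
            System.out.println(target.getSimpleName() + "." + op + " expects " + expected
                + " -> " + (isAuthorized(expected, caller) ? "ALLOW" : "DENY"));
        }
    }
}
```

Two points worth keeping in mind when wiring something like this into an interceptor: the role list is derived from the class, not from the caller, so the interceptor must still obtain the caller's roles from the Subject that the authentication interceptor (or the container) established earlier in the chain; and because `getMethods()` includes public methods inherited from superclasses, a class-level annotation also governs those inherited operations, which is usually what one wants but should be a conscious decision.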
