Hi Vishal.
Thanks for your detailed answer.
I used web services a while ago, when WS-Security was not a topic, so correct me
if I'm wrong. Since I will use the JAX-WS implementation with the WSIT extension
(which includes WS-Security) I can't use the Spring-WS implementation, can I? If
I understand you correctly, I have to implement some kind of filter that will
get the authentication information from the web service request and put it into
the security context myself. That's because WS-Security has no standard way
to put e.g. username/password information into the web service request? But what
is the specification all about then? Shouldn't that be handled in a standard
way? Or are you talking about things like encryption of the message content
etc.? For me it would be enough for the first step to do "simple"
authentication/authorization on username/password/group level.
Sorry if I have understood this completely wrong.
Regards,
Veit
Original Message
Date: Fri, 15 Jun 2007 10:16:17 +1000
From: Vishal Puri <[EMAIL PROTECTED]>
To: acegisecurity-developer@lists.sourceforge.net
Subject: Re: [Acegisecurity-developer] Webservices and acegi
> Hi Veit
>
> You can use acegi (Spring Security) with your webservices
> infrastructure. As a matter of fact, the WS-Security implementation of
> the excellent Spring Web Services provides integration with acegi (Spring
> Security). This means you can use your existing Acegi configuration for
> your SOAP service as well.
>
> There is not a generic implementation of such a service available that
> "can take authentication information from the soap requests and put it
> automatically into the SecurityContext", simply because there isn't a
> single way to embed authentication information in SOAP requests, and
> most of the time the SOAP request is itself embedded in proprietary message
> types. Nevertheless, writing such a thing would be as simple as this:
>
> String userName = // xpath or other way to get username
> String passwd = // xpath or other way to get password
> String role = // xpath or other way to get role
>
> GrantedAuthorityImpl ga = new GrantedAuthorityImpl(role);
> GrantedAuthority[] roles = new GrantedAuthority[] {ga};
> Authentication authentication =
>     new UsernamePasswordAuthenticationToken(userName, passwd, roles);
>
> SecurityContextHolder.getContext().setAuthentication(authentication);
>
> and then acegi's authentication mechanism can be used for password
> authentication.
>
> Also, have a look at the reference docs of Spring Web Services for more
> information:
> http://static.springframework.org/spring-ws/site/reference/html/security.html#d0e2678
>
> Regards,
> Vishal Puri
>
> Veit Guna wrote:
> > Hi.
> >
> > I'm planning a project where webservices (JAX-WS) will be used. As
> > security mechanisms, Basic-Authentication over SSL and WS-Security
> > (WSIT) should be supported. Since I use Spring and used acegi before in
> > a JSF webapp successfully, I would like to go on using acegi for
> > this new project too.
> >
> > Now my question is, does acegi have WS support in any way? I think
> > Basic-Authentication over SSL should be no problem using standard url
> > pattern filtering, but what about WS-Security? Is there something that
> > can take authentication information from the soap requests and put it
> > automatically into the SecurityContext so it is available to the whole
> > application (Thread), not only in the webtier?
> >
> > It would be fine if acegi could be the single-point-of-security in my app.
> >
> > Regards,
> > Veit
> >
> >
> >
> -
> > This SF.net email is sponsored by DB2 Express
> > Download DB2 Express C - the FREE version of DB2 express and take
> > control of your XML. No limits. Just data. Click to get it now.
> > http://sourceforge.net/powerbar/db2/
> > ___
> > Home: http://acegisecurity.org
> > Acegisecurity-developer mailing list
> > Acegisecurity-developer@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
> >
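
Added example, not code from this thread or from the Acegi project: a JAX-WS handler that reads a WS-Security UsernameToken and, unlike the snippet quoted above, takes no role from the request, leaving password verification and role assignment to the existing Acegi AuthenticationManager. The class name is hypothetical; it assumes a plain-text password sent over SSL, a SOAP stack that leaves the wsse:Security header visible to handlers, and that handler and endpoint run on the same thread.

```java
import java.util.Collections;
import java.util.Set;
import javax.xml.namespace.QName;
import javax.xml.soap.SOAPHeader;
import javax.xml.ws.WebServiceException;
import javax.xml.ws.handler.MessageContext;
import javax.xml.ws.handler.soap.SOAPHandler;
import javax.xml.ws.handler.soap.SOAPMessageContext;
import org.acegisecurity.Authentication;
import org.acegisecurity.AuthenticationManager;
import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import org.w3c.dom.NodeList;

// Hypothetical handler (assumption, not an Acegi class); add it to the endpoint's handler chain.
public class UsernameTokenAcegiHandler implements SOAPHandler<SOAPMessageContext> {
    private static final String WSSE =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    private final AuthenticationManager authenticationManager; // the existing Acegi bean

    public UsernameTokenAcegiHandler(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }
    public boolean handleMessage(SOAPMessageContext ctx) {
        if (Boolean.TRUE.equals(ctx.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY))) return true;
        try {
            SOAPHeader header = ctx.getMessage().getSOAPHeader();
            // Two-argument token is unauthenticated: no authorities are taken from the request.
            Authentication request = new UsernamePasswordAuthenticationToken(
                text(header, "Username"), text(header, "Password"));
            // Throws on bad credentials; the returned token carries server-side authorities.
            Authentication result = authenticationManager.authenticate(request);
            SecurityContextHolder.getContext().setAuthentication(result);
            return true;
        } catch (Exception e) {
            SecurityContextHolder.clearContext();
            throw new WebServiceException("Authentication failed"); // no detail to the caller
        }
    }
    private static String text(SOAPHeader header, String localName) {
        NodeList nodes = header == null ? null : header.getElementsByTagNameNS(WSSE, localName);
        if (nodes == null || nodes.getLength() != 1) {
            throw new IllegalArgumentException("expected exactly one wsse:" + localName);
        }
        return nodes.item(0).getTextContent();
    }
    public boolean handleFault(SOAPMessageContext ctx) { return true; }
    // Clear the thread-bound context so a pooled thread does not keep the caller's identity.
    public void close(MessageContext ctx) { SecurityContextHolder.clearContext(); }
    public Set<QName> getHeaders() { return Collections.singleton(new QName(WSSE, "Security")); }
}
```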