Hi Guillaume, Thanks for the response. I've been poking around the code for JAAS in SM and it is looking very good!
>From what I can tell I should use JAAS at the web service BC for authentication and then use the secure broker which will act as a JAAS enforcement point for authorization. The next question is how can I associate authentication information with some random service engine I deploy so that they too can access a service engine I've locked down through a security policy. This bit wasn't clear to me from the code. Michael. -----Original Message----- From: Guillaume Nodet [mailto:[EMAIL PROTECTED] Sent: 28 July 2006 12:20 To: [email protected] Subject: Re: servicemix-http and service endpoints The only option I see while keeping WS-Addressing is to use the authentication / authorization mechanism to only allow some endpoint to be targeted for a given role. This is not documented yet, but you will find example in the junit tests. Else, you could use some kind of content based routing and have a better control on the targets you allow. On 7/27/06, Michael Studman <[EMAIL PROTECTED]> wrote: > > Hi, > > > > It seems that when using servicemix-http (M2) to add a WS binding to a > JBI service, a WS-Addressing "To" header will override the > service/endpoint name specified in the SU's configuration. This allows > sending a message to one JBI service's web service but have it > ultimately delivered to a totally different service. > > > > I need the WS-Addressing goodness so I can specify the > operation/interface name through "Action" header but would like to keep > a tight rein on exactly what I allow exposed as a web service. Can any > servicemix developers recommend how I do this? > > > > Michael. > > > -- Cheers, Guillaume Nodet
