On Sat, Jun 9, 2012 at 6:15 AM, Lenny Primak <[email protected]> wrote: > Rest and SOAP WS are not the same thing. I use Shiro to secure REST WS as > well, but this is not the original question. > I too am looking for a solution to secure SOAP web services with Shiro but > have yet to find one.
You can certainly secure the SOAP endpoint with an URL-based security configuration. On the client side, you need a SOAP client implementation that allows supplying custom http headers. Nowadays most do, I've done this type of securing with Axis, XFire and CXF in the past. Consider whether you really need WS security, since using it comes with heavy performance penalty (e.g. http://en.wikipedia.org/wiki/WS-Security). Kalle > > > On Jun 9, 2012, at 8:02 AM, Paulo Pires <[email protected]> wrote: > >> I use Shiro to replace WS-Security. >> >> Simply, I create my REST WS and put annotations like >> @RequiresAuthentication or @RequiresRole (don't forget to check on using >> aspects for annotation support) and then define in shiro.ini the paths >> and respective filters, like: >> >> [urls] >> /rest/auth = ssl, rest >> /rest/admin = ssl, rest >> >> And that's it so far. /rest/auth authenticates and returns a cookie than >> it's sent on every other request. if you don't set it, for instance, >> when reaching /rest/admin which @RequiresAuthentication, you'll receive >> an 500 error. I'd like to have 401 or 403 but I'm not sure how to do it, >> yet. >> >> Cheers, >> PP >> >> On 09/06/12 09:22, ipas wrote: >>> Hi, How to use shiro to secure JAX-WS services? Is there any way to >>> integrate shiro with WS-Security or use instead of it? >>> >>> Thank you. >>> >>> -- >>> View this message in context: >>> http://shiro-user.582556.n2.nabble.com/JAX-WS-services-and-shiro-tp7577486.html >>> Sent from the Shiro User mailing list archive at Nabble.com. >> >> -- >> Paulo Pires >>
