Daniel, Thanks for the response and the pointers. Appreciate it. So I guess you are saying that the BindingOperationInfo is not available at the time WSS4JInInterceptor is invoked but is available after that in later interceptors.
Thank you for your time.

----- Original Message ----
From: Daniel Kulp <[EMAIL PROTECTED]>
To: [email protected]
Cc: tedzo <[EMAIL PROTECTED]>
Sent: Monday, September 22, 2008 12:40:22 PM
Subject: Re: Support for authorization in CXF?

On Monday 22 September 2008 2:56:27 pm tedzo wrote:
> Hello,
> Using CXF 2.1.1/tomcat 6 to expose Web services. I need to
> 1) authenticate web service calls and
> 2) authorize the call (i.e., ensure that the caller has rights to execute
> the call).
>
> I am trying to find out if there is a CXF recommended solution to
> accomplish the authorization part of the problem. My first reaction is to
> authenticate the call and then, if that test passes, test whether the user
> is authorized to execute the call, all this happening within the
> WSS4JInInterceptor's password callback class. Is there another way to do
> this? FYI, I need the username and the name of the method that was called
> in order to authorize the call.

You cannot do the authorization part within the callback as the operation
is not known at that point. (The body could still be encrypted, for
example.) That would need to be done later.

There are a couple of ways to go:

1) Acegi/SpringSecurity method: In your callback (or in an interceptor
after the WSS4JInInterceptor), grab the principal that WSS4J created and
set that into the Acegi security contexts. The Acegi annotations and stuff
on the endpoint can then control things.

2) Custom method: in an interceptor late in the chain, you can get the
principal (with username/password/etc...) from the message and the
BindingOperationInfo (to get the operation stuff) and perform any type of
Authorization you want.

--
Daniel Kulp
[EMAIL PROTECTED]
http://www.dankulp.com/blog
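An added example of Daniel's second option (the "custom method"), written for this page and not taken from Daniel's mail or from the CXF project: a phase interceptor placed in PRE_INVOKE, which runs after WSS4JInInterceptor (PRE_PROTOCOL) has authenticated the caller and after the SOAP body has been decrypted and unmarshalled, so both the principal and the BindingOperationInfo are present. It assumes CXF 2.2 or later, where WSS4JInInterceptor publishes the authenticated principal through org.apache.cxf.security.SecurityContext; on the 2.1.x line discussed in the thread the principal would instead have to be read from the WSS4J results that the interceptor stores on the message. The allow-list is a constructed placeholder; a real deployment would load it from configuration.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import javax.xml.namespace.QName;

import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.security.SecurityContext;
import org.apache.cxf.service.model.BindingOperationInfo;

/**
 * Illustrative per-operation authorization interceptor (example code, not CXF's own).
 * PRE_INVOKE is late enough in the inbound chain that WS-Security processing has
 * finished and the operation has been resolved from the parsed body.
 */
public class OperationAuthorizationInterceptor extends AbstractPhaseInterceptor<Message> {

    // Constructed allow-list: operation local name -> users permitted to call it.
    private final Map<String, Set<String>> allowedUsers = new HashMap<String, Set<String>>();

    public OperationAuthorizationInterceptor() {
        super(Phase.PRE_INVOKE);
        allowedUsers.put("getBalance", new HashSet<String>(Arrays.asList("alice", "bob")));
        allowedUsers.put("transfer", new HashSet<String>(Arrays.asList("alice")));
    }

    public void handleMessage(Message message) throws Fault {
        // Principal established by WSS4JInInterceptor (UsernameToken, signature, ...).
        // Assumption: CXF 2.2+ exposes it via SecurityContext on the message.
        SecurityContext sc = message.get(SecurityContext.class);
        Principal principal = (sc == null) ? null : sc.getUserPrincipal();
        if (principal == null) {
            // Fail closed: no authenticated identity means no authorization decision.
            throw new Fault(new SecurityException("Request is not authenticated"));
        }

        // Operation resolved from the (now decrypted and parsed) SOAP body.
        BindingOperationInfo boi = message.getExchange().get(BindingOperationInfo.class);
        if (boi == null) {
            throw new Fault(new SecurityException("Operation could not be determined"));
        }
        QName opName = boi.getName();

        if (!isAllowed(principal.getName(), opName.getLocalPart())) {
            // Throwing a Fault here aborts the chain before the service bean is invoked
            // and returns a SOAP fault to the caller.
            throw new Fault(new SecurityException("Not permitted to invoke " + opName));
        }
    }

    /** Default-deny: an operation absent from the table is callable by nobody. */
    boolean isAllowed(String user, String operation) {
        Set<String> users = allowedUsers.get(operation);
        return users != null && users.contains(user);
    }
}
```

Register the interceptor on the endpoint after WSS4JInInterceptor, for example with `endpoint.getInInterceptors().add(new OperationAuthorizationInterceptor())` or the equivalent `<jaxws:inInterceptors>` entry; because the decision is keyed on the operation taken from the exchange rather than on a SOAPAction header or URL, a caller cannot change which rule applies by relabelling the request.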
