Hi All,
I am currently trying to implement a ReST service and was hoping to add
some security to it. AFAIK, WS-Security is already not an option since I
am not exposing a SOAP service (am I wrong here?).
I tried searching the forums for some hint on where to go. I was able to
find entries re: HTTP Basic and SSL. I was hoping to take advantage of
the username/pwd of HTTP Digest and use that later in the request
processing, e.g. check privilege on the object accessed.
I am already inclined to create a handler/interceptor to retrieve an
"Authorization" header param and perform the hash calculation and
comparison there. I am unsure of two things:
1. Is the custom interceptor/handler really necessary? There might
already be some built-in function in CXF that I missed.
2. Should I be expecting the Authorization as a header param, i.e.
((Map<String, String>)message.get(Message.PROTOCOL_HEADERS)).get("Authorization");
or something else? I tried using Chris Dail's sample interceptor, but this
code always gets a null:
AuthorizationPolicy policy = message.get(AuthorizationPolicy.class)
I am unable to test it properly as I have no idea how to create the
client side. I tried following the HttpClient sample code
(http://svn.apache.org/viewvc/httpcomponents/oac.hc3x/trunk/src/examples/BasicAuthenticationExample.java?view=markup)
to no avail. The policy remains null.
Again, my thanks for your assistance.
Gabo