Thanks for the ThreadLocal tip. We are planning to use HTTP basic authentication. I am still getting my head around CXF, so I have more questions:
1. At what point do I get the header?
2. What about the case when the caller has not authenticated at all? AFAIU authentication kicks in before the request hits the processing servlet.

Regards,

Slava Imeshev

> -----Original Message-----
> From: derek.adams [mailto:[email protected]]
> Sent: Friday, February 20, 2009 10:27 AM
> To: [email protected]
> Subject: RE: Authentication and authorization
>
> Which authentication method are you using? If you are using WS-Security via the WSS4JInInterceptor, then you can set the authenticated user in your password callback class. Generally, the easiest method is to set a thread local variable (the method Spring security uses). If you are using HTTP basic authentication, I am pretty sure you would be able to get the username from the HTTP headers.
>
> Slava Imeshev wrote:
> >
> > Hi Derek,
> >
> > Thank you. How will the webservice implementation know who is calling? And how will it know that in one case the user has not been authenticated?
> >
> > Regards,
> >
> > Slava Imeshev
> >
> > P.S. There is no Spring in the picture
>
> --
> View this message in context: http://www.nabble.com/Authentication-and-authorization-tp22111513p22125831.html
> Sent from the cxf-user mailing list archive at Nabble.com.
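Added example, not part of the original thread and not CXF code: a plain-JDK illustration of the thread-local approach discussed above, covering the case where the caller sent no credentials. The class and method names (`BasicAuthContext`, `parseUser`, `handle`, `serviceMethod`) are hypothetical, and it assumes the container or an earlier step has already verified the password; this code only extracts the identity.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;

public class BasicAuthContext {
    // Per-thread caller identity; empty when the request carried no usable credentials.
    private static final ThreadLocal<Optional<String>> CALLER =
            ThreadLocal.withInitial(Optional::empty);

    /** Extracts the username from an Authorization header value; empty if absent or malformed.
     *  Assumption: password verification happens elsewhere (e.g. in the servlet container). */
    static Optional<String> parseUser(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            return Optional.empty();
        }
        try {
            byte[] raw = Base64.getDecoder().decode(header.substring(6).trim());
            String pair = new String(raw, StandardCharsets.UTF_8);
            int colon = pair.indexOf(':');   // split on the first ':'; the password may contain more
            return colon > 0 ? Optional.of(pair.substring(0, colon)) : Optional.empty();
        } catch (IllegalArgumentException badBase64) {
            return Optional.empty();         // treat undecodable credentials as unauthenticated
        }
    }

    /** Runs one request with the caller bound to the thread, always clearing it afterwards. */
    static String handle(String authorizationHeader) {
        CALLER.set(parseUser(authorizationHeader));
        try {
            return serviceMethod();
        } finally {
            CALLER.remove();   // pooled threads must not carry an identity into the next request
        }
    }

    // Stand-in for the web service implementation: it reads the caller from the thread local.
    static String serviceMethod() {
        return CALLER.get().map(u -> "hello " + u).orElse("401: not authenticated");
    }

    public static void main(String[] args) {
        // Constructed sample header for user "alice"
        String header = "Basic " + Base64.getEncoder()
                .encodeToString("alice:s3cret".getBytes(StandardCharsets.UTF_8));
        System.out.println(handle(header));        // authenticated caller
        System.out.println(handle(null));          // no Authorization header at all
        System.out.println(handle("Basic !!!"));   // malformed credentials
    }
}
```

The `finally` block matters on servers that reuse worker threads: without `remove()`, an unauthenticated request could observe the identity left behind by the previous one.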
