On Fri February 20 2009 5:20:27 pm Christian Schneider wrote:
> Hi Dan,
>
> thanks for this great hint. I did not know this was so easy. Is this
> already described somewhere in the wiki?
> If not I could write a page about it.

Probably not as it's part of the JAX-WS spec so is kind of "assumed" to be knowledge. That said, all the "security" related things need MUCH better documentation on the wiki. We need much more information about WS-Security, authentication, integration with Spring security, etc....

> Can I make this work with JMS too? I guess currently it will not work. I
> know that it is possible in Tibco EMS to get the client user that sent
> the message as a JMS header.
> I guess we could use this to populate the context. ActiveMQ will
> probably support something similar. On a quick search I found
> http://activemq.apache.org/maven/activemq-core/apidocs/org/apache/activemq/broker/UserIDBroker.html .
> As far as I read this could do the trick.

If you can get the Principal (and roles if possible), then it's real easy to do. If you look in the Http destination, it basically creates an object that implements org.apache.cxf.security.SecurityContext (interface in API project) that wraps the calls on the ServletRequest and sets that on the message. The WebServiceContext is really looking for that object on the message. Thus, if JMS provided an implementation of that interface that could get the information, then it should work identically.

Dan

> Greetings
>
> Christian
>
> Daniel Kulp wrote:
> > On Fri February 20 2009 1:21:42 pm Slava Imeshev wrote:
> >> Daniel,
> >>
> >> I am pretty new to CXF. I'd be very grateful if you could point me
> >> in the right direction. Any examples/tutorials?
> >
> > It's pretty simple actually. In your Impl bean, add a field:
> >
> >
> > @Resource
> > private WebServiceContext context;
> >
> > That will get the context injected.
> >
> >
> > Then in your method, do:
> >
> > context.getUserPrincipal()
> > or
> > context.isUserInRole("blah");
> >
> > As long as the user has authenticated (basic auth), then those methods
> > should return the information that the app server returns from the
> > HttpServletRequest.
> >
> > Dan
> >
> >> Regards,
> >>
> >> Slava Imeshev
> >>
> >>> -----Original Message-----
> >>> From: Daniel Kulp [mailto:[email protected]]
> >>> Sent: Friday, February 20, 2009 7:58 AM
> >>> To: [email protected]
> >>> Cc: Slava Imeshev
> >>> Subject: Re: Authentication and authorization
> >>>
> >>>
> >>> The JAX-WS spec kind of covers this.
> >>>
> >>> If you inject WebServiceContext, from the context, you can
> >>> get the user principal and call the isUserInRole call which
> >>> would call back into the tomcat auth modules. From that, you
> >>> can act on it any way you please.
> >>>
> >>> Dan
> >>>
> >>> On Thu February 19 2009 5:58:12 pm Slava Imeshev wrote:
> >>>> Hi all,
> >>>>
> >>>> I have an interesting use case that I am not sure how to approach.
> >>>>
> >>>> Consider a service MyService on Tomcat, pseudocode:
> >>>>
> >>>> MyService {
> >>>>     Set<Entry> getEntries();
> >>>> }
> >>>>
> >>>> For that service, if the requester did not authenticate, the
> >>>> getEntries would return a limited list of entries, only those
> >>>> allowed for "public" access. If the requestor did authenticate,
> >>>> the service returns an extended set. How can this be done with CXF?
> >>>>
> >>>> Regards,
> >>>>
> >>>> Slava Imeshev
> >>>
> >>> --
> >>> Daniel Kulp
> >>> [email protected]
> >>> http://www.dankulp.com/blog

--
Daniel Kulp
[email protected]
http://www.dankulp.com/blog
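
The use case from the start of this thread (a public list for anonymous callers, an extended one for authenticated callers), written against the injected WebServiceContext. This is an added example, not part of the original messages and not CXF's own code. The class name MyServiceImpl, the Entry fields and the sample data are assumptions, and the imports use the javax.* package names of JAX-WS 2.x.

```java
import java.security.Principal;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.annotation.Resource;
import javax.jws.WebService;
import javax.xml.ws.WebServiceContext;

@WebService
public class MyServiceImpl {

    /** Hypothetical entry type; publicAccess marks rows anonymous callers may see. */
    public static class Entry {
        public String name;
        public boolean publicAccess;
        public Entry() { }                        // no-arg constructor for JAXB
        public Entry(String name, boolean publicAccess) {
            this.name = name;
            this.publicAccess = publicAccess;
        }
    }

    @Resource
    private WebServiceContext context;            // injected by the JAX-WS runtime

    // Constructed sample data standing in for a real data store.
    private static final Entry[] ALL = {
        new Entry("release-notes", true),
        new Entry("pricing", true),
        new Entry("customer-list", false),
    };

    public Set<Entry> getEntries() {
        // getUserPrincipal() returns null when the container has not
        // authenticated the caller, so null selects the public view.
        return filter(context.getUserPrincipal());
    }

    /** Fail closed: restricted entries are added only for a non-null principal. */
    static Set<Entry> filter(Principal caller) {
        Set<Entry> visible = new LinkedHashSet<Entry>();
        for (Entry e : ALL) {
            if (e.publicAccess || caller != null) {
                visible.add(e);
            }
        }
        return visible;
    }
}
```

To gate on a role instead of on authentication alone, the `caller != null` test would become a call to `context.isUserInRole(...)` with a role name defined in the container's realm.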
