Hi Kynan
here's a sample CustomInvoker:
http://svn.apache.org/repos/asf/cxf/trunk/systests/src/test/java/org/apache/cxf/systest/jaxrs/CustomJAXRSInvoker.java
At the moment filters/invokers cannot get contexts like SecurityContext injected so it has to be created manually.
Or you can just get m.get(org.apache.cxf.security.SecurityContext.class) from
the message and get Principal from there.
Or would you like to work directly with HTTP headers? They're available on the message too, you can also do
HttpHeaders headers = new HttpHeadersImpl(m) and use HttpHeaders...
Let me know please if you need more info
cheers, Sergey
----- Original Message -----
From: "Kynan Fraser" <[email protected]>
To: <[email protected]>
Sent: Thursday, July 02, 2009 9:44 AM
Subject: Re: Security in Jaxws/Jaxrs
Hi Sergey,
As a follow up to this, I'm trying to implement a basic http filter using a
request handler. Is there a way to obtain the http auth info? I can't find
it on any of the contexts or message.
Is there an example of a basic auth client and a request handler or custom
invoker handling the authentication?
Thanks,
Kynan
Sergey Beryozkin wrote:
Hi Vishal
I'm very sorry for a late reply - I was planning to reply much earlier but
then I got swamped with some work and forgot.
There're a number of options, depending on your preferences
1. Do it in the application code, in the resource class. This may or
may not be the best option. Typically this is something users prefer to do
outside of the application code. But then you may want to look at the
resource class which checks the injected SecurityContexts as the facade or
as an interceptor really which delegates to the actual application class
which may make this option more viable.
So in this case you have to have
@Resource WebServiceContext jaxwsContext;
@Context SecurityContext jaxrsSecurityContext;
declared in your code. Next, you need to figure out whether it's a JAXWS
or JAXRS invocation in progress, so you can do it like this
// not sure at the moment how exactly to get security context from jaxws one
if (jaxwsContext.getSecurityContext() == null) {
checkPrincipal(jaxrsSecurityContext.getPrincipal());
} else {
checkPrincipal(jaxwsContext.getSecurityContext().getPrincipal());
}
2. Use Spring security - we have some simple tests showing how
authentication and authorization can be done
3. For JAXRS : Use CXF JAX-RS RequestFilter or custom invoker (which
simply extends JAXRSInvoker and is registered as an invoker property)
where you can get all the info you need (method name, Principal, etc)
For JAXWS : do a custom CXF in Interceptor which will throw Fault if
needed.
Perhaps there're more options... Let me know please if you need more info
on any of these options
Cheers, Sergey
Vishal.a wrote:
Hello All,
I have services written, that have both JaxRs and Jaxws. I have to
implement security on the services now. There are 2 things I need to do
1. Authentication - Using Basic Http Authentication
2. Authorization - Secure each and every method.
I have seen posts that show me how to do for either JaxRS or Jaxws, can
someone tell me what would be the best way to approach it for doing it
for both REST and SOAP.
Any help is appreciated.
Thanks,
Vishal
--
View this message in context:
http://www.nabble.com/Security-in-Jaxws-Jaxrs-tp23266441p24303305.html
Sent from the cxf-user mailing list archive at Nabble.com.
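
An added example, not part of the original thread and not CXF code: one way a request handler could validate Basic credentials once it has the raw Authorization header value, for instance from the HttpHeaders object mentioned at the top of the thread. The class name, method names and sample credentials are hypothetical, and decoding the credentials as UTF-8 is an assumption.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
// Added example: hypothetical names, plain JDK, not CXF code.
public class BasicAuthCheck {

    /** Returns {user, password}, or null if the header is absent or malformed. */
    static String[] parse(String authorization) {
        // The scheme name is case-insensitive and is followed by a space.
        if (authorization == null || !authorization.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;
        }
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(authorization.substring(6).trim());
        } catch (IllegalArgumentException e) {
            return null; // token is not valid Base64
        }
        String pair = new String(decoded, StandardCharsets.UTF_8); // charset is an assumption
        int colon = pair.indexOf(':'); // split on the first colon: passwords may contain ':'
        if (colon < 0) {
            return null;
        }
        return new String[] {pair.substring(0, colon), pair.substring(colon + 1)};
    }

    /** Byte-wise comparison without the early exit of String.equals. */
    static boolean matches(String supplied, String expected) {
        return MessageDigest.isEqual(supplied.getBytes(StandardCharsets.UTF_8), expected.getBytes(StandardCharsets.UTF_8));
    }

    /** Status a filter would answer with: 200 to let the call through, 401 to challenge. */
    static int check(String authorization, String user, String password) {
        String[] creds = parse(authorization);
        if (creds == null) {
            return 401;
        }
        // Non-short-circuit '&' so both fields are always compared.
        return matches(creds[0], user) & matches(creds[1], password) ? 200 : 401;
    }

    public static void main(String[] args) {
        // Constructed sample credentials, not taken from the thread.
        String token = Base64.getEncoder().encodeToString("alice:s3cr:et".getBytes(StandardCharsets.UTF_8));
        System.out.println(check("basic " + token, "alice", "s3cr:et"));
        System.out.println(check("Basic " + token, "alice", "wrong"));
        System.out.println(check("Basic !!not-base64!!", "alice", "s3cr:et"));
    }
}
```

A 401 response built from this result would normally carry a `WWW-Authenticate: Basic` header so the client knows which scheme to retry with.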