If you use the servlet container's authentication and transport security
methods (through WEB-INF/web.xml) to force authentication (such as HTTP
BASIC Auth over HTTPS), you can simply put the following line in your
service implementation class.
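import javax.annotation.Resource;
import javax.xml.ws.WebServiceContext;

/**
 * The web-service context will be automatically injected by the
 * JAX-WS Container.
 */
@Resource
private WebServiceContext context;

// in your methods where you need to check the caller:
// getUserPrincipal() returns null when the caller is not authenticated
if (context.getUserPrincipal() != null)
{
    log.info(context.getUserPrincipal().getName() + ":: just called our methods");
}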
Regards,
Josef
-----Original Message-----
From: Eamonn Dwyer [mailto:[email protected]]
Sent: 19 August 2009 12:57
To: [email protected]
Subject: RE: Determining Caller's Identity
Hi Stephen
Not quite what you want but maybe you could do something like this
inside an interceptor rather than inside your service.
// TLSSessionInfo is read from the message with get(); it is null for non-TLS requests
TLSSessionInfo tlsSessionInfo = message.get(TLSSessionInfo.class);
Certificate[] peerCerts = tlsSessionInfo.getPeerCertificates();
// ... check the peer certificates and authorize based on this
Regards
Eamonn
> From: [email protected]
> To: [email protected]
> Subject: Determining Caller's Identity
> Date: Tue, 18 Aug 2009 14:37:12 -0400
>
> I have written an Apache CXF Web Service (WSDL First), inside the
> service I want to enforce authorization based on the identity of the
> client that called the service. I wanted to know if there was an API
> call I can make from the service implementation to obtain the client
> identity. For example if the client authenticates over HTTPS with a
> client certificate.
>
> --Steve
>
> Stephen Langella
> Co-Founder
> Inventrio, LLC
> www.inventrio.com
>
> [email protected]
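The interceptor approach suggested in the thread, written out as an added example (not code from the original posters or from the CXF project). The class name and the allow-listed DN are hypothetical, and it assumes the TLS layer is configured to request client certificates and has already validated the chain against its trust store, so the interceptor only decides authorization.

```java
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Set;
import javax.security.auth.x500.X500Principal;

import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.security.transport.TLSSessionInfo;

/** Hypothetical interceptor: authorizes callers by client-certificate subject DN. */
public class ClientCertAuthorizationInterceptor extends AbstractPhaseInterceptor<Message> {

    // Constructed sample allow-list; load from configuration in a real deployment.
    private static final Set<X500Principal> ALLOWED = Set.of(
            new X500Principal("CN=billing-client,O=Example Corp,C=US"));

    public ClientCertAuthorizationInterceptor() {
        super(Phase.PRE_INVOKE); // runs before the service method is invoked
    }

    @Override
    public void handleMessage(Message message) throws Fault {
        // Absent when the request did not arrive over TLS.
        TLSSessionInfo tls = message.get(TLSSessionInfo.class);
        if (tls == null) {
            throw deny("request did not arrive over TLS");
        }
        // Null or empty when the client presented no certificate.
        Certificate[] peerCerts = tls.getPeerCertificates();
        if (peerCerts == null || peerCerts.length == 0
                || !(peerCerts[0] instanceof X509Certificate)) {
            throw deny("no X.509 client certificate presented");
        }
        // peerCerts[0] is the client's own (leaf) certificate; the rest is its chain.
        X500Principal subject = ((X509Certificate) peerCerts[0]).getSubjectX500Principal();
        // X500Principal.equals compares canonical DNs, so spacing/case variants match.
        if (!ALLOWED.contains(subject)) {
            throw deny("caller not authorized: " + subject.getName());
        }
    }

    private static Fault deny(String reason) {
        return new Fault(new SecurityException(reason));
    }
}
```

Matching on the full subject DN, rather than a substring of the CN, keeps a certificate with a look-alike name from passing the check.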