Indeed, after the discussion [1] on the mailing list around CXF and Spring Security I put the code into a temporary project on Google Code. Unfortunately, shortly afterwards I got absorbed by other things and the project got somewhat stalled. Here is what I have for the moment:
- An implementation of a (server side) password callback handler that integrates WS-Security with Spring Security. It delegates authentication (for UsernameToken) to Spring Security. - A feature (in the sense of org.apache.cxf.feature) that sets up a service to enable annotation based authorization. It binds the Authentication object provided by the password callback handler (or any other interceptor) to the thread that executes the service implementation. This works with JAX-WS and JAX-RS. - An initial implementation of an interceptor that implements HTTP Basic Authentication. This can be used as an alternative for the traditional servlet filter based implementation in Spring Security. - A Spring namespace handler defining some custom configuration tags that make configuration easier and that nicely integrate with the custom tags defined by Spring Security. It's not yet ready for inclusion in CXF, but as I indicated in the description of the project in Google Code, it is of course the intention to do this. I think that if we have some users who test the code and provide feedback and with the help of some CXF people to guide us in writing systests and documentation, it should be possible to achieve that goal. Please explain your use case a bit further so that we can work together to see how we can implement that use case. Regards, Andreas [1] http://old.nabble.com/CXF-%2B-JAX-RS-%2B-Spring-Security-(Acegi)-for-authorization-td25462665.html On Mon, Nov 9, 2009 at 16:54, Sergey Beryozkin <[email protected]> wrote: > Hi, > >> We have a need for application authorization using Spring security. There >> is >> a project in google containing what looks like a solution: >> http://code.google.com/p/cxf-spring-security/ . Is this slated for a >> future >> release of CXF? > > It's good to see Andreas actualy going ahead with this project...Hopefully > we'll get it integrated with CXF eventually, but I'm not aware when it might > happen. > > We have some simple Spring Security JAXRS system tests [1]. But they might > be of help even if you do JAX-WS. Though if you need to bridge between > WS-Security and Spring Security, then those tests won't give enough > info...Andreas and other users who've had some relevant experience may > help... > > cheers, Sergey > > [1] > http://svn.apache.org/repos/asf/cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/ > (contains all the tests and resources) > > corresponding web apps : > > [2] > http://svn.apache.org/repos/asf/cxf/trunk/systests/jaxrs/src/test/resources/jaxrs_security/ > [3] > http://svn.apache.org/repos/asf/cxf/trunk/systests/jaxrs/src/test/resources/jaxrs_security_cglib/ > [4] > http://svn.apache.org/repos/asf/cxf/trunk/systests/jaxrs/src/test/resources/jaxrs_security_no_annotations/ > >> -- >> View this message in context: >> http://old.nabble.com/Strategy-for-CXF-integration-with-Spring-Security-tp26268002p26268002.html >> Sent from the cxf-user mailing list archive at Nabble.com. >> > >
