hello, i'm investigating in securing my RESTful webservice with HTTP Basic authentication using the JAX-RS implementation of CXF.
i don't want to use spring, so i would prefer realizing the HTTP Basic authentication using annotations and java-code only. the manual states that one can check the HTTP security headers using a RequestHandler http://cxf.apache.org/docs/jax-rs.html#JAX-RS-CheckingHTTPsecurityheaders how can i programmatically register my custom RequestHandler? would it be possible to register a custom handler annotation-like - on a per-method basis? as i couldn't figure out, how-to register a RequestHandler in code, i currently used the following approach: use an AuthenticationInterceptor which extends JAXRSInInterceptor, similar to the example from http://chrisdail.com/2008/08/13/http-basic-authentication-with-apache-cxf-revisited/ when creating the service, i register the interceptor: JAXRSServerFactoryBean sf = new JAXRSServerFactoryBean(); ... sf.getInInterceptors().add(new AuthenticationInterceptor()); sf.create(); using this approach, i can't control if the service should use the interceptor on a per-method basis... thank you very much for your suggestions and best regards from vienna, josef ps: my more high-level goal, would be to use the http-basic authentication against a user database. as REST should be stateless i suppose, that i have to check every time, the use requests. currently i implement this, checking the user database within the AuthenticationInterceptor. if authentication succeeds, a AppUser objects will be stored within the Message object, so my Service methods can access them using the MessageContext. any suggestions on this approach? ------------------------------- Powered by http://www.init7.net
