> -----Original Message-----
> From: Sergey Beryozkin [mailto:[email protected]]
> Sent: Monday, January 18, 2010 10:01 AM
> To: [email protected]
> Subject: Re: help implementing secured resource methods?
>
> Hi
>
> <snip/>
>
> I've decided that I'm better off letting the container do the
> authentication and simple authorization and then doing fine-tuned
> authorization in my handler (my authorizations are data-based, not
> method-based, so Spring Security doesn't help me). I finally got
> through the role/group mapping stuff, so that my request with a valid
> Authorization header got serviced without a 401 or 403.
>
> However, I'm also seeing that when I get into my handler, the
> AuthorizationPolicy that I retrieve from the message is null. I can see
> the "Authorization" header right in the debugging. Is there something
> else I have to do to get my principal/credentials automatically parsed
> out so I don't have to do it manually?
>
> S.B : Can you try to set a breakpoint in
> org.apache.cxf.transport.http.AstractHttpDestination#setHeaders ? This
> is where AuthorizationPolicy is set...

It got there, and it appeared to do its work properly, but inside my handler, the following line got null:

    AuthorizationPolicy policy = (AuthorizationPolicy) message.getContent(AuthorizationPolicy.class);

I stepped through this call, and the hashmap didn't have an AuthorizationPolicy object in it, even though I saw "setHeaders()" put it there. I'll try again and see if I can find any other clues.

> But do you need AuthorizationPolicy which contains a decoded
> name/password only, or do you need a Principal object ?

When it gets down to it, I'm going to need to get the Principal object so I can do an LDAP query to get fine-grained group membership information. I don't really need the name/password.
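
Added example, not part of the original message and not code from CXF or from either poster: a sketch of reading the caller's identity from a CXF `Message` inside a handler. It assumes the HTTP transport stores both `SecurityContext` and `AuthorizationPolicy` as typed message properties (read with `message.get(Class)`, a different store from the one `message.getContent(Class)` searches); the class and method names are hypothetical.

```java
import java.security.Principal;

import org.apache.cxf.configuration.security.AuthorizationPolicy;
import org.apache.cxf.message.Message;
import org.apache.cxf.security.SecurityContext;

// Hypothetical helper for illustration; class and method names are assumptions.
public final class CallerIdentity {

    private CallerIdentity() { }

    // Returns the Principal established by the container's authentication.
    // Fails closed: without a Principal there is no identity on which to
    // base a fine-grained (for example LDAP group) authorization decision.
    public static Principal requirePrincipal(Message message) {
        // Assumption: the transport stores a SecurityContext as a typed message
        // property, so it is read with get(Class), not getContent(Class).
        SecurityContext sc = message.get(SecurityContext.class);
        Principal principal = (sc == null) ? null : sc.getUserPrincipal();
        if (principal == null || principal.getName() == null) {
            throw new SecurityException("request has no authenticated principal");
        }
        return principal;
    }

    // Returns the user name decoded from the Authorization header, or null
    // if no policy is present. This is only what the client sent; it is not
    // by itself proof that the container authenticated that user.
    public static String headerUserName(Message message) {
        // Assumption: setHeaders() stores the decoded policy with
        // put(AuthorizationPolicy.class, ...), i.e. as a property.
        AuthorizationPolicy policy = message.get(AuthorizationPolicy.class);
        return (policy == null) ? null : policy.getUserName();
    }
}
```

Keying the LDAP lookup on `requirePrincipal(...)` rather than on the decoded header ties the authorization decision to the identity the container actually verified.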
