> -----Original Message----- > From: Sergey Beryozkin [mailto:[email protected]] > Sent: Monday, January 18, 2010 10:01 AM > To: [email protected] > Subject: Re: help implementing secured resource methods? > > Hi > > <snip/> > > I've decided that I'm better off letting the container do the > authentication and simple authorization and then doing fine-tuned > authorization in my handler (my authorizations are data-based, not > method-based, so Spring Security doesn't help me). I finally got > through the role/group mapping stuff, so that my request with a valid > Authorization header got serviced without a 401 or 403. > > However, I'm also seeing that when I get into my handler, the > AuthorizationPolicy that I retrieve from the message is null. I can > see > the "Authorization" header right in the debugging. Is there something > else I have to do to get my principal/credentials automatically parsed > out so I don't have to do it manually? > > S.B : Can you try to set a breakpoint in > org.apache.cxf.transport.http.AstractHttpDestination#setHeaders ? This > is where AuthorizationPolicy is set...
Got it. The example on the CXF doc appears to be wrong (or the code is wrong). Instead of calling "getContent()", I had to call "get()". That gives the name/password, at least. > But do you need AuthorizationPolicy which contains a decoded > name/password only, or do you need a Principal object ? Will getting the Principal object make it easier to eventually get the LDAP group membership for that principal? That's my next step.
