Hi David
> S.B : Can you try to set a breakpoint in
> org.apache.cxf.transport.http.AbstractHTTPDestination#setHeaders ? This
> is where AuthorizationPolicy is set...

Got it. The example on the CXF doc appears to be wrong (or the code is wrong). Instead of calling "getContent()", I had to call "get()". That gives the name/password, at least.

> S.B : sorry, will fix the docs. I'll need to document some new features as soon as 2.2.6 gets released, so will do it then

> But do you need AuthorizationPolicy which contains a decoded
> name/password only, or do you need a Principal object ?

Will getting the Principal object make it easier to eventually get the LDAP group membership for that principal? That's my next step.

> S.B : not sure. If you add the following field to your RequestHandler :

    @Context
    private SecurityContext sc; // see [1]

then you can get the user name and check the Principal if the user is in some logical group but you need to know the name of this group. If the only reason you need to get the LDAP group membership is to compare it against some known group value then injecting SecurityContext would be the best way forward.

Just saw your follow-up message, indeed, you can get a SecurityContext from a MessageContext too

Cheers, Sergey

[1] https://jsr311.dev.java.net/nonav/releases/1.0/javax/ws/rs/core/SecurityContext.html
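The approach discussed in this message, as an added example that is not part of the original thread or CXF's own code: a CXF 2.x RequestHandler that reads the AuthorizationPolicy with get() and then uses the injected SecurityContext to check group membership. The class name GroupCheckHandler, the group name "admins" and the realm string are hypothetical, and the example assumes the container maps LDAP groups to roles visible to isUserInRole().

```java
import java.security.Principal;

import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;

import org.apache.cxf.configuration.security.AuthorizationPolicy;
import org.apache.cxf.jaxrs.ext.RequestHandler;
import org.apache.cxf.jaxrs.model.ClassResourceInfo;
import org.apache.cxf.message.Message;

// Hypothetical handler; register it as a provider on the JAX-RS endpoint.
public class GroupCheckHandler implements RequestHandler {

    // Hypothetical group name; it must match a role name the container knows.
    private static final String REQUIRED_GROUP = "admins";

    @Context
    private SecurityContext sc;

    public Response handleRequest(Message m, ClassResourceInfo resourceClass) {
        // Decoded Basic credentials, retrieved with get() as found in the thread.
        // Never log policy.getPassword().
        AuthorizationPolicy policy = m.get(AuthorizationPolicy.class);
        if (policy == null || policy.getUserName() == null) {
            return challenge();
        }

        // The Principal is only present if the container (or an earlier
        // interceptor) actually authenticated the caller; a decoded
        // name/password alone proves nothing.
        Principal principal = sc.getUserPrincipal();
        if (principal == null) {
            return challenge();
        }

        // Authenticated but not in the required group: deny, fail closed.
        if (!sc.isUserInRole(REQUIRED_GROUP)) {
            return Response.status(403).build();
        }
        return null; // null lets CXF continue to the resource method
    }

    private static Response challenge() {
        return Response.status(401)
                .header("WWW-Authenticate", "Basic realm=\"example\"")
                .build();
    }
}
```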
