If you are doing JAX-WS annotation [1], JAX-RS annotation [2], or POJO based services, it is fairly simple to wrap your implementation bean with Spring Security's method level security stuff [3]. That will give you operation level RBAC. You can also do more fine grained RBAC in your business logic if you need to.
For SOAP based services, the only gotcha here is that the CXF interceptor (you will build this) that sets up the Spring Security SecurityContext needs to be done after the MAPAggregator and/or OneWayProcessorInterceptor as these two interceptors can move processing of the request to another thread which will affect the way Spring Security works [4].

I can't vouch for the maturity of [1] or [2], but I have gotten this approach to work in the past so it is very possible even if it turns out that there isn't much available in the community.

[1] http://code.google.com/p/cxf-spring-security/
[2] http://cxf.547215.n5.nabble.com/Spring-Security-annotations-in-CXF-td561615.html
[3] http://static.springsource.org/spring-security/site/ & http://static.springsource.org/spring-security/site/docs/3.1.x/reference/ns-config.html#ns-method-security
[4] http://static.springsource.org/spring-security/site/docs/3.1.x/reference/technical-overview.html#d0e1605

David Valeri
---------------------------
http://davidvaleri.wordpress.com/
http://twitter.com/DavidValeri

-----Original Message-----
From: devkatiyar [mailto:[email protected]]
Sent: Monday, September 06, 2010 8:33 PM
To: [email protected]
Subject: Role based Access Control (RBAC) for web services

Hi,

I have to develop role based access control for securing my web services. Can anyone suggest the best framework and some references so that I can implement it?

Thanks All.
--
View this message in context: http://cxf.547215.n5.nabble.com/Role-based-Access-Control-RBAC-for-web-services-tp2805531p2805531.html
Sent from the cxf-user mailing list archive at Nabble.com.
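
The interceptor described in the reply above, sketched as an added example; it is not part of the original thread and not code from CXF or the cxf-spring-security project. The class names, the candidate role list, and the assumption that an earlier interceptor has already stored an authenticated CXF SecurityContext on the message are hypothetical.

```java
import java.util.ArrayList;
import java.util.List;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.security.SecurityContext;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

// Hypothetical class; register it (and Cleanup) on the endpoint's in-interceptor chain.
public class SpringSecurityContextInInterceptor extends AbstractPhaseInterceptor<Message> {
    private final List<String> candidateRoles; // assumption: role names are known up front

    public SpringSecurityContextInInterceptor(List<String> candidateRoles) {
        // PRE_INVOKE is the last phase before the service bean is invoked, so any
        // earlier interceptor that hands the request to another thread has already
        // run and the thread-local context is set on the thread that invokes the bean.
        super(Phase.PRE_INVOKE);
        this.candidateRoles = candidateRoles;
    }

    @Override
    public void handleMessage(Message message) throws Fault {
        SecurityContextHolder.clearContext(); // pooled threads may carry a stale identity
        SecurityContext cxf = message.get(SecurityContext.class);
        if (cxf == null || cxf.getUserPrincipal() == null) {
            return; // no Authentication set: secured methods will reject the call
        }
        List<GrantedAuthority> granted = new ArrayList<GrantedAuthority>();
        for (String role : candidateRoles) {
            if (cxf.isUserInRole(role)) {
                granted.add(new SimpleGrantedAuthority("ROLE_" + role)); // default RoleVoter prefix
            }
        }
        SecurityContextHolder.getContext().setAuthentication(
            new PreAuthenticatedAuthenticationToken(cxf.getUserPrincipal(), "N/A", granted));
    }

    @Override
    public void handleFault(Message message) {
        SecurityContextHolder.clearContext(); // a later interceptor failed: drop the identity
    }

    /** Companion interceptor: clears the thread-local once the invocation has completed. */
    public static class Cleanup extends AbstractPhaseInterceptor<Message> {
        public Cleanup() { super(Phase.POST_INVOKE); }
        @Override public void handleMessage(Message m) { SecurityContextHolder.clearContext(); }
    }
}
```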
