I'm trying to wrap my head around the best way to do this in a JAX-RS
application, using CXF...
What I'm trying to do is implement an authentication scheme, but in a way
that'll let me drop in something else when the powers that be determine what
the something else should be. My thinking is that if I isolate everything in a
request handler, and let resource class methods depend on an injected
credentials object, then the only thing that needs to change to support a new
authentication scheme is the request handler itself.
I've looked at the src for CXF 2.2.10, to try to find examples of what I'm
trying to do. That hasn't gotten me very far, so my questions:
A. Is this a reasonable, generally-accepted approach? If not, what do folks
recommend?
B. How does one generally determine whether a request needs to be
authenticated? It comes down to what the user is trying to do, obviously, but
the spot where the user's intentions are known (i.e. in the resource class
method, where the work is being done) is much farther down the chain than the
request handler that needs to know whether to issue a challenge. Two ideas
come to mind:
1. If there's a way to tell what resource class method is going to be
invoked for the current request, before it's actually invoked, then annotations
on those class methods could give the request handler a hint as to whether to
require authentication.
2. Less elegantly, one could look at the HTTP method and URI and try to
figure it out from there... For example, maybe every POST is authenticated,
and so on. Again, less elegant.
C. Is a "security context" the right thing to populate, so that resource class
methods can inject and make use of the information inserted by the request
handler? For my purposes, all I really need to know is who the authenticated
user is. Regardless, generally speaking, how does one inject a value in a
request handler, so as to make use of it in a resource class method (in the
same way that Context and PathParam and the like are injected)?
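One way to wire all three parts together using the JAX-RS 2.0 filter API (a later standard than the CXF 2.2.10 request handler, but the same idea), written here as an added example rather than CXF's own code: a post-matching filter learns the target method from the injected ResourceInfo, treats a @PermitAll annotation as the opt-out, delegates to a small Authenticator interface (the single swappable piece), and publishes the result through SecurityContext so resource methods never see the scheme. The Authenticator interface, DemoTokenAuthenticator, its token table and ItemResource are all constructed for this example.

```java
import java.lang.reflect.Method;
import java.security.Principal;
import java.util.*;
import javax.annotation.security.PermitAll;
import javax.ws.rs.*;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.ResourceInfo;
import javax.ws.rs.core.*;
import javax.ws.rs.ext.Provider;

/** The only scheme-specific piece: turn an Authorization header into a Principal, or null. */
interface Authenticator { Principal authenticate(String authorizationHeader); }

/** Constructed demo scheme: opaque bearer tokens looked up in an in-memory table. */
class DemoTokenAuthenticator implements Authenticator {
    private static final Map<String, String> TOKENS = Collections.singletonMap("tok-123", "alice"); // constructed
    public Principal authenticate(String header) {
        if (header == null || !header.startsWith("Bearer ")) return null;
        String user = TOKENS.get(header.substring(7).trim());
        return user == null ? null : () -> user;   // Principal has one abstract method, getName()
    }
}

/** Post-matching filter: ResourceInfo already names the method that will run, so its annotations decide. */
@Provider
public class AuthFilter implements ContainerRequestFilter {
    @Context private ResourceInfo resourceInfo;   // filled in by the runtime after request matching
    private final Authenticator authenticator = new DemoTokenAuthenticator();   // swap this to change schemes

    public void filter(ContainerRequestContext ctx) {
        Method target = resourceInfo.getResourceMethod();
        if (target.isAnnotationPresent(PermitAll.class)) return;   // explicit opt-out; default is protected
        Principal user = authenticator.authenticate(ctx.getHeaderString(HttpHeaders.AUTHORIZATION));
        if (user == null) {   // issue the challenge here, before any resource code runs
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                    .header(HttpHeaders.WWW_AUTHENTICATE, "Bearer realm=\"api\"").build());
            return;
        }
        ctx.setSecurityContext(new SecurityContext() {   // what resource methods will see via @Context
            public Principal getUserPrincipal() { return user; }
            public boolean isUserInRole(String role) { return false; }   // no roles in this demo
            public boolean isSecure() { return ctx.getSecurityContext().isSecure(); }   // keep TLS flag
            public String getAuthenticationScheme() { return "Bearer"; }
        });
    }
}

/** Resource methods depend only on the injected SecurityContext, not on how the user was authenticated. */
@Path("/items")
class ItemResource {
    @GET @PermitAll public String list() { return "anyone can list"; }
    @POST public String create(@Context SecurityContext sc) { return "created by " + sc.getUserPrincipal().getName(); }
}
```

Because the filter is not annotated @PreMatching, the runtime has already matched the request to ItemResource.create or ItemResource.list when filter() runs, which is what makes the annotation lookup possible; a pre-matching filter would see a null ResourceInfo.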