One thing you could try looking at is the new samples/jax_rs/spring_security 
sample that is part of 2.3.0. (being voted on now)   It uses the spring 
security annotations and such to control access to the various parts of the 
implementation.   Might be a good starting point for you.

Dan


On Thursday 30 September 2010 3:21:50 pm John Klassa wrote:
> I'm trying to wrap my head around the best way to do this in a jax-rs
> application, using CXF...
> 
> What I'm trying to do is implement an authentication scheme, but in a way
> that'll let me drop in something else when the powers that be determine
> what the something else should be.  My thinking is that if I isolate
> everything in a request handler, and let resource class methods depend on
> an injected credentials object, then the only thing that needs to change
> to support a new authentication scheme is the request handler itself.
> 
> I've looked at the src for CXF 2.2.10, to try to find examples of what I'm
> trying to do.  That hasn't gotten me very far, so my questions:
> 
> A. Is this a reasonable, generally-accepted approach?  If not, what do
> folks recommend?
> 
> B. How does one generally determine whether a request needs to be
> authenticated?  It comes down to what the user is trying to do, obviously,
> but the spot where the user's intentions are known (i.e. in the resource
> class method, where the work is being done) is much farther down the chain
> than the request handler that needs to know whether to issue a challenge. 
> Two ideas come to mind:
> 
>       1. If there's a way to tell what resource class method is going to be
> invoked for the current request, before it's actually invoked, then
> annotations on those class methods could give the request handler a hint
> as to whether to require authentication.
> 
>       2. Less elegantly, one could look at the HTTP method and URI and try to
> figure it out from there...  For example, maybe every POST is
> authenticated, and so on.  Again, less elegant.
> 
> C. Is a "security context" the right thing to populate, so that resource
> class methods can inject and make use of the information inserted by the
> request handler?  For my purposes, all I really need to know is who the
> authenticated user is.  Regardless, generally speaking, how does one
> inject a value in a request handler, so as to make use of it in a resource
> class method (in the same way that Context and PathParam and the like are
> injected)?

-- 
Daniel Kulp
[email protected]
http://dankulp.com/blog
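An added example (not from the thread, and not the CXF samples/jax_rs/spring_security sample Dan points to) of the shape John describes: a single CXF 2.x `RequestHandler` that owns the authentication scheme (question A), decides whether a request needs authentication from an annotation on the resource method CXF has already selected (question B, idea 1), and publishes the caller as a `SecurityContext` that resource methods pull in with `@Context` (question C). The `RequestHandler`, `OperationResourceInfo`, `Message` and `org.apache.cxf.security.SecurityContext` types are the real CXF 2.x API; `@RequiresAuth`, `BasicAuthHandler`, `OrdersResource` and the credential check are this example's own inventions.

```java
// Added example, not code from the thread or from CXF itself.
// Hypothetical names: RequiresAuth, BasicAuthHandler, OrdersResource, checkPassword.
package example.auth;

import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;
import java.security.Principal;
import java.util.List;
import java.util.Map;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import org.apache.cxf.common.util.Base64Utility;
import org.apache.cxf.jaxrs.ext.RequestHandler;
import org.apache.cxf.jaxrs.model.ClassResourceInfo;
import org.apache.cxf.jaxrs.model.OperationResourceInfo;
import org.apache.cxf.message.Message;
import org.apache.cxf.security.SecurityContext;

/** Hypothetical marker: resource methods carrying it require an authenticated caller. */
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.METHOD)
@interface RequiresAuth { }

/** The one class that changes when the scheme changes (question A): here, HTTP Basic. */
public class BasicAuthHandler implements RequestHandler {

    public Response handleRequest(Message m, ClassResourceInfo resourceClass) {
        // Question B.1: CXF 2.x selects the target method before request handlers
        // run, so the OperationResourceInfo is already on the exchange (assumption
        // about handler ordering; verified against the CXF version in use).
        OperationResourceInfo ori = m.getExchange().get(OperationResourceInfo.class);
        Method target = ori == null ? null : ori.getMethodToInvoke();
        if (target == null || target.getAnnotation(RequiresAuth.class) == null) {
            return null;                          // null = let the request proceed
        }

        String[] creds = parseBasicCredentials(m);
        if (creds == null || !checkPassword(creds[0], creds[1])) {
            // A non-null Response short-circuits the chain: issue the challenge here.
            return Response.status(401)
                .header("WWW-Authenticate", "Basic realm=\"example\"").build();
        }

        // Question C: put the caller on the message; CXF exposes it as the
        // javax.ws.rs.core.SecurityContext that @Context injects into resources.
        final String user = creds[0];
        m.put(SecurityContext.class, new SecurityContext() {
            public Principal getUserPrincipal() {
                return new Principal() { public String getName() { return user; } };
            }
            public boolean isUserInRole(String role) {
                return "user".equals(role);       // constructed: one flat role
            }
        });
        return null;
    }

    /** Returns {user, password} from "Authorization: Basic ...", or null if absent/malformed. */
    @SuppressWarnings("unchecked")
    static String[] parseBasicCredentials(Message m) {
        Map<String, List<String>> headers = (Map<String, List<String>>) m.get(Message.PROTOCOL_HEADERS);
        List<String> auth = headers == null ? null : headers.get("Authorization");
        if (auth == null || auth.isEmpty() || !auth.get(0).startsWith("Basic ")) {
            return null;
        }
        try {
            String decoded = new String(Base64Utility.decode(auth.get(0).substring(6)), "UTF-8");
            int colon = decoded.indexOf(':');
            if (colon < 0) { return null; }
            return new String[] {decoded.substring(0, colon), decoded.substring(colon + 1)};
        } catch (Exception e) {                   // bad base64 or encoding: treat as no credentials
            return null;
        }
    }

    /** Hypothetical credential store; a real one compares a salted hash, not a literal. */
    static boolean checkPassword(String user, String password) {
        return "alice".equals(user) && "constructed-secret".equals(password);
    }
}

/** Hypothetical resource: only the annotated method ever triggers a challenge. */
@Path("/orders")
class OrdersResource {
    @Context
    private javax.ws.rs.core.SecurityContext sc;  // backed by the handler's SecurityContext

    @GET
    public String list() { return "public listing"; }

    @POST
    @RequiresAuth
    public String create() { return "created by " + sc.getUserPrincipal().getName(); }
}
```

The handler is registered like any other CXF JAX-RS provider (a `<jaxrs:providers>` entry on the endpoint, or `setProviders(...)` on `JAXRSServerFactoryBean`). Swapping Basic for another scheme means replacing `parseBasicCredentials` and the challenge header inside `BasicAuthHandler`; the `@RequiresAuth` decision and the `@Context SecurityContext` injection in the resource classes stay as they are, which is the isolation John is after.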
