Hi

I've added a system test yesterday showing the combination of the
container-managed authentication (only) and CXF security interceptors
enforcing the RBAC authorization rules. It's a JAX-RS system test - but it
works equally well for both JAX-WS and JAX-RS endpoints.

See

http://svn.apache.org/repos/asf/cxf/trunk/systests/jaxrs/src/test/resources/jaxrs_simple_security/WEB-INF/beans.xml

Note that in case of service beans relying on the annotations such as
@RolesAllowed, it is just a matter of injecting a bean reference into the
instance of SecureAnnotationsInterceptor, this interceptor will build the
map of methods to roles and will enforce the authorization rules.
SimpleAuthorizingInterceptor is initialized with the map of method to roles
directly - more advanced cases can be dealt with by extending
AbstractAuthorizingInterceptor and overriding the method returning a list of
roles for a given method.

This approach does not try to 'compete' with Spring Security - but it offers
an alternative option for users which for example use a container-managed
authentication, or when it is not easy or possible to do the authorization
with the help of SpringSecurity for whatever reasons.

cheers, Sergey

On Mon, Sep 13, 2010 at 1:32 PM, Sergey Beryozkin <[email protected]> wrote:

> Hi
>
> I'd like to add that there's also another option which can work if the
> SecurityContext has already been
> initialized, specifically, CXF now ships
> an org.apache.cxf.interceptor.security.SimpleAuthorizingInterceptor
> which can be initialized with a Map of method names to allowed roles pairs,
> ex
>
> "doIt" : "user admin"
> "readIt" : "*"
>
> where "*" means 'permit all', which is equivalent to omitting a 'readIt'
> pair. Deny(All) can easily be supported by overriding getDenyRoles().
>
> I was planning to add a SimpleAuthorizingInterceptor subclass which would
> check the annotations such as @RolesAllowed on specified classes, will try
> to do it when I get a chance.
>
> Just one more option to be aware of
>
> cheers, Sergey
>
>
> On Tue, Sep 7, 2010 at 5:37 PM, David Valeri <[email protected]> wrote:
>
>> If you are doing JAX-WS annotation [1], JAX-RS annotation [2], or POJO
>> based services, it is fairly simple to wrap your implementation bean with
>> Spring Security's method level security stuff [3].  That will give you
>> operation level RBAC.  You can also do more fine grained RBAC in your
>> business logic if you need to.
>>
>> For SOAP based services, the only gotcha here is that the CXF interceptor
>> (you will build this) that sets up the Spring Security SecurityContext
>> needs to be done after the MAPAggregator and/or OneWayProcessorInterceptor
>> as these two interceptors can move processing of the request to another
>> thread which will affect the way Spring Security works [4].
>>
>> I can't vouch for the maturity of [1] or [2], but I have gotten this
>> approach to work in the past so it is very possible even if it turns out
>> that there isn't much available in the community.
>>
>> [1] http://code.google.com/p/cxf-spring-security/
>> [2] http://cxf.547215.n5.nabble.com/Spring-Security-annotations-in-CXF-td561615.html
>> [3] http://static.springsource.org/spring-security/site/ &
>> http://static.springsource.org/spring-security/site/docs/3.1.x/reference/ns-config.html#ns-method-security
>> [4] http://static.springsource.org/spring-security/site/docs/3.1.x/reference/technical-overview.html#d0e1605
>>
>>
>> David Valeri
>> ---------------------------
>> http://davidvaleri.wordpress.com/
>> http://twitter.com/DavidValeri
>>
>>
>> -----Original Message-----
>> From: devkatiyar [mailto:[email protected]]
>> Sent: Monday, September 06, 2010 8:33 PM
>> To: [email protected]
>> Subject: Role based Access Control (RBAC) for web services
>>
>>
>> Hi,
>> I have to develop role-based access control for securing my web
>> services. Can anyone suggest me the best framework and some reference so
>> that I can implement it?
>>
>>
>> Thanks All.
>> --
>> View this message in context:
>> http://cxf.547215.n5.nabble.com/Role-based-Access-Control-RBAC-for-web-services-tp2805531p2805531.html
>> Sent from the cxf-user mailing list archive at Nabble.com.
>>
>>
>
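As an added illustration of the extension point Sergey mentions (extending AbstractAuthorizingInterceptor and overriding the method that returns the roles for a given method), here is an example interceptor that keys its rules on the declaring class plus the method name rather than on the method name alone, so same-named methods in different service classes can carry different rules. This is example code written for this page, not code from CXF or from the thread; the class and property names are made up here, and the name of the overridden method (getExpectedRoles) is assumed from the description above.

```java
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.apache.cxf.interceptor.security.AbstractAuthorizingInterceptor;

/**
 * Example (not part of CXF): authorizes on "fully.qualified.Class.method"
 * instead of the bare method name used by the method-name-to-roles map
 * described in the thread. Configure it from Spring like:
 *   <entry key="com.example.BookService.doIt"   value="user admin"/>
 *   <entry key="com.example.BookService.readIt" value="*"/>
 * "*" keeps the thread's meaning of 'permit all'. Names are hypothetical.
 */
public class QualifiedMethodAuthorizingInterceptor extends AbstractAuthorizingInterceptor {

    // qualified method name -> roles allowed to invoke it
    private final Map<String, List<String>> rolesByQualifiedMethod =
        new HashMap<String, List<String>>();

    // Spring-friendly setter; values are space-separated role names.
    public void setQualifiedMethodRolesMap(Map<String, String> map) {
        rolesByQualifiedMethod.clear();
        for (Map.Entry<String, String> e : map.entrySet()) {
            List<String> roles = new ArrayList<String>();
            for (String role : e.getValue().trim().split("\\s+")) {
                if (role.length() > 0) {
                    roles.add(role);
                }
            }
            rolesByQualifiedMethod.put(e.getKey(), Collections.unmodifiableList(roles));
        }
    }

    // Declaring class as CXF reports the target method (for JAX-WS this can be
    // the service interface rather than the implementation class).
    static String qualifiedName(Method method) {
        return method.getDeclaringClass().getName() + "." + method.getName();
    }

    // The extension point: roles expected for the invoked method. Returning an
    // empty list means no rule is configured for it, which the thread equates
    // with 'permit all', so list every method you want to restrict.
    @Override
    protected List<String> getExpectedRoles(Method method) {
        List<String> roles = rolesByQualifiedMethod.get(qualifiedName(method));
        return roles == null ? Collections.<String>emptyList() : roles;
    }
}
```

Like SimpleAuthorizingInterceptor, this relies on the SecurityContext having already been populated (for example by container-managed authentication) before the interceptor runs.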
