Forgot to mention that in the case of a JAX-WS endpoint there's no need to register out fault interceptors as shown in the linked beans.xml - it is only needed if JAX-RS does use interceptors (as opposed to CXF JAX-RS filters wrapping them) and thus wants to enforce specific HTTP response codes, ex, 403, etc.
Sergey

On Wed, Dec 8, 2010 at 11:20 AM, Sergey Beryozkin <[email protected]> wrote:

> Hi
>
> I've added a system test yesterday showing the combination of the
> container-managed authentication (only) and CXF security interceptors
> enforcing the RBAC authorization rules. It's a JAX-RS system test - but it
> works equally well for both JAX-WS and JAX-RS endpoints.
>
> See
>
> http://svn.apache.org/repos/asf/cxf/trunk/systests/jaxrs/src/test/resources/jaxrs_simple_security/WEB-INF/beans.xml
>
> Note that in the case of service beans relying on the annotations such as
> @RolesAllowed, it is just a matter of injecting a bean reference into the
> instance of SecureAnnotationsInterceptor; this interceptor will build the
> map of methods to roles and will enforce the authorization rules.
> SimpleAuthorizingInterceptor is initialized with the map of method to roles
> directly - more advanced cases can be dealt with by extending
> AbstractAuthorizingInterceptor and overriding the method returning a list of
> roles for a given method.
>
> This approach does not try to 'compete' with Spring Security - but it
> offers an alternative option for users which for example use a
> container-managed authentication, or when it is not easy or possible to do
> the authorization with the help of Spring Security for whatever reasons.
>
> cheers, Sergey
>
> On Mon, Sep 13, 2010 at 1:32 PM, Sergey Beryozkin <[email protected]> wrote:
>
>> Hi
>>
>> I'd like to add that there's also another option which can work if the
>> SecurityContext has already been initialized, specifically, CXF now ships
>> an org.apache.cxf.interceptor.security.SimpleAuthorizingInterceptor
>> which can be initialized with a Map of method names to allowed roles
>> pairs, ex
>>
>> "doIt" : "user admin"
>> "readIt" : "*"
>>
>> where "*" means 'permit all', which is equivalent to omitting a 'readIt'
>> pair. Deny(All) can easily be supported by overriding getDenyRoles().
>>
>> I was planning to add a SimpleAuthorizingInterceptor subclass which would
>> check the annotations such as @RolesAllowed on specified classes, will try
>> to do it when I get a chance.
>>
>> Just one more option to be aware of
>>
>> cheers, Sergey
>>
>> On Tue, Sep 7, 2010 at 5:37 PM, David Valeri <[email protected]> wrote:
>>
>>> If you are doing JAX-WS annotation [1], JAX-RS annotation [2], or POJO based
>>> services, it is fairly simple to wrap your implementation bean with Spring
>>> Security's method level security stuff [3]. That will give you operation
>>> level RBAC. You can also do more fine grained RBAC in your business logic
>>> if you need to.
>>>
>>> For SOAP based services, the only gotcha here is that the CXF interceptor
>>> (you will build this) that sets up the Spring Security SecurityContext needs
>>> to be done after the MAPAggregator and/or OneWayProcessorInterceptor as
>>> these two interceptors can move processing of the request to another thread
>>> which will affect the way Spring Security works [4].
>>>
>>> I can't vouch for the maturity of [1] or [2], but I have gotten this
>>> approach to work in the past so it is very possible even if it turns out
>>> that there isn't much available in the community.
>>>
>>> [1] http://code.google.com/p/cxf-spring-security/
>>> [2] http://cxf.547215.n5.nabble.com/Spring-Security-annotations-in-CXF-td561615.html
>>> [3] http://static.springsource.org/spring-security/site/ &
>>> http://static.springsource.org/spring-security/site/docs/3.1.x/reference/ns-config.html#ns-method-security
>>> [4] http://static.springsource.org/spring-security/site/docs/3.1.x/reference/technical-overview.html#d0e1605
>>>
>>> David Valeri
>>> ---------------------------
>>> http://davidvaleri.wordpress.com/
>>> http://twitter.com/DavidValeri
>>>
>>> -----Original Message-----
>>> From: devkatiyar [mailto:[email protected]]
>>> Sent: Monday, September 06, 2010 8:33 PM
>>> To: [email protected]
>>> Subject: Role based Access Control (RBAC) for web services
>>>
>>> Hi,
>>> I have to develop role based access control for securing my web services.
>>> Can anyone suggest me the best framework and some reference so that I can
>>> implement it?
>>>
>>> Thanks All.
>>> --
>>> View this message in context:
>>> http://cxf.547215.n5.nabble.com/Role-based-Access-Control-RBAC-for-web-services-tp2805531p2805531.html
>>> Sent from the cxf-user mailing list archive at Nabble.com.
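The method-to-roles rules discussed in the quoted messages (the "doIt" : "user admin" / "readIt" : "*" map, "*" as permit-all, and a deny hook), worked through as an added stand-alone example. This is not CXF project code: it borrows only the hook names of CXF's AbstractAuthorizingInterceptor (getExpectedRoles / getDenyRoles) and replaces CXF's SecurityContext with a tiny Caller interface so it compiles and runs with plain Java and no CXF jars. The configurable deny map, the "deny checked first" order and the rule that a caller without a principal is always refused are this example's own assumptions, not a description of how CXF itself decides.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

/**
 * Added example (not CXF code): operation-level RBAC driven by a
 * method-name -> space-separated-roles map, as in the thread.
 */
public class MethodRolesAuthorizer {

    /** Stand-in for the container-initialized security context (example's own type). */
    public interface Caller {
        String getName();                  // null when no principal was established
        boolean isUserInRole(String role);
    }

    private static final String ALL_ROLES = "*";
    private final Map<String, List<String>> methodRoles = new HashMap<>();
    private final Map<String, List<String>> methodDenyRoles = new HashMap<>();

    /** Same shape as the thread's map: "doIt" -> "user admin". */
    public void setMethodRolesMap(Map<String, String> rules) {
        methodRoles.clear();
        for (Map.Entry<String, String> e : rules.entrySet()) {
            methodRoles.put(e.getKey(), splitRoles(e.getValue()));
        }
    }

    /** Roles refused for a method regardless of the allow rule (this example's addition). */
    public void setMethodDenyRolesMap(Map<String, String> rules) {
        methodDenyRoles.clear();
        for (Map.Entry<String, String> e : rules.entrySet()) {
            methodDenyRoles.put(e.getKey(), splitRoles(e.getValue()));
        }
    }

    private static List<String> splitRoles(String roles) {
        return new ArrayList<>(Arrays.asList(roles.trim().split("\\s+")));
    }

    protected List<String> getExpectedRoles(String method) {
        return methodRoles.getOrDefault(method, Collections.<String>emptyList());
    }

    protected List<String> getDenyRoles(String method) {
        return methodDenyRoles.getOrDefault(method, Collections.<String>emptyList());
    }

    /**
     * Decision order (example's choice): no principal -> refuse; any deny role held
     * -> refuse; no rule or "*" -> permit (an omitted pair behaves like "*", as the
     * thread says); otherwise permit only if at least one listed role is held.
     */
    public boolean authorize(Caller caller, String method) {
        if (caller == null || caller.getName() == null) {
            return false;
        }
        for (String role : getDenyRoles(method)) {
            if (caller.isUserInRole(role)) {
                return false;
            }
        }
        List<String> expected = getExpectedRoles(method);
        if (expected.isEmpty() || (expected.size() == 1 && ALL_ROLES.equals(expected.get(0)))) {
            return true;
        }
        for (String role : expected) {
            if (caller.isUserInRole(role)) {
                return true;
            }
        }
        return false;
    }

    /** Constructed caller for the demo below. */
    static Caller caller(final String name, String... roles) {
        final Set<String> held = new HashSet<>(Arrays.asList(roles));
        return new Caller() {
            public String getName() { return name; }
            public boolean isUserInRole(String role) { return held.contains(role); }
        };
    }

    private static void check(boolean ok, String what) {
        if (!ok) throw new AssertionError(what);
        System.out.println("ok: " + what);
    }

    public static void main(String[] args) {
        MethodRolesAuthorizer auth = new MethodRolesAuthorizer();
        Map<String, String> allow = new HashMap<>();
        allow.put("doIt", "user admin");   // rule from the thread
        allow.put("readIt", "*");          // permit all
        auth.setMethodRolesMap(allow);
        Map<String, String> deny = new HashMap<>();
        deny.put("readIt", "suspended");   // constructed deny rule
        auth.setMethodDenyRolesMap(deny);

        check(auth.authorize(caller("alice", "admin"), "doIt"), "admin may doIt");
        check(!auth.authorize(caller("bob", "guest"), "doIt"), "guest may not doIt");
        check(auth.authorize(caller("bob", "guest"), "readIt"), "any authenticated caller may readIt");
        check(auth.authorize(caller("bob", "guest"), "listIt"), "unlisted method behaves like \"*\"");
        check(!auth.authorize(caller("carol", "user", "suspended"), "readIt"), "deny role wins");
        check(!auth.authorize(caller(null), "readIt"), "caller without a principal is refused");
    }
}
```

Run it with `javac MethodRolesAuthorizer.java && java MethodRolesAuthorizer`. In a real CXF deployment the same allow map would be handed to SimpleAuthorizingInterceptor registered as an in-interceptor of the endpoint, with the container (not this code) establishing the principal first; the point of the model is that the interceptor only ever consults roles the container has already attached, so the deny-before-allow ordering and the refusal of unauthenticated callers are the two places where a mistake would silently widen access.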
