Hi there,

CXF 2.4 has a lot of security enhancements in supporting additional security tokens like Saml2 and BinarySecurityTokens etc.

IMHO, the service developer should not care what kind of security token has been sent by a caller to figure out who called him. JAX-WS defines the WebServiceContext to provide some basic information like the principal of the caller and whether the caller is in a specific role or not. WS-Federation and WS-Trust provide many more options, where the security token requestor can ask to put some specific claims into the issued security token - represented as an attribute statement in a SAML token. Microsoft provides a flexible and extensible framework called Windows Identity Foundation [1] which allows decoupling the application code, the authorization logic and the security tokens sent on the wire.

First, I'm not an expert in Spring Security, but it allows more fine-grained authorization functionality than isUserInRole. But it needs the claims statements made by a third party like an STS. Wouldn't it make sense to somehow set up the Spring Security context within a CXF interceptor based on the claims made in a SAML token?

A claim consists of:
- ClaimType: URI, namespace which tells you what the value of the claim means
- Issuer: who issued the claim, usually an STS
- Value: value of the claim
- ValueType: type information

I don't know whether Spring Security already has a Java bean for that. What is your take on this?

Thanks
Oli

[1] http://msdn.microsoft.com/en-us/library/ee748484.aspx
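A sketch of the interceptor the post proposes, added here as an illustration and not code from the CXF project or from the poster: it runs after WSS4JInInterceptor has already verified the token's signature, keeps only claims issued by a trusted STS, and turns the values of one claim type into Spring Security roles. Assumed: WSS4J 1.6 / OpenSAML 2 and Spring Security 3.1 class names; the issuer URL and the claim-type URI are placeholders.

```java
import java.util.ArrayList;
import java.util.List;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.handler.WSHandlerResult;
import org.apache.ws.security.saml.ext.AssertionWrapper;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Attribute;
import org.opensaml.saml2.core.AttributeStatement;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.schema.XSString;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

public class SamlClaimsInterceptor extends AbstractPhaseInterceptor<Message> {
    // Placeholder values: the STS whose claims we honour, and the claim type that carries roles.
    private static final String TRUSTED_ISSUER = "https://sts.example.org";
    private static final String ROLE_CLAIM = "http://schemas.example.org/claims/role";
    public SamlClaimsInterceptor() { super(Phase.PRE_INVOKE); } // after WSS4JInInterceptor (PRE_PROTOCOL)
    @SuppressWarnings("unchecked")
    public void handleMessage(Message msg) {
        List<WSHandlerResult> results = (List<WSHandlerResult>) msg.get(WSHandlerConstants.RECV_RESULTS);
        if (results == null) return;                        // no WS-Security processing on this message
        for (WSHandlerResult hr : results) {
            for (WSSecurityEngineResult er : hr.getResults()) {
                AssertionWrapper w = (AssertionWrapper) er.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
                if (w == null || w.getSaml2() == null) continue;   // not a SAML 2.0 token
                Assertion a = w.getSaml2();
                String issuer = a.getIssuer() == null ? null : a.getIssuer().getValue();
                if (!TRUSTED_ISSUER.equals(issuer)) continue;      // signature is verified; issuer must also be ours
                List<GrantedAuthority> auths = new ArrayList<GrantedAuthority>();
                for (AttributeStatement st : a.getAttributeStatements()) {
                    for (Attribute attr : st.getAttributes()) {
                        if (!ROLE_CLAIM.equals(attr.getName())) continue;   // ClaimType = SAML attribute name
                        for (XMLObject v : attr.getAttributeValues())       // Value = each attribute value
                            if (v instanceof XSString) auths.add(new SimpleGrantedAuthority("ROLE_" + ((XSString) v).getValue()));
                    }
                }
                String subject = a.getSubject() == null ? issuer : a.getSubject().getNameID().getValue();
                // principal = SAML subject, credentials = issuer, authorities = mapped role claims
                SecurityContextHolder.getContext().setAuthentication(new PreAuthenticatedAuthenticationToken(subject, issuer, auths));
                return;
            }
        }
    }
}
```

SecurityContextHolder is thread-local by default, so a matching out-interceptor (or a finally block around the invocation) must call SecurityContextHolder.clearContext(), otherwise the caller's roles leak to the next request served on the same thread.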
