Hi, I have an existing web app using Spring Security and LDAP for authentication and authorization. Now we want some web services to be secured using UsernameToken and SSL.

I also want it to reuse the existing Spring method-level security (this user's role cannot use commit(), for instance); this seems easy enough with the SecureAnnotationsInterceptor.

I've also noticed in the new CXF that the password must be supplied to be evaluated, rather than it being provided for authentication. Now I can look up the password in LDAP, but aside from it not being plaintext like the web service user, it doesn't perform a login on LDAP of course, and we'd like that history of logins and everything else LDAP provides.

There's a project called cxf-spring-security <http://code.google.com/p/cxf-spring-security/> which hasn't been touched for a long time; I don't know if it's been integrated into CXF yet or will be.

The CXF security docs [1] say you can use a custom "AbstractUsernameTokenInterceptor" and postpone the validation of the username token with "ws-security.ut.no-callbacks" and then do the custom authentication and Subject creation, but this class no longer exists, at least not in trunk nor the 2.4.4 release I'm using at the moment. I do have wss4j in the pom too.

I also see the JAASLoginInterceptor in the docs, but I'm using the LdapAuthenticationProvider and not a JAAS provider, so I don't think that's relevant yet, but correct me if I'm wrong please.

So to sum up, I can use the callback no problem, but I don't see how I'm supposed to perform login yet. And once authenticated, I need the security context populated so that Spring can do method-level security, but maybe here I'm misunderstanding and CXF is going to do this using SimpleAuthorizingInterceptor, which is populated instead from whatever Spring Security returns after authentication.

[1] http://cxf.apache.org/docs/security.html

Thanks in advance,
Taariq
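One way to get the behaviour asked for above (a real LDAP bind per request, and Spring's security context populated for method-level checks), as an added example that is not part of the original post or of CXF: a WSS4J 1.6 `Validator` plugged into CXF 2.4 via the `ws-security.ut.validator` endpoint property. The class name, the bean name and the assumption that the `AuthenticationManager` is wired with the existing `LdapAuthenticationProvider` are mine.

```java
// Added example (not from the original post): WSS4J Validator that delegates the
// UsernameToken to Spring Security. Class and bean names are assumptions.
// Register on the endpoint, e.g.:
//   <jaxws:properties>
//     <entry key="ws-security.ut.validator" value-ref="springSecurityUtValidator"/>
//   </jaxws:properties>
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.message.token.UsernameToken;
import org.apache.ws.security.validate.Credential;
import org.apache.ws.security.validate.Validator;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;

public class SpringSecurityUtValidator implements Validator {

    // Assumed to be the ProviderManager holding the existing LdapAuthenticationProvider,
    // so authenticate() performs a bind as the caller and LDAP records the login.
    private final AuthenticationManager authenticationManager;

    public SpringSecurityUtValidator(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    public Credential validate(Credential credential, RequestData data) throws WSSecurityException {
        UsernameToken ut = credential.getUsernametoken();
        // A digest token cannot be re-bound against LDAP without the cleartext secret,
        // so only PasswordText (sent over SSL, as in the post) is accepted here.
        if (ut == null || ut.getPassword() == null
                || !WSConstants.PASSWORD_TEXT.equals(ut.getPasswordType())) {
            throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
        }
        try {
            Authentication request =
                new UsernamePasswordAuthenticationToken(ut.getName(), ut.getPassword());
            Authentication result = authenticationManager.authenticate(request);
            // Thread-local context: SecureAnnotationsInterceptor / @Secured now see the
            // LDAP-granted authorities for this invocation.
            SecurityContextHolder.getContext().setAuthentication(result);
        } catch (AuthenticationException e) {
            SecurityContextHolder.clearContext();
            throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
        }
        return credential;
    }
}
```

Because the context is thread-local and CXF reuses worker threads, clear it in an out/fault interceptor after the service call so one caller's authorities never leak into the next request on that thread.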
