If you can have multiple WSDLs (more precisely, separate endpoints), one for each group of operations that you want available for a role or roles, then simple SSL can be used: http://www.jroller.com/gmazza/entry/ssl_for_web_services. For example, for an HR system where anyone can query basic statistics but only managers can do more detailed functionality, you'd have an endpoint for the basic stats attached to roles "basicuser, manager" and an endpoint for the advanced functionality attached to just users "manager".

You can probably go a step further with the UsernameToken profile (still over SSL) -- (Metro: http://www.jroller.com/gmazza/entry/metro_usernametoken_profile, CXF version: http://www.jroller.com/gmazza/entry/cxf_usernametoken_profile) here, in the same WSDL you'd have multiple wsdl:portTypes, with each one defining a set of operations allowed for a particular role, which would each have its own wsdl:binding, and from there, a separate wsdl:port configuration item under wsdl:service. As security configuration is defined for each wsdl:port, you can define different server-side password validators for each different set of operations, allowing some users in for certain calls and rejecting others.

Going to a WS-Trust model with a CXF STS is another option, but more work and perhaps overkill for your needs. My blog entry handles the authentication portion (http://www.jroller.com/gmazza/entry/cxf_sts_tutorial), but for clean ways of handling authorization based on roles I'd have to defer to others on this mailing list--you probably would have multiple options there (having the roles written in the token that the STS generates, or just the user ID info, which the web service itself will then work with to determine authorization).

HTH,
Glen
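An added illustration (not Glen's code or CXF's own) of the per-port password validator idea from the second paragraph above, written against the CXF 2.x / WSS4J 1.6 API of that era: each endpoint gets its own WSS4J UsernameToken interceptor whose callback only knows the users permitted on that endpoint. The user maps, passwords, and the "basic"/"manager" endpoint split are constructed sample values.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.cxf.endpoint.Server;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.handler.WSHandlerConstants;

/** Password callback scoped to one wsdl:port: only the users listed here can authenticate on it. */
public class RoleScopedPasswordCallback implements CallbackHandler {
    private final Map<String, String> allowedUsers; // user -> password (constructed sample data)

    public RoleScopedPasswordCallback(Map<String, String> allowedUsers) {
        this.allowedUsers = allowedUsers;
    }

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(cb);
            }
            WSPasswordCallback pc = (WSPasswordCallback) cb;
            String expected = allowedUsers.get(pc.getIdentifier());
            if (expected == null) {
                // Unknown on this endpoint: WSS4J turns the exception into an authentication fault.
                throw new IOException("user not permitted on this endpoint: " + pc.getIdentifier());
            }
            // WSS4J itself compares this value against the token's (digest) password.
            pc.setPassword(expected);
        }
    }

    /** Builds the inbound UsernameToken interceptor for one endpoint with its own user set. */
    public static WSS4JInInterceptor usernameTokenInterceptor(Map<String, String> users) {
        Map<String, Object> props = new HashMap<String, Object>();
        props.put(WSHandlerConstants.ACTION, WSHandlerConstants.USERNAME_TOKEN);
        props.put(WSHandlerConstants.PASSWORD_TYPE, "PasswordDigest"); // no plaintext passwords on the wire
        props.put(WSHandlerConstants.PW_CALLBACK_REF, new RoleScopedPasswordCallback(users));
        return new WSS4JInInterceptor(props);
    }

    /** Wires one interceptor per published Server (e.g. from JaxWsServerFactoryBean.create()). */
    public static void attach(Server basicStatsServer, Server managerServer) {
        Map<String, String> basicUsers = new HashMap<String, String>();   // roles basicuser + manager
        basicUsers.put("alice", "alice-pw"); basicUsers.put("bob", "bob-pw");
        Map<String, String> managers = new HashMap<String, String>();     // role manager only
        managers.put("bob", "bob-pw");
        basicStatsServer.getEndpoint().getInInterceptors().add(usernameTokenInterceptor(basicUsers));
        managerServer.getEndpoint().getInInterceptors().add(usernameTokenInterceptor(managers));
    }
}
```

Both endpoints should still be published over SSL, since the digest only protects the password, not the rest of the message.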

On 08/29/2012 04:38 AM, Mickael Marrache wrote:
Hi,

I'm looking for a way to implement web service authorization with CXF but I can't find anything on the CXF documentation, nor on the web. I would like to define roles, and to specify for each web method which roles are authorized... I've looked at the different WS-* support in the doc, especially WS-Security, WS-SecurityPolicy and WS-Policy, but I don't understand how these can be used for authorization.

Please provide me with some links in case it is possible.

Thanks
