Hi Andrei,

Thanks for your helpful answer.

I'm trying to use the Interceptors provided by CXF but I get the following issue:

In the WSS4JInInterceptor, when the method doResults is called to construct the security result, at line 482, the condition o.get(WSSecurityEngineResult.TAG_SAML_ASSERTION) != null is false for me, so the createSecurityContext method is called without the roles (which causes createSecurityContext to be called with null roles).

So, when sc.isUserInRole(role) is called in AbstractAuthorizingInterceptor at line 100, it always returns false, so the call to isUserInRole(sc, expectedRoles, false) in AbstractAuthorizingInterceptor at line 84 also returns false, and the client is then never authorized.

I know that I'm missing something here related to the TAG_SAML_ASSERTION. Maybe the caller has to provide its role inside the SOAP message? If yes, I don't understand why; the caller should only know its identity. The roles are more for the server side, which checks whether the caller's identity is associated with an expected role.

Thanks,
Mickael

-----Original Message-----
From: Andrei Shakirin [mailto:[email protected]]
Sent: Wednesday, August 29, 2012 4:36 PM
To: [email protected]
Subject: RE: Authorization with CXF and WSS4J?

Hi Mickael,

You can use CXF AbstractAuthorizingInInterceptor and SimpleAuthorizingInInterceptor as a basis:

http://svn.apache.org/viewvc/cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/AbstractAuthorizingInInterceptor.java
http://svn.apache.org/viewvc/cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/SimpleAuthorizingInterceptor.java

The idea is the following: SimpleAuthorizingInInterceptor is configured with a methods-roles map. The interceptor validates whether the user in the given role has permission to access the method.

There is a sample configuration in http://svn.apache.org/viewvc/cxf/trunk/systests/jaxrs/src/test/resources/jaxrs_jaas_security/WEB-INF/beans.xml

It can be a good starting point for your task.

Regards,
Andrei.
-----Original Message-----
From: Mickael Marrache [mailto:[email protected]]
Sent: Wednesday, 29 August 2012 10:39
To: [email protected]
Subject: Authorization with CXF and WSS4J?

Hi,

I'm looking for a way to implement web service authorization with CXF but I can't find anything in the CXF documentation, nor on the web.

I would like to define roles, and to specify for each web method which roles are authorized...

I've looked at the different WS-* support in the doc, especially WS-Security, WS-SecurityPolicy and WS-Policy but I don't understand how these can be used for authorization.

Please provide me with some links if it is possible.

Thanks
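
An added example, not part of the thread and not CXF's own code: one way to supply roles on the server side when the security context created by WSS4JInInterceptor carries none, so that the authorizing interceptor discussed above has roles to check. The class name RoleMappingInInterceptor and the in-memory user-to-roles table are hypothetical; the example assumes WSS4JInInterceptor has already authenticated the caller and stored a SecurityContext on the message.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.Map;
import java.util.Set;

import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.interceptor.security.AccessDeniedException;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.security.SecurityContext;

/** Hypothetical interceptor: swaps a role-less SecurityContext for one backed by a server-side table. */
public class RoleMappingInInterceptor extends AbstractPhaseInterceptor<Message> {

    // Assumption: user name -> roles, loaded by the server (e.g. from a directory or database).
    private final Map<String, Set<String>> rolesByUser;

    public RoleMappingInInterceptor(Map<String, Set<String>> rolesByUser) {
        // USER_LOGICAL runs after PRE_PROTOCOL (where WSS4JInInterceptor runs)
        // and before PRE_INVOKE (where the authorizing interceptor runs).
        super(Phase.USER_LOGICAL);
        this.rolesByUser = rolesByUser;
    }

    @Override
    public void handleMessage(Message message) throws Fault {
        SecurityContext current = message.get(SecurityContext.class);
        if (current == null || current.getUserPrincipal() == null) {
            // Fail closed: no authenticated identity means no role lookup.
            throw new AccessDeniedException("Unauthenticated request");
        }
        final Principal principal = current.getUserPrincipal();
        Set<String> found = rolesByUser.get(principal.getName());
        // Unknown users get an empty role set, so every role check is denied.
        final Set<String> roles = (found != null) ? found : Collections.<String>emptySet();

        // Keep the authenticated identity; answer role checks from the server-side table.
        message.put(SecurityContext.class, new SecurityContext() {
            @Override
            public Principal getUserPrincipal() {
                return principal;
            }

            @Override
            public boolean isUserInRole(String role) {
                return roles.contains(role);
            }
        });
    }
}
```

Register it in the endpoint's in-interceptor list together with WSS4JInInterceptor and a SimpleAuthorizingInterceptor whose methodRolesMap names the roles required per method.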
