Colm,

Thanks for the response. I'll see what I can figure out by extending the base 
abstract interceptor. I have some additional requirements, including passing 
claims (not just the role) in the XACML request. So after looking at the source 
I think there is even more for me to do. If it's of any value, I'll share what 
I do. What is there now gives me a good starting point, so thanks for that.


 - Gavin


-------------------
Gavin J. Sutcliffe


________________________________
 From: Colm O hEigeartaigh <[email protected]>
To: [email protected]; Gavin Sutcliffe <[email protected]> 
Sent: Thursday, January 3, 2013 6:44 AM
Subject: Re: doc or examples using XACML from WSDL
 

Hi Gavin,

I haven't documented the XACML stuff yet. I'm not sure if the functionality 
implemented as part of CXF-4657 meets your requirements exactly. Essentially 
what's there is to take a Principal name + roles from the runtime security 
context, and package it up in an XACML Request with an Action + Resource to a 
PDP for an authorization decision. This functionality is provided by an 
interceptor which is abstract, as there is no standard PDP interface. Therefore 
you need to subclass the interceptor to actually make the invocation to a PDP, 
which can be a JAX-WS/JAX-RS/etc service.

Colm.


On Sun, Dec 30, 2012 at 2:13 PM, Gavin Sutcliffe <[email protected]> 
wrote:

>Hello,
>
>I have an existing web service
>that has some simple security policy defined in the WSDL, where it
>expects a number of claims to come through from LDAP. That's all working fine, 
>but I'd like to pass those claims to a XACML PDP and not try to make the 
>decision there in the WSDL.
>
>I see some pieces of support for requests to a XACML PDP from a CXF web 
>service (CXF-4657) and I have looked at some of the source in systests and in 
>the org.apache.cxf.rt.security.xacml package. So I have a general 
>understanding of what is there, and the systests show how the messages flow. 
>What I'm missing is how to tie all this into a web service through WSDL and/or 
>config xml files. Is there any doc or example of that? Can I do the XACML 
>request initiation and decision consumption from within the WSDL? Or do I need 
>custom interceptors?
>
>
>Thanks,
>
>- Gavin
>
> 
>-------------------
>Gavin J. Sutcliffe


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
