Hi,

My comment inline

-------------
Freeman(Yue) Fang

Red Hat, Inc.
FuseSource is now part of Red Hat
Web: http://fusesource.com | http://www.redhat.com/
Twitter: freemanfang
Blog: http://freemanfang.blogspot.com
http://blog.sina.com.cn/u/1473905042
weibo: @Freeman小屋

On 2013-2-25, at 5:01 PM, Jose María Zaragoza wrote:

> Hi:
>
> I'm a newbie using the CXF framework and I'd like to make the best choice
> about security matters (authorization/authentication).
> Maybe more expert users can help me.
>
>
> I need to develop JAX-WS (SOAP/HTTP) and JAX-RS (XML/JSON/HTTP)
> services and I need to get the client ID who is calling that web
> service for loading custom config files by client profile/role.
> Sometimes it will be the same implementation but a different protocol
> binding (I think the CXF framework allows this feature).
>
>
> 1)
>
> I would like to use a standard authentication/authorization model.
> I've seen WS-Security but I think that it only works with SOAP
> messages, am I wrong? Could it be used with REST clients/services?

Yes, the UsernameToken ws-security stuff is based on SOAP message so it won't work with REST typically.

>
>
> 2)
>
> Other choice is to use HTTP Authentication. For example, I could use
> the Realm mechanism implemented by Tomcat to authenticate users.
> That is supported by SOAP/HTTP and REST/JSON/HTTP clients.
>
> Could I retrieve the client ID (Principal) from WebServiceContext with
> HTTP Authentication?
> Do I need to get the HTTPRequest to get the client ID?

Yeah, you can use HTTP basic auth both for SOAP and REST service.
You can simply use org.apache.cxf.interceptor.security.JAASLoginInterceptor, which can retrieve username/password from Http Basic auth and create SecurityContext accordingly and delegate to your container jaas (tomcat, karaf, etc).

>
>
> 3)
>
> As I told you, I want to load custom config files by client
> profile/role calling a service.
> Could I implement this with an interceptor, and this interceptor
> updates the 'service call' with custom values?
> What is the best way to face this issue?

yeah, an interceptor usually is the way to go

> I want to perform something like Filters (Servlet) and update the request
> context with custom info by client/user/role.
>
>
> Thanks
> Best regards
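The pattern described in this thread, as an added example that is not part of the original mail or of the CXF project: JAASLoginInterceptor authenticates the HTTP Basic credentials and puts a SecurityContext on the message; a second in-interceptor ordered after it reads the Principal and roles from that SecurityContext and attaches a per-role config object to the message, which the service implementation (JAX-WS here, the same works for JAX-RS) reads via PhaseInterceptorChain.getCurrentMessage(). The JAAS context name "myRealm", the ClientConfig class, the "client.config" key and the in-memory config table are assumptions standing in for the poster's config files.

```java
import java.security.Principal;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.annotation.Resource;
import javax.jws.WebService;
import javax.xml.ws.WebServiceContext;

import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.interceptor.security.JAASLoginInterceptor;
import org.apache.cxf.jaxws.JaxWsServerFactoryBean;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.phase.PhaseInterceptorChain;
import org.apache.cxf.security.SecurityContext;

/** Runs after JAASLoginInterceptor and attaches a role-specific config to the request. */
public final class ClientConfigInterceptor extends AbstractPhaseInterceptor<Message> {
    public static final String CLIENT_CONFIG_KEY = "client.config"; // assumed key name

    /** Per-client settings; a real deployment would load these from the config files. */
    public static final class ClientConfig {
        public final String role;
        public final int maxResults;
        ClientConfig(String role, int maxResults) { this.role = role; this.maxResults = maxResults; }
    }

    // Constructed sample table (role -> config), standing in for the custom config files.
    private static final Map<String, ClientConfig> CONFIG_BY_ROLE = new ConcurrentHashMap<>();
    static {
        CONFIG_BY_ROLE.put("admin", new ClientConfig("admin", 1000));
        CONFIG_BY_ROLE.put("user", new ClientConfig("user", 50));
    }

    public ClientConfigInterceptor() {
        // Same phase as JAASLoginInterceptor, explicitly ordered after it so the
        // SecurityContext it creates is already on the message.
        super(Phase.UNMARSHAL);
        addAfter(JAASLoginInterceptor.class.getName());
    }

    @Override
    public void handleMessage(Message message) throws Fault {
        SecurityContext sc = message.get(SecurityContext.class);
        Principal user = (sc == null) ? null : sc.getUserPrincipal();
        if (user == null) {
            // JAASLoginInterceptor normally rejects unauthenticated requests before this
            // point; fail closed here rather than silently fall back to a default profile.
            throw new Fault(new SecurityException("no authenticated principal on message"));
        }
        // Role decision comes from the container's JAAS roles, not from anything the client sent.
        ClientConfig cfg = sc.isUserInRole("admin") ? CONFIG_BY_ROLE.get("admin")
                                                    : CONFIG_BY_ROLE.get("user");
        message.put(CLIENT_CONFIG_KEY, cfg);
    }

    /** Convenience for service code: the config attached to the request being processed. */
    public static ClientConfig current() {
        Message m = PhaseInterceptorChain.getCurrentMessage();
        return (m == null) ? null : (ClientConfig) m.get(CLIENT_CONFIG_KEY);
    }

    /** Wires both interceptors into a JAX-WS endpoint (assumed service bean and address). */
    public static void publish(Object serviceBean, String address) {
        JAASLoginInterceptor jaas = new JAASLoginInterceptor();
        jaas.setContextName("myRealm"); // assumed JAAS login context configured in the container
        JaxWsServerFactoryBean factory = new JaxWsServerFactoryBean();
        factory.setServiceBean(serviceBean);
        factory.setAddress(address);
        factory.getInInterceptors().add(jaas);
        factory.getInInterceptors().add(new ClientConfigInterceptor());
        factory.create();
    }

    /** Example JAX-WS implementation reading the Principal and the attached config. */
    @WebService
    public static class GreeterImpl {
        @Resource
        private WebServiceContext wsContext;

        public String greet() {
            Principal p = wsContext.getUserPrincipal(); // backed by the CXF SecurityContext
            ClientConfig cfg = ClientConfigInterceptor.current();
            return "hello " + p.getName() + ", maxResults=" + cfg.maxResults;
        }
    }
}
```

Because the config is chosen from roles established by the JAAS login rather than from request content, a client cannot pick a more privileged profile by changing what it sends; the only input it controls is the Basic credentials, which the container validates. For a JAX-RS resource the same ClientConfigInterceptor.current() call works, and the Principal is available through an injected javax.ws.rs.core.SecurityContext.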
