On 17/09/13 09:50, Faz wrote:
I would like to have a webservice designed using Apache CXF incorporating the authorization (method-level) with Java (along with database). Say for instance, an implementation class A has two methods getData and addData. I would like to allow one set of roles to access getData and other to access the addData method. What I need there is, one user passes the userid/service id from Client, the webservice authenticates the user and then when the method is invoked, based on the roles allowed the method should be either accessible or not. I would like to get these roles details from the database based on the logged-in-user. Can JAAS be used in this context? However I need the details for the roles from DB alone as there may be many 100s of methods and having the @RolesAllowed specified in each method becomes cumbersome and unmanageable. Have googled through all the relevant topics, haven't found any good solution for this. Please suggest me something on this.
CXF JAASLoginInterceptor can handle the authentication and the SecurityContext population. SimpleAuthorizingInterceptor can manage the roles configuration; it has methodRolesMap & globalRoles properties. If a given method has no roles attached, then globalRoles will be used.
http://cxf.apache.org/docs/security.html#Security-JAASLoginInterceptor
http://cxf.apache.org/docs/security.html#Security-Authorization

HTH
Sergey

--
View this message in context: http://cxf.547215.n5.nabble.com/SOAP-Webservices-Authorization-with-Java-using-Apache-CXF-tp5734142.html
Sent from the cxf-user mailing list archive at Nabble.com.
