Hi,

Like Sergei already answered (http://cxf.547215.n5.nabble.com/Fwd-Re-utilizing-tomcat-authentication-for-webservices-tc5742379.html), there are two different authentication approaches for SOAP web services:

1. Protocol based (HTTP Basic, Digest, Client-cert)
2. SOAP WS-Security based (UsernameToken, SAML, etc.)

Whether to use (1) or (2) depends on your use case and requirements.

(1) is lightweight and protocol specific. Credentials are transferred using HTTP headers (normally "Authorization"). (1) is documented in CXF here:
https://cxf.apache.org/docs/client-http-transport-including-ssl-support.html

(2) is protocol independent and more involved. Credentials and tokens are sent in SOAP headers. (2) can be easily combined with message level security features like message signature and encryption and is normally controlled by WS-SecurityPolicy. You can find more information regarding (2) here:
https://cxf.apache.org/docs/ws-security.html
http://cxf.apache.org/docs/ws-securitypolicy.html

For samples, I recommend looking at Glen Mazza's tutorials:
http://www.jroller.com/gmazza/entry/cxf_usernametoken_profile
http://www.jroller.com/gmazza/entry/cxf_x509_profile

Regards,
Andrei.

> -----Original Message-----
> From: michaelh [mailto:[email protected]]
> Sent: Friday, 4 April 2014 09:09
> To: [email protected]
> Subject: RE: utilizing tomcat authentication for webservices
>
> hi,
> i think i've made some progress.
>
> found the following docs:
> https://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport%28includingSSLsupport%29-BasicAuthentication
>
> looks like the conduit is the way to go. Added the following to my client
> call:
>
> HTTPConduit conduit = (HTTPConduit) client.getConduit();
> HTTPClientPolicy clientPolicy = new HTTPClientPolicy();
> AuthorizationPolicy authorization = new AuthorizationPolicy();
> authorization.setAuthorizationType("BASIC");
> authorization.setUserName("xxx");
> authorization.setPassword("xxxx");
> // apply the policy to the conduit so the credentials are actually sent
> conduit.setAuthorization(authorization);
>
> this works. would this be a 'best practice' approach? i tested this with
> users in different roles etc and only those users in the specified roles
> would access the webservice. works with ssl as well. the next step is to
> use client-cert authentication.
>
> thanks,
> Michael
>
> --
> View this message in context: http://cxf.547215.n5.nabble.com/utilizing-tomcat-authentication-for-webservices-tp5742376p5742400.html
> Sent from the cxf-user mailing list archive at Nabble.com.
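
The following is an added example, not code from either poster or from the CXF project: a helper that applies the conduit-based Basic authentication discussed in the thread, but refuses to attach credentials unless the endpoint is reached over TLS. The class name, method name and parameters are hypothetical, and it assumes the address configured on the endpoint is the one actually used (no per-request address override).

```java
import java.util.Locale;

import org.apache.cxf.configuration.security.AuthorizationPolicy;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;

/** Added example (hypothetical helper): HTTP Basic auth on a CXF client proxy. */
public final class BasicAuthClientConfig {

    private BasicAuthClientConfig() { }

    /**
     * @param port     a CXF/JAX-WS client proxy created elsewhere (assumption)
     * @param user     user name known to the container's realm
     * @param password password supplied by the caller, not hard-coded here
     */
    public static void enableBasicAuth(Object port, String user, char[] password) {
        Client client = ClientProxy.getClient(port);

        // Basic credentials are only base64-encoded in the "Authorization"
        // header, so do not send them to an endpoint that is not TLS-protected.
        String address = client.getEndpoint().getEndpointInfo().getAddress();
        if (address == null
                || !address.toLowerCase(Locale.ROOT).startsWith("https://")) {
            throw new IllegalStateException(
                    "Basic auth requires an https endpoint, got: " + address);
        }

        AuthorizationPolicy authorization = new AuthorizationPolicy();
        authorization.setAuthorizationType("Basic");
        authorization.setUserName(user);
        authorization.setPassword(new String(password));

        // The policy has no effect until it is set on the HTTP conduit.
        HTTPConduit conduit = (HTTPConduit) client.getConduit();
        conduit.setAuthorization(authorization);
    }
}
```

Call `BasicAuthClientConfig.enableBasicAuth(port, user, password)` once after creating the proxy and before the first service invocation.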
