Hi,

> 1. Can WS-Policy be used to control the access to a service, like limited
> number of access to a service in day and only particular users are allowed
> to access the service etc.

Limited number of access (throttling) cannot be specified by standard WS-Policy. Basically you can add a proprietary policy assertion to activate custom interceptors doing that. There is also no standard policy assertion for authorization (allow/disallow access to service operations), but a proprietary assertion can be introduced as well.

> 2. How Authorization can be achieved for a SOAP service.

There are some options here:

1) Simple authorization (annotation or configuration based). Here you will specify which roles/users are allowed to access service methods. Look into http://cxf.apache.org/docs/security.html#Security-Authorization (SimpleAuthorizingInterceptor.java, SecureAnnotationsInterceptor.java and corresponding tests).
2) XACML is partly supported in CXF. However, it is a more involved solution. See AbstractXACMLAuthorizingInterceptor.java, https://issues.apache.org/jira/browse/CXF-4657
3) OAuth: http://cxf.apache.org/docs/jax-rs-oauth2.html

Regards,
Andrei.

> --
> View this message in context: http://cxf.547215.n5.nabble.com/Security-Related-Questions-tp5753340.html
> Sent from the cxf-user mailing list archive at Nabble.com.
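
A sketch of the kind of custom interceptor the reply refers to, as an added example that is not part of the original message or of CXF itself: it allows only listed users and caps each user's calls per day. The class name, user list and quota are hypothetical, and it assumes an earlier interceptor (for example WS-Security or JAAS authentication) has already placed a SecurityContext on the message.

```java
import java.security.Principal;
import java.time.LocalDate;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;

import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.interceptor.security.AccessDeniedException;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.security.SecurityContext;

// Hypothetical class (not shipped with CXF): per-user allow list plus daily call quota.
public class DailyQuotaInterceptor extends AbstractPhaseInterceptor<Message> {
    private final Set<String> allowedUsers;
    private final int maxCallsPerDay;
    // Key is "user|yyyy-MM-dd". Kept in memory only, so counts reset on restart
    // and are not shared between nodes of a cluster.
    private final Map<String, AtomicInteger> counters = new ConcurrentHashMap<>();

    public DailyQuotaInterceptor(Set<String> allowedUsers, int maxCallsPerDay) {
        // PRE_INVOKE runs after the authentication interceptors and before the service method.
        super(Phase.PRE_INVOKE);
        this.allowedUsers = Set.copyOf(allowedUsers);
        this.maxCallsPerDay = maxCallsPerDay;
    }

    @Override
    public void handleMessage(Message message) throws Fault {
        SecurityContext sc = message.get(SecurityContext.class);
        Principal user = (sc == null) ? null : sc.getUserPrincipal();
        // Fail closed: no authenticated principal, or one not on the list, is rejected.
        if (user == null || !allowedUsers.contains(user.getName())) {
            throw new AccessDeniedException("Unauthorized");
        }
        String today = LocalDate.now().toString();
        // Drop counters left over from previous days so the map does not grow without bound.
        counters.keySet().removeIf(key -> !key.endsWith("|" + today));
        int used = counters
            .computeIfAbsent(user.getName() + "|" + today, key -> new AtomicInteger())
            .incrementAndGet();
        if (used > maxCallsPerDay) {
            throw new AccessDeniedException("Daily quota exceeded");
        }
    }
}
```

Here the interceptor is added directly to the endpoint's in-interceptor chain; activating it through a proprietary WS-Policy assertion, as the reply suggests, additionally requires a policy interceptor provider for that assertion.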
