Re: [jboss-dev-forums] [JBoss Web Services Development] - JBWS-2210 : CXF Username Token JAAS integration - jboss-dev-forums

Friday, 9 April 2010

Sergey Beryozkin [http://community.jboss.org/people/sergeyb] replied to the discussion

"JBWS-2210 : CXF Username Token JAAS integration"

To view the discussion, visit: http://community.jboss.org/message/536529#536529

--------------------------------------------------------------
Hi Darran

Thanks for the comments.

...
 The approach of having two interceptors (one for authentication and
one for authorization) is probably the biggest part of this problem already solved.

 Where this becomes really apparent is where endpoints are deployed as EJB3 session beans,
in this case the container can already be configured to perform authentication and
authorization - as a deployed session bean can potentially be called from multiple
different clients it makes sense for the authorization checks to remain with the bean.

I see. Perhaps in some cases no authorization will be required, so just dropping an
authorization interceptor will satisfy such requirements.

...
 The point of these two comments really is to highlight that this is
not just a case of obtaining a Subject from whatever app server you are running in but
actually associating the users identity with the request so that is propagates for further
calls within the application server.  Using the APIs suggested from Anil should help with
this so this is just something to keep in mind. 
Sure. I saw the following code line in the JBoss Native :

...
 securityAdaptor.pushSubjectContext(subject, principal, credential);

this is probably to do with what you explained above.

...
 A final feature related to this that I know there is user demand for
would be the ability to annotate the POJO endpoints with the same role annotations as used
on EJB3 sesstion beans - we were unable to do this for our Native implementation of this
as we had to support JAX-RPC as well as JAX-WS but as this would be JAX-WS only this could
be an option and may help simplify the role configuration I was thinking of adding
(at the CXF level) a utility AuthorizingInInterceptor subclass which would be configured
with the name of the annotation such as @RolesAllowed that target POJO classes may be
annotated with. This interceptor would introspect a given class and return a list of
expected roles for a given method name. Perhaps it might help with addressing this
requirement  

thanks, Sergey

--------------------------------------------------------------

Reply to this message by going to Community
[http://community.jboss.org/message/536529#536529]

Start a new discussion in JBoss Web Services Development at Community
[http://community.jboss.org/choose-container!input.jspa?contentType=1&...]

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

Re: [jboss-dev-forums] [JBoss Web Services Development] - JBWS-2210 : CXF Username Token JAAS integration