[jboss-user] [JBoss Web Services Development] - JBWS-2210 : CXF Username Token JAAS integration

[Sergey Beryozkin]

Sergey Beryozkin [http://community.jboss.org/people/sergeyb] replied to the discussion

"JBWS-2210 : CXF Username Token JAAS integration"

To view the discussion, visit: http://community.jboss.org/message/536529#536529

--------------------------------------------------------------
Hi Darran

Thanks for the comments.

> The approach of having two interceptors (one for authentication and one for authorization) is probably the biggest part of this problem already solved.
> 
> Where this becomes really apparent is where endpoints are deployed as EJB3 session beans, in this case the container can already be configured to perform authentication and authorization - as a deployed session bean can potentially be called from multiple different clients it makes sense for the authorization checks to remain with the bean.

I see. Perhaps in some cases no authorization will be required, so just dropping an authorization interceptor will satisfy such requirements.

> The point of these two comments really is to highlight that this is not just a case of obtaining a Subject from whatever app server you are running in but actually associating the users identity with the request so that is propagates for further calls within the application server.  Using the APIs suggested from Anil should help with this so this is just something to keep in mind.

Sure. I saw the following code line in the JBoss Native :

> securityAdaptor.pushSubjectContext(subject, principal, credential);

this is probably to do with what you explained above.

> A final feature related to this that I know there is user demand for would be the ability to annotate the POJO endpoints with the same role annotations as used on EJB3 sesstion beans - we were unable to do this for our Native implementation of this as we had to support JAX-RPC as well as JAX-WS but as this would be JAX-WS only this could be an option and may help simplify the role configuration
I was thinking of adding (at the CXF level) a utility AuthorizingInInterceptor subclass which would be configured with the name of the annotation such as @RolesAllowed that target POJO classes may be annotated with. This interceptor would introspect a given class and return a list of expected roles for a given method name. Perhaps it might help with addressing this requirement  

thanks, Sergey

--------------------------------------------------------------

Reply to this message by going to Community
[http://community.jboss.org/message/536529#536529]

Start a new discussion in JBoss Web Services Development at Community
[http://community.jboss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2047]

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/jboss-user/attachments/20100409/f332012e/attachment.html