cxf-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christian Schneider <>
Subject Re: Ideas for standardizing CXF authentication and authorization
Date Thu, 10 Jul 2014 12:06:16 GMT
Spring security integration would be an interesting case that I hope can 
be covered with my approach.

We could do the JAAS aauthentication with CXF without Spring Security 
and then use Spring security just for Authorization.
The only thing we would need to do is provide a small module for Spring 
Security that retrieves the JAAS Login Context and creates a Spring 
Security context from it. Perhaps
this is even present somewhere in spring security as this case should 
not be that uncommon. After that step Spring security would fully work.

This of course only can work if the Authentication phase can be covered 
by JAAS. Which kind of authentication do you have in mind?


On 10.07.2014 13:38, Łukasz Dywicki wrote:
> Hey Christian,
> Great you brought this discussion. I already started working on
> integration between spring security (SS) and cxf, mainly because JAAS
> was not sufficient in all our cases and SS provides nice cover to it
> such AccessDecisionManager session controlling and so on. As Oliver
> pointed out - currently CXF is bound to HTTP headers or WSS4J
> callbacks requiring re-sending credentials for each invocation which
> really limit users while working on more advanced APIs. I would love
> to see support for login/logout operations and session handling within
> CXF.
> There are couple issues which can not be solved with current CXF code
> - for example AbstractAuthorizingInInterceptor forces presence of
> security context even if subject is not necessary and method is not
> annotated with any secure annotation or is annotated with @PermitAll.
> Best regards,
> Łukasz
> --
> Twitter: ldywicki
> Blog:
> Code-House -

Christian Schneider

Open Source Architect

View raw message