cxf-users mailing list archives

From Kynan Fraser <>
Subject Re: Security in Jaxws/Jaxrs
Date Thu, 02 Jul 2009 08:44:28 GMT

Hi Sergey,

As a follow up to this, I'm trying to implement a basic http filter using a
request handler. Is there a way to obtain the http auth info? I can't find
it on any of the contexts or message.

Is there an example of a basic auth client and a request handler or custom
invoker handling the authentication?


Sergey Beryozkin wrote:
> Hi Vishal
> I'm very sorry for a late reply - I was planning to reply much earlier but
> then I got swamped with some work and forgot.
> There're a number of options, depending on your preferences
> 1. Do it in the application code, in the resource class. This may or
> may not be the best option. Typically this is something users prefer to do
> outside of the application code. But then you may want to look at the
> resource class which checks the injected SecurityContexts as the facade or
> as an interceptor really which delegates to the actual application class
> which may make this option more viable.
> So in this case you have to have
> @Resource WebServiceContext jaxwsContext;
> @Context SecurityContext jaxrsSecurityContext;
> declared in your code. Next, you need to figure out whether it's a JAXWS
> or JAXRS invocation in progress, so you can do it like this
> // not sure at the moment how exactly to get security context from jaxws one
> if (jaxwsContext.getSecurityContext() == null) {
>    checkPrincipal(jaxrsSecurityContext.getPrincipal());
> } else {
>    checkPrincipal(jaxwsContext.getSecurityContext().getPrincipal());
> }
> 2. Use Spring security - we have some simple tests showing how
> authentication and authorization can be done
> 3. For JAXRS : Use CXF JAX-RS RequestFilter or custom invoker (which
> simply extends JAXRSInvoker and is registered as an invoker property)
> where you can get all the info you need (method name, Principal, etc)
>    For JAXWS : do a custom CXF in Interceptor which will throw Fault if
> needed.
> Perhaps there're more options... Let me know please if you need more info
> on any of these options
> Cheers, Sergey   
> Vishal.a wrote:
>> Hello All,
>> I have services written, that have both JaxRs and Jaxws. I have to
>> implement security on the services now. There are 2 things I need to do
>> 1. Authentication - Using Basic Http Authentication
>> 2. Authorization - Secure each and every method.
>> I have seen posts that show me how to do for either JaxRS or Jaxws, can
>> someone tell me what would be the best way to approach it for doing it
>> for both REST and SOAP.
>> Any help is appreciated.
>> Thanks,
>> Vishal
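
A transport-neutral check that both a JAX-RS request handler and a JAX-WS in-interceptor could delegate to, covering the two requirements in the thread (Basic HTTP authentication, then per-method authorization). This is an added example, not code from the thread or from CXF. It uses only the JDK (Java 9+); `BasicAuthGate`, the user table and the operation names are hypothetical, and the caller is assumed to pass in the raw `Authorization` header value and the invoked method name.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;

// Added example: hypothetical class and constructed sample data, JDK only.
public class BasicAuthGate {
    // user -> {password, role}. Constructed; real code would store salted password hashes.
    static final Map<String, String[]> USERS = Map.of(
        "alice", new String[] {"s3cret:pw", "admin"},
        "bob",   new String[] {"hunter2", "reader"});
    // operation -> required role (exact match). Unlisted operations are denied.
    static final Map<String, String> METHOD_ROLES = Map.of("getOrder", "reader", "deleteOrder", "admin");

    /** Returns {user, password} from an Authorization header value, or null if unusable. */
    static String[] parse(String header) {
        // The scheme name is case-insensitive, so "basic" and "Basic" are both accepted.
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(header.substring(6).trim());
        } catch (IllegalArgumentException e) {
            return null; // payload is not valid base64
        }
        String pair = new String(raw, StandardCharsets.UTF_8);
        int colon = pair.indexOf(':'); // split on the first colon only: passwords may contain ':'
        if (colon <= 0) return null;   // no separator, or empty user name
        return new String[] {pair.substring(0, colon), pair.substring(colon + 1)};
    }

    /** 200 = allowed, 401 = not authenticated, 403 = authenticated but not permitted. */
    static int check(String header, String operation) {
        String[] cred = parse(header);
        String[] user = cred == null ? null : USERS.get(cred[0]);
        // Compare even for unknown users; isEqual does not stop at the first differing byte.
        byte[] expected = (user == null ? "" : user[0]).getBytes(StandardCharsets.UTF_8);
        byte[] given = (cred == null ? "\0" : cred[1]).getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(expected, given) || user == null) return 401;
        return user[1].equals(METHOD_ROLES.get(operation)) ? 200 : 403; // deny by default
    }

    public static void main(String[] args) {
        Base64.Encoder enc = Base64.getEncoder();
        String alice = "Basic " + enc.encodeToString("alice:s3cret:pw".getBytes(StandardCharsets.UTF_8));
        String bob = "basic " + enc.encodeToString("bob:hunter2".getBytes(StandardCharsets.UTF_8));
        System.out.println("alice deleteOrder: " + check(alice, "deleteOrder"));
        System.out.println("bob deleteOrder:   " + check(bob, "deleteOrder"));
        System.out.println("bob listUsers:     " + check(bob, "listUsers"));
        System.out.println("malformed header:  " + check("Basic !!!", "getOrder"));
    }
}
```

Returning 401 for every authentication failure, including malformed headers and unknown users, keeps the response from revealing which user names exist.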
