cxf-users mailing list archives

From Andreas Veithen <>
Subject Re: Is it possible to integrate CXF JAX-RS with Spring Security 2.0.5 ?
Date Wed, 17 Feb 2010 19:45:41 GMT

On Wed, Feb 17, 2010 at 14:46, johnrock <> wrote:
> Thank you for the link to that wiki. Very helpful. To quote from there:
> "If Spring Security is used for authentication, then CXF's SecurityContext
> is not initialized automatically. cxf-spring-security provides an
> interceptor that can be used if this is required. This interceptor adapts an
> authenticated Authentication object found in the current Exchange to the
> interface and adds it to the current
> message. Authorities in the Authentication object are mapped one-to-one to
> roles in the SecurityContext.
> ...
> Setting up Spring's security context: <ssec:spring-security-context-feature>
> ...
> This makes it clear that an interceptor would not be the right place to
> manage Spring's security context. cxf-spring-security solves this issue with
> the help of an org.apache.cxf.service.invoker.Invoker proxy that will be
> installed in front of the real invoker (whose responsibility is to dispatch
> to the right method of the service implementation). This proxy sets up the
> security context before delegating to the real invoker and removes it after
> completion. "
> Doesn't this imply that either an Interceptor or custom invoker is required?
> My example is not currently using either approach. Is there an example
> that uses an Interceptor or Invoker to set up the Security Context?

The document (and the components it describes) actually focuses on
those scenarios where CXF drives the overall process and where
authentication and authorization need to be delegated properly to
Spring Security. This is the case for scenarios that use WS-Security,
protocols other than HTTP or where for some reason one doesn't want to
use the Spring Security servlet filters. In your scenario, Spring
Security is in control from the very beginning of request processing.

I think that Sergey is correct when he says that CXF actually builds
the (and thus the, so that your scenario should
actually work out of the box. More on this later.

> --
> View this message in context:
> Sent from the cxf-user mailing list archive at
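
The Invoker proxy pattern described in the quoted wiki text, as an added example that is not part of the original message and is not cxf-spring-security's own code. The class name `SecurityContextInvoker` is hypothetical, and the sketch assumes an earlier interceptor stored the authenticated `Authentication` in the CXF `Exchange` keyed by its class; package names are those of Spring Security 2.0.x.

```java
import org.apache.cxf.message.Exchange;
import org.apache.cxf.service.invoker.Invoker;
import org.springframework.security.Authentication;
import org.springframework.security.context.SecurityContext;
import org.springframework.security.context.SecurityContextHolder;
import org.springframework.security.context.SecurityContextImpl;

/**
 * Hypothetical proxy installed in front of the real CXF invoker.
 * It binds Spring's thread-local security context for the duration of
 * the service call and always removes it afterwards.
 */
public class SecurityContextInvoker implements Invoker {

    // The real invoker, which dispatches to the service implementation method.
    private final Invoker target;

    public SecurityContextInvoker(Invoker target) {
        this.target = target;
    }

    public Object invoke(Exchange exchange, Object o) {
        // Assumption: an earlier interceptor put the authenticated
        // Authentication into the Exchange under its class key.
        Authentication auth = exchange.get(Authentication.class);

        // Always start from a fresh context so an identity left behind on a
        // pooled worker thread by an earlier request can never be reused.
        SecurityContext context = new SecurityContextImpl();
        if (auth != null && auth.isAuthenticated()) {
            context.setAuthentication(auth);
        }
        // If no Authentication was found the context stays empty, so
        // Spring's method security rejects calls to secured methods.
        SecurityContextHolder.setContext(context);
        try {
            return target.invoke(exchange, o);
        } finally {
            // Runs on normal return and on exceptions: the thread goes back
            // to the pool without the caller's identity attached.
            SecurityContextHolder.clearContext();
        }
    }
}
```

When the Spring Security servlet filters handle the request, as in the scenario discussed in this thread, the filter chain performs this setup and cleanup itself and no such proxy is needed.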
