cxf-users mailing list archives

From Freeman Fang <>
Subject Re: Security for WS & REST clients
Date Mon, 25 Feb 2013 09:54:30 GMT

My comment inline
Freeman(Yue) Fang

Red Hat, Inc. 
FuseSource is now part of Red Hat
Twitter: freemanfang
weibo: @Freeman小屋

On 2013-2-25, at 5:01 PM, Jose María Zaragoza wrote:

> Hi:
> I'm a newbie to using the CXF framework and I'd like to make the best choice
> about security matters ( authorization/authentication )
> Maybe more expert users can help me.
> I need to develop JAX-WS (SOAP/HTTP) and JAX-RS (XML/JSON/HTTP)
> services and I need to get the client ID who is calling that web
> service for loading custom config files by client profile/role .
> Sometimes, it will be the same implementation but different protocol
> binding ( I think CXF framework allows this feature )
> 1)
> I would like to use a standard authentication/authorization model.
> I've seen WS-Security but I think that it only works with SOAP
> messages, am I wrong ? could it be used with REST client/services?
Yes, the UsernameToken WS-Security stuff is based on SOAP messages, so it won't work with REST.
> 2)
> Other choice is use HTTP Authentication , For example, I could use
> Realm mechanism implemented by Tomcat to authenticate users
> That is supported by SOAP/HTTP and REST/JSON/HTTP clients
> Could I retrieve client ID ( Principal ) from WebserviceContext with
> HTTP Authentication ?
> Do I need to get the HTTPRequest to get the client ID ?
Yeah, you can use HTTP basic auth both for SOAP and REST services.
You can simply use, which can retrieve
username/password from HTTP Basic auth, create a SecurityContext accordingly, and delegate
to your container JAAS (Tomcat, Karaf, etc.).
> 3)
> As I told you, I want to load custom config files by client
> profile/role calling a service
> Could I implement this with an interceptor, and this interceptor
> updates 'service call' with custom values ?
> What is the best way to face this issue ?
Yeah, an interceptor usually is the way to go.
> I want to perform something like Filters (Servlet) and update requests
> context with custom info by client/user/role
> Thanks
> Best regards
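An added example of the interceptor approach Freeman suggests, written for this page and not taken from the thread or from CXF's own sources: it runs after the HTTP Basic / JAAS authentication has populated CXF's SecurityContext, picks a per-role config file, and stores it as a message property that the same SOAP or REST implementation can read back. The class name, the PROFILE_CONFIG key, the role-to-file mapping and the PRE_INVOKE phase choice are assumptions.

```java
import java.security.Principal;
import java.util.LinkedHashMap;
import java.util.Map;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.security.SecurityContext;

/**
 * Hypothetical interceptor: maps the authenticated caller's role to a config file
 * and attaches the path to the CXF Message for the service implementation.
 */
public class ProfileConfigInterceptor extends AbstractPhaseInterceptor<Message> {
    // Assumed property name; the service reads it from its WebServiceContext
    // (JAX-WS) or JAX-RS MessageContext.
    public static final String PROFILE_CONFIG = "com.example.profile.config";
    // Constructed sample mapping; insertion order decides precedence for multi-role users.
    private static final Map<String, String> ROLE_CONFIGS = new LinkedHashMap<>();
    static {
        ROLE_CONFIGS.put("admin", "config/admin.properties");
        ROLE_CONFIGS.put("partner", "config/partner.properties");
    }

    public ProfileConfigInterceptor() {
        // PRE_INVOKE runs after the authentication interceptors that fill SecurityContext.
        super(Phase.PRE_INVOKE);
    }

    @Override
    public void handleMessage(Message message) throws Fault {
        SecurityContext sc = message.get(SecurityContext.class);
        Principal user = (sc == null) ? null : sc.getUserPrincipal();
        if (user == null) {
            // Fail closed: without an authenticated caller there is no profile to select.
            throw new Fault(new SecurityException("Unauthenticated request rejected"));
        }
        String configPath = null;
        for (Map.Entry<String, String> e : ROLE_CONFIGS.entrySet()) {
            if (sc.isUserInRole(e.getKey())) { configPath = e.getValue(); break; }
        }
        if (configPath == null) {
            // A known user with no mapped role gets no default config either.
            throw new Fault(new SecurityException("No profile for user " + user.getName()));
        }
        message.put(PROFILE_CONFIG, configPath);
    }
}
```

The same interceptor instance can be added to both the JAX-WS endpoint and the JAX-RS server, since both authenticate through the same SecurityContext.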
