Hi Veit
You can use acegi (Spring Security) with your webservices
infrastructure. As a matter of fact, the WS-Security implementation of
excellent Spring Web Services provides integration with acegi (Spring
Security). This means you can use your existing Acegi configuration for
your SOAP service as well.
There is not a generic implementation of such service available that
"can take authentication information from the soap requests and put it
automatically into the SecurityContext" simply because there isn't a
single way to embedding authentication information in soap requests and
most of the times soap-request is itself embedded in proprietary message
types but nevertheless writing such thing would be as simple as this
String userName = // xpath or other way to get username
String passwd = // xpath or other way to get username
String role = // xpath or other way to get role
GrantedAuthorityImpl ga = new GrantedAuthorityImpl(role);
GrantedAuthority[] roles = new GrantedAuthority[] {ga};
Authentication authentication = new
UsernamePasswordAuthenticationToken(userName, passwd, roles);
SecurityContextHolder.getContext().setAuthentication(authentication);
and then acegi's authentication mechanism can be used for password
authentication.
Also, have a look at reference docs of Spring Web Services for more
information
http://static.springframework.org/spring-ws/site/reference/html/security.html#d0e2678
Regards,
Vishal Puri
Veit Guna wrote:
> Hi.
>
> I'm planning a project where webservices (JAX-WS) will be used. As
> security mechanismen Basic-Authentication over SSL and WS-Security
> (WSIT) should be supported. Since I use Spring and used acegi before in
> a JSF webapp successfully, I would like to go-on using acegi also for
> this new project.
>
> Now my question is, has acegi WS support in any way? I think
> Basic-Authentication over SSL should be no problem using standard url
> pattern filtering, but what about WS-Security? Is there something that
> can take authentication information from the soap requests and put it
> automatically into the SecurityContext so it is available to the whole
> application (Thread), not only in the webtier?
>
> Would be fine if acegi could be the single-point-of-security in my app.
>
> Regards,
> Veit
>
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by DB2 Express
> Download DB2 Express C - the FREE version of DB2 express and take
> control of your XML. No limits. Just data. Click to get it now.
> http://sourceforge.net/powerbar/db2/
> _______________________________________________
> Home: http://acegisecurity.org
> Acegisecurity-developer mailing list
> Acegisecurity-developer@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
>
-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
