Hi Veit You can use acegi (Spring Security) with your webservices infrastructure. As a matter of fact, the WS-Security implementation of excellent Spring Web Services provides integration with acegi (Spring Security). This means you can use your existing Acegi configuration for your SOAP service as well.
There is not a generic implementation of such service available that "can take authentication information from the soap requests and put it automatically into the SecurityContext" simply because there isn't a single way to embedding authentication information in soap requests and most of the times soap-request is itself embedded in proprietary message types but nevertheless writing such thing would be as simple as this String userName = // xpath or other way to get username String passwd = // xpath or other way to get username String role = // xpath or other way to get role GrantedAuthorityImpl ga = new GrantedAuthorityImpl(role); GrantedAuthority[] roles = new GrantedAuthority[] {ga}; Authentication authentication = new UsernamePasswordAuthenticationToken(userName, passwd, roles); SecurityContextHolder.getContext().setAuthentication(authentication); and then acegi's authentication mechanism can be used for password authentication. Also, have a look at reference docs of Spring Web Services for more information http://static.springframework.org/spring-ws/site/reference/html/security.html#d0e2678 Regards, Vishal Puri Veit Guna wrote: > Hi. > > I'm planning a project where webservices (JAX-WS) will be used. As > security mechanismen Basic-Authentication over SSL and WS-Security > (WSIT) should be supported. Since I use Spring and used acegi before in > a JSF webapp successfully, I would like to go-on using acegi also for > this new project. > > Now my question is, has acegi WS support in any way? I think > Basic-Authentication over SSL should be no problem using standard url > pattern filtering, but what about WS-Security? Is there something that > can take authentication information from the soap requests and put it > automatically into the SecurityContext so it is available to the whole > application (Thread), not only in the webtier? > > Would be fine if acegi could be the single-point-of-security in my app. > > Regards, > Veit > > > ------------------------------------------------------------------------- > This SF.net email is sponsored by DB2 Express > Download DB2 Express C - the FREE version of DB2 express and take > control of your XML. No limits. Just data. Click to get it now. > http://sourceforge.net/powerbar/db2/ > _______________________________________________ > Home: http://acegisecurity.org > Acegisecurity-developer mailing list > Acegisecurity-developer@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer > ------------------------------------------------------------------------- This SF.net email is sponsored by DB2 Express Download DB2 Express C - the FREE version of DB2 express and take control of your XML. No limits. Just data. Click to get it now. http://sourceforge.net/powerbar/db2/ _______________________________________________ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer