Hi Vishal. Thanks for your detailed answer.
I used webservice a while ago when WS-Security was not a topic so correct me if I'm wrong. Since I will use the JAX-WS Implementation with the WSIT extension (which includes WS-Security) I can't use the Spring-WS implementation, do I? If I understand you correctly, I have to implement some kind of filter that will get the authentication information from the webservice request and put it to the security context by myself. That's because WS-Security has no standard-way to put e.g. username/password information to the webservice request? But what's that all about the specification then? Shouldn't that be handled in a standard way? Or are you talking about things like encryption of the message content etc.? For me it would be enough for the first step to do "simple" authentication/authorization on username/password/group level. Sorry, If I have understood this completely wrong. Regards, Veit -------- Original-Nachricht -------- Datum: Fri, 15 Jun 2007 10:16:17 +1000 Von: Vishal Puri <[EMAIL PROTECTED]> An: acegisecurity-developer@lists.sourceforge.net Betreff: Re: [Acegisecurity-developer] Webservices and acegi > Hi Veit > > You can use acegi (Spring Security) with your webservices > infrastructure. As a matter of fact, the WS-Security implementation of > excellent Spring Web Services provides integration with acegi (Spring > Security). This means you can use your existing Acegi configuration for > your SOAP service as well. > > There is not a generic implementation of such service available that > "can take authentication information from the soap requests and put it > automatically into the SecurityContext" simply because there isn't a > single way to embedding authentication information in soap requests and > most of the times soap-request is itself embedded in proprietary message > types but nevertheless writing such thing would be as simple as this > > String userName = // xpath or other way to get username > > String passwd = // xpath or other way to get username > > String role = // xpath or other way to get role > > GrantedAuthorityImpl ga = new GrantedAuthorityImpl(role); > > GrantedAuthority[] roles = new GrantedAuthority[] {ga}; > > Authentication authentication = new > UsernamePasswordAuthenticationToken(userName, passwd, roles); > > > SecurityContextHolder.getContext().setAuthentication(authentication); > > and then acegi's authentication mechanism can be used for password > authentication. > > Also, have a look at reference docs of Spring Web Services for more > information > http://static.springframework.org/spring-ws/site/reference/html/security.html#d0e2678 > > Regards, > Vishal Puri > > Veit Guna wrote: > > Hi. > > > > I'm planning a project where webservices (JAX-WS) will be used. As > > security mechanismen Basic-Authentication over SSL and WS-Security > > (WSIT) should be supported. Since I use Spring and used acegi before in > > a JSF webapp successfully, I would like to go-on using acegi also for > > this new project. > > > > Now my question is, has acegi WS support in any way? I think > > Basic-Authentication over SSL should be no problem using standard url > > pattern filtering, but what about WS-Security? Is there something that > > can take authentication information from the soap requests and put it > > automatically into the SecurityContext so it is available to the whole > > application (Thread), not only in the webtier? > > > > Would be fine if acegi could be the single-point-of-security in my app. > > > > Regards, > > Veit > > > > > > > ------------------------------------------------------------------------- > > This SF.net email is sponsored by DB2 Express > > Download DB2 Express C - the FREE version of DB2 express and take > > control of your XML. No limits. Just data. Click to get it now. > > http://sourceforge.net/powerbar/db2/ > > _______________________________________________ > > Home: http://acegisecurity.org > > Acegisecurity-developer mailing list > > Acegisecurity-developer@lists.sourceforge.net > > https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer > > > > > ------------------------------------------------------------------------- > This SF.net email is sponsored by DB2 Express > Download DB2 Express C - the FREE version of DB2 express and take > control of your XML. No limits. Just data. Click to get it now. > http://sourceforge.net/powerbar/db2/ > _______________________________________________ > Home: http://acegisecurity.org > Acegisecurity-developer mailing list > Acegisecurity-developer@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer -- GMX FreeMail: 1 GB Postfach, 5 E-Mail-Adressen, 10 Free SMS. Alle Infos und kostenlose Anmeldung: http://www.gmx.net/de/go/freemail ------------------------------------------------------------------------- This SF.net email is sponsored by DB2 Express Download DB2 Express C - the FREE version of DB2 express and take control of your XML. No limits. Just data. Click to get it now. http://sourceforge.net/powerbar/db2/ _______________________________________________ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer