[Acegisecurity-developer] Webservices and acegi
Hi. I'm planning a project where webservices (JAX-WS) will be used. As security mechanismen Basic-Authentication over SSL and WS-Security (WSIT) should be supported. Since I use Spring and used acegi before in a JSF webapp successfully, I would like to go-on using acegi also for this new project. Now my question is, has acegi WS support in any way? I think Basic-Authentication over SSL should be no problem using standard url pattern filtering, but what about WS-Security? Is there something that can take authentication information from the soap requests and put it automatically into the SecurityContext so it is available to the whole application (Thread), not only in the webtier? Would be fine if acegi could be the single-point-of-security in my app. Regards, Veit - This SF.net email is sponsored by DB2 Express Download DB2 Express C - the FREE version of DB2 express and take control of your XML. No limits. Just data. Click to get it now. http://sourceforge.net/powerbar/db2/ ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] Webservices and acegi
Hi Veit
You can use acegi (Spring Security) with your webservices
infrastructure. As a matter of fact, the WS-Security implementation of
excellent Spring Web Services provides integration with acegi (Spring
Security). This means you can use your existing Acegi configuration for
your SOAP service as well.
There is not a generic implementation of such service available that
"can take authentication information from the soap requests and put it
automatically into the SecurityContext" simply because there isn't a
single way to embedding authentication information in soap requests and
most of the times soap-request is itself embedded in proprietary message
types but nevertheless writing such thing would be as simple as this
String userName = // xpath or other way to get username
String passwd = // xpath or other way to get username
String role = // xpath or other way to get role
GrantedAuthorityImpl ga = new GrantedAuthorityImpl(role);
GrantedAuthority[] roles = new GrantedAuthority[] {ga};
Authentication authentication = new
UsernamePasswordAuthenticationToken(userName, passwd, roles);
SecurityContextHolder.getContext().setAuthentication(authentication);
and then acegi's authentication mechanism can be used for password
authentication.
Also, have a look at reference docs of Spring Web Services for more
information
http://static.springframework.org/spring-ws/site/reference/html/security.html#d0e2678
Regards,
Vishal Puri
Veit Guna wrote:
> Hi.
>
> I'm planning a project where webservices (JAX-WS) will be used. As
> security mechanismen Basic-Authentication over SSL and WS-Security
> (WSIT) should be supported. Since I use Spring and used acegi before in
> a JSF webapp successfully, I would like to go-on using acegi also for
> this new project.
>
> Now my question is, has acegi WS support in any way? I think
> Basic-Authentication over SSL should be no problem using standard url
> pattern filtering, but what about WS-Security? Is there something that
> can take authentication information from the soap requests and put it
> automatically into the SecurityContext so it is available to the whole
> application (Thread), not only in the webtier?
>
> Would be fine if acegi could be the single-point-of-security in my app.
>
> Regards,
> Veit
>
>
> -
> This SF.net email is sponsored by DB2 Express
> Download DB2 Express C - the FREE version of DB2 express and take
> control of your XML. No limits. Just data. Click to get it now.
> http://sourceforge.net/powerbar/db2/
> ___
> Home: http://acegisecurity.org
> Acegisecurity-developer mailing list
> Acegisecurity-developer@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
>
-
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] Webservices and acegi
Hi Vishal.
Thanks for your detailed answer.
I used webservice a while ago when WS-Security was not a topic so correct me if
I'm wrong. Since I will use the JAX-WS Implementation with the WSIT extension
(which includes WS-Security) I can't use the Spring-WS implementation, do I? If
I understand you correctly, I have to implement some kind of filter that will
get the authentication information from the webservice request and put it to
the security context by myself. That's because WS-Security has no standard-way
to put e.g. username/password information to the webservice request? But what's
that all about the specification then? Shouldn't that be handled in a standard
way? Or are you talking about things like encryption of the message content
etc.? For me it would be enough for the first step to do "simple"
authentication/authorization on username/password/group level.
Sorry, If I have understood this completely wrong.
Regards,
Veit
Original-Nachricht
Datum: Fri, 15 Jun 2007 10:16:17 +1000
Von: Vishal Puri <[EMAIL PROTECTED]>
An: acegisecurity-developer@lists.sourceforge.net
Betreff: Re: [Acegisecurity-developer] Webservices and acegi
> Hi Veit
>
> You can use acegi (Spring Security) with your webservices
> infrastructure. As a matter of fact, the WS-Security implementation of
> excellent Spring Web Services provides integration with acegi (Spring
> Security). This means you can use your existing Acegi configuration for
> your SOAP service as well.
>
> There is not a generic implementation of such service available that
> "can take authentication information from the soap requests and put it
> automatically into the SecurityContext" simply because there isn't a
> single way to embedding authentication information in soap requests and
> most of the times soap-request is itself embedded in proprietary message
> types but nevertheless writing such thing would be as simple as this
>
> String userName = // xpath or other way to get username
>
> String passwd = // xpath or other way to get username
>
> String role = // xpath or other way to get role
>
> GrantedAuthorityImpl ga = new GrantedAuthorityImpl(role);
>
> GrantedAuthority[] roles = new GrantedAuthority[] {ga};
>
> Authentication authentication = new
> UsernamePasswordAuthenticationToken(userName, passwd, roles);
>
>
> SecurityContextHolder.getContext().setAuthentication(authentication);
>
> and then acegi's authentication mechanism can be used for password
> authentication.
>
> Also, have a look at reference docs of Spring Web Services for more
> information
> http://static.springframework.org/spring-ws/site/reference/html/security.html#d0e2678
>
> Regards,
> Vishal Puri
>
> Veit Guna wrote:
> > Hi.
> >
> > I'm planning a project where webservices (JAX-WS) will be used. As
> > security mechanismen Basic-Authentication over SSL and WS-Security
> > (WSIT) should be supported. Since I use Spring and used acegi before in
> > a JSF webapp successfully, I would like to go-on using acegi also for
> > this new project.
> >
> > Now my question is, has acegi WS support in any way? I think
> > Basic-Authentication over SSL should be no problem using standard url
> > pattern filtering, but what about WS-Security? Is there something that
> > can take authentication information from the soap requests and put it
> > automatically into the SecurityContext so it is available to the whole
> > application (Thread), not only in the webtier?
> >
> > Would be fine if acegi could be the single-point-of-security in my app.
> >
> > Regards,
> > Veit
> >
> >
> >
> -
> > This SF.net email is sponsored by DB2 Express
> > Download DB2 Express C - the FREE version of DB2 express and take
> > control of your XML. No limits. Just data. Click to get it now.
> > http://sourceforge.net/powerbar/db2/
> > ___
> > Home: http://acegisecurity.org
> > Acegisecurity-developer mailing list
> > Acegisecurity-developer@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
> >
>
>
> -
> This SF.net email is sponsored by DB2 Express
> Download DB2 Express C - the FREE version of DB2 express and take
> control of your XML. No limits. Just data. Click to get it now.
> http:/
