Re: [Acegisecurity-developer] Webservices and acegi

2007-06-15 Thread Veit Guna 
Hi Vishal.

Thanks for your detailed answer.

I used webservice a while ago when WS-Security was not a topic so correct me if 
I'm wrong. Since I will use the JAX-WS Implementation with the WSIT extension 
(which includes WS-Security) I can't use the Spring-WS implementation, do I? If 
I understand you correctly, I have to implement some kind of filter that will 
get the authentication information from the webservice request and put it to 
the security context by myself. That's because WS-Security has no standard-way 
to put e.g. username/password information to the webservice request? But what's 
that all about the specification then? Shouldn't that be handled in a standard 
way? Or are you talking about things like encryption of the message content 
etc.? For me it would be enough for the first step to do simple 
authentication/authorization on username/password/group level.

Sorry, If I have understood this completely wrong.

Regards,
Veit


 Original-Nachricht 
Datum: Fri, 15 Jun 2007 10:16:17 +1000
Von: Vishal Puri [EMAIL PROTECTED]
An: acegisecurity-developer@lists.sourceforge.net
Betreff: Re: [Acegisecurity-developer] Webservices and acegi

 Hi Veit
 
 You can use acegi (Spring Security) with your webservices 
 infrastructure. As a matter of fact, the  WS-Security implementation of 
 excellent Spring Web Services provides integration with acegi (Spring 
 Security). This means you can use your existing Acegi configuration for 
 your SOAP service as well.
 
 There is not a generic implementation of such service available that 
 can take authentication information from the soap requests and put it 
 automatically into the SecurityContext simply because there isn't a 
 single way to embedding authentication information in soap requests and 
 most of the times soap-request is itself embedded in proprietary message 
 types but nevertheless writing such thing would be as simple as this
 
 String  userName = // xpath or other way to get username  
 
 String passwd = // xpath or other way to get username  
 
 String role = // xpath or other way to get role  
 
 GrantedAuthorityImpl ga = new GrantedAuthorityImpl(role);
 
 GrantedAuthority[] roles = new GrantedAuthority[] {ga};
 
 Authentication authentication = new 
 UsernamePasswordAuthenticationToken(userName, passwd, roles);
 
 
 SecurityContextHolder.getContext().setAuthentication(authentication);
 
 and then acegi's authentication mechanism can be used for password 
 authentication.
 
 Also, have a look at reference docs of Spring Web Services for more 
 information 
 http://static.springframework.org/spring-ws/site/reference/html/security.html#d0e2678
 
 Regards,
 Vishal Puri
 
 Veit Guna wrote:
  Hi.
 
  I'm planning a project where webservices (JAX-WS) will be used. As
  security mechanismen Basic-Authentication over SSL and WS-Security
  (WSIT) should be supported. Since I use Spring and used acegi before in
  a JSF webapp successfully, I would like to go-on using acegi also for
  this new project.
 
  Now my question is, has acegi WS support in any way? I think
  Basic-Authentication over SSL should be no problem using standard url
  pattern filtering, but what about WS-Security? Is there something that
  can take authentication information from the soap requests and put it
  automatically into the SecurityContext so it is available to the whole
  application (Thread), not only in the webtier?
 
  Would be fine if acegi could be the single-point-of-security in my app.
 
  Regards,
  Veit
 
 
 
 -
  This SF.net email is sponsored by DB2 Express
  Download DB2 Express C - the FREE version of DB2 express and take
  control of your XML. No limits. Just data. Click to get it now.
  http://sourceforge.net/powerbar/db2/
  ___
  Home: http://acegisecurity.org
  Acegisecurity-developer mailing list
  Acegisecurity-developer@lists.sourceforge.net
  https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

 
 
 -
 This SF.net email is sponsored by DB2 Express
 Download DB2 Express C - the FREE version of DB2 express and take
 control of your XML. No limits. Just data. Click to get it now.
 http://sourceforge.net/powerbar/db2/
 ___
 Home: http://acegisecurity.org
 Acegisecurity-developer mailing list
 Acegisecurity-developer@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

-- 
GMX FreeMail: 1 GB Postfach, 5 E-Mail-Adressen, 10 Free SMS.
Alle Infos und kostenlose Anmeldung: http://www.gmx.net/de/go/freemail

-
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control

Re: [Acegisecurity-developer] Webservices and acegi

2007-06-14 Thread Vishal Puri 
Hi Veit

You can use acegi (Spring Security) with your webservices 
infrastructure. As a matter of fact, the  WS-Security implementation of 
excellent Spring Web Services provides integration with acegi (Spring 
Security). This means you can use your existing Acegi configuration for 
your SOAP service as well.

There is not a generic implementation of such service available that 
can take authentication information from the soap requests and put it 
automatically into the SecurityContext simply because there isn't a 
single way to embedding authentication information in soap requests and 
most of the times soap-request is itself embedded in proprietary message 
types but nevertheless writing such thing would be as simple as this

String  userName = // xpath or other way to get username  

String passwd = // xpath or other way to get username  

String role = // xpath or other way to get role  

GrantedAuthorityImpl ga = new GrantedAuthorityImpl(role);

GrantedAuthority[] roles = new GrantedAuthority[] {ga};

Authentication authentication = new 
UsernamePasswordAuthenticationToken(userName, passwd, roles);


SecurityContextHolder.getContext().setAuthentication(authentication);

and then acegi's authentication mechanism can be used for password 
authentication.

Also, have a look at reference docs of Spring Web Services for more 
information 
http://static.springframework.org/spring-ws/site/reference/html/security.html#d0e2678

Regards,
Vishal Puri

Veit Guna wrote:
 Hi.

 I'm planning a project where webservices (JAX-WS) will be used. As
 security mechanismen Basic-Authentication over SSL and WS-Security
 (WSIT) should be supported. Since I use Spring and used acegi before in
 a JSF webapp successfully, I would like to go-on using acegi also for
 this new project.

 Now my question is, has acegi WS support in any way? I think
 Basic-Authentication over SSL should be no problem using standard url
 pattern filtering, but what about WS-Security? Is there something that
 can take authentication information from the soap requests and put it
 automatically into the SecurityContext so it is available to the whole
 application (Thread), not only in the webtier?

 Would be fine if acegi could be the single-point-of-security in my app.

 Regards,
 Veit


 -
 This SF.net email is sponsored by DB2 Express
 Download DB2 Express C - the FREE version of DB2 express and take
 control of your XML. No limits. Just data. Click to get it now.
 http://sourceforge.net/powerbar/db2/
 ___
 Home: http://acegisecurity.org
 Acegisecurity-developer mailing list
 Acegisecurity-developer@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
   


-
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer