I don't think this will work. You will always have to build an Authentication object because the entire Spring Security framework is based on this. It is also required to have an AuthenticationProvider (that is why Spring complains about the missing _authenticationManager bean). However, this does not mean that the AuthenticationProvider really needs to do authentication. Actually, AuthenticationProvider has two responsibilities: - Authenticate the user (i.e. validate the credentials). - Determine the authorities (roles) the user has. If both aspects are handled elsewhere (by WSS4J), then the AuthenticationProvider only needs to validate that the authentication token is of the right type. Actually, how are you planning to determine the authorities?
Andreas On Wed, Sep 16, 2009 at 00:03, HamletDRC <[email protected]> wrote: > > I had planned on providing a custom AccessDecisionManager that made the > decision off of something in the MessageContext rather than the > authenticated principle. > > > > Christian Schneider wrote: >> >> I guess you will need some kind of spring security authentication. At >> least so far that spring security knows the authenticated principal. How >> else should it do the authorisation. >> >> Greetings >> >> Christian >> >> >> HamletDRC schrieb: >>> I have a set of CXF services I want to have authorization provided on >>> based >>> on Spring Security and the JSR-250 annotations. I do _not_ want to use >>> the >>> Spring Authentication mechanisms... for authentication I have the >>> WSS4JInInterceptor and am quite happy with it. >>> >>> Does anyone know how to use just the Spring authorization in CXF? >>> >>> It should be as easy as adding this line of XML config to cxf.xml: >>> >>> <security:global-method-security jsr250-annotations="enabled"/> >>> >>> But when I do that I get bean not found errors for the >>> "_authenticationManager" bean. I don't want to specify an authentication >>> manager, I just want to specify an AccessDecisionManager. >>> >>> Any ideas on reference material? I read the Spring Security user guide >>> but >>> didn't feel like I knew what to do. >>> Thanks, >>> Hamlet D'Arcy >>> [email protected] >>> >>> ----- >>> -- >>> Hamlet D'Arcy >>> >>> >> >> >> > > > ----- > -- > Hamlet D'Arcy > > -- > View this message in context: > http://www.nabble.com/Using-Spring-JSR-250-based-Authorization-but-not-Authentication-tp25461114p25462666.html > Sent from the cxf-user mailing list archive at Nabble.com. > >
