Hi

I'd like to add that there's also another option which can work if the SecurityContext has already been initialized. Specifically, CXF now ships an org.apache.cxf.interceptor.security.SimpleAuthorizingInterceptor which can be initialized with a Map of method names to allowed roles pairs, ex:

"doIt" : "user admin"
"readIt" : "*"

where "*" means 'permit all', which is equivalent to omitting a 'readIt' pair. Deny(All) can easily be supported by overriding getDenyRoles().

I was planning to add a SimpleAuthorizingInterceptor subclass which would check the annotations such as @RolesAllowed on specified classes, will try to do it when I get a chance.

Just one more option to be aware of

cheers, Sergey

On Tue, Sep 7, 2010 at 5:37 PM, David Valeri <[email protected]> wrote:

> If you are doing JAX-WS annotation [1], JAX-RS annotation [2], or POJO based
> services, it is fairly simple to wrap your implementation bean with Spring
> Security's method level security stuff [3]. That will give you operation
> level RBAC. You can also do more fine grained RBAC in your business logic
> if you need to.
>
> For SOAP based services, the only gotcha here is that the CXF interceptor
> (you will build this) that sets up the Spring Security SecurityContext needs
> to be done after the MAPAggregator and/or OneWayProcessorInterceptor as
> these two interceptors can move processing of the request to another thread
> which will affect the way Spring Security works [4].
>
> I can't vouch for the maturity of [1] or [2], but I have gotten this
> approach to work in the past so it is very possible even if it turns out
> that there isn't much available in the community.
>
> [1] http://code.google.com/p/cxf-spring-security/
> [2] http://cxf.547215.n5.nabble.com/Spring-Security-annotations-in-CXF-td561615.html
> [3] http://static.springsource.org/spring-security/site/ &
> http://static.springsource.org/spring-security/site/docs/3.1.x/reference/ns-config.html#ns-method-security
> [4] http://static.springsource.org/spring-security/site/docs/3.1.x/reference/technical-overview.html#d0e1605
>
> David Valeri
> ---------------------------
> http://davidvaleri.wordpress.com/
> http://twitter.com/DavidValeri
>
> -----Original Message-----
> From: devkatiyar [mailto:[email protected]]
> Sent: Monday, September 06, 2010 8:33 PM
> To: [email protected]
> Subject: Role based Access Control (RBAC) for web services
>
> Hi,
> I have to develop role based access control for securing my web services.
> Can anyone suggest the best framework and some references so that I can
> implement it?
>
> Thanks All.
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/Role-based-Access-Control-RBAC-for-web-services-tp2805531p2805531.html
> Sent from the cxf-user mailing list archive at Nabble.com.
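
The method-to-roles configuration described in the reply at the top of this thread, as an added example that is not part of the original messages or CXF's own code. `RbacSetup`, `DenyListInterceptor` and the `purgeIt` operation are hypothetical names, and treating a deny list of `"*"` as deny-all is an assumption to verify against the CXF version in use.

```java
import java.lang.reflect.Method;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.apache.cxf.interceptor.InterceptorProvider;
import org.apache.cxf.interceptor.security.SimpleAuthorizingInterceptor;

public final class RbacSetup {

    /** Hypothetical subclass: rejects every caller for the named operations. */
    static class DenyListInterceptor extends SimpleAuthorizingInterceptor {
        private final Set<String> deniedOperations;

        DenyListInterceptor(Set<String> deniedOperations) {
            this.deniedOperations = deniedOperations;
        }

        @Override
        protected List<String> getDenyRoles(Method method) {
            // Assumption: "*" in the deny list means "deny all callers".
            // Leave these operations out of the allowed-roles map below.
            if (deniedOperations.contains(method.getName())) {
                return Collections.singletonList("*");
            }
            return super.getDenyRoles(method);
        }
    }

    /** Attach operation-level RBAC to a CXF server, endpoint or bus. */
    public static void secure(InterceptorProvider provider) {
        // Roles are a space-separated list, as in the message above.
        Map<String, String> methodRoles = new HashMap<String, String>();
        methodRoles.put("doIt", "user admin"); // either role may call doIt
        methodRoles.put("readIt", "*");        // permit all authenticated callers

        DenyListInterceptor authz =
            new DenyListInterceptor(Collections.singleton("purgeIt"));
        authz.setMethodRolesMap(methodRoles);

        // The interceptor reads the SecurityContext from the message, so the
        // interceptor that establishes it must already be in the chain.
        provider.getInInterceptors().add(authz);
    }

    private RbacSetup() { }
}
```

Call `RbacSetup.secure(...)` on the server factory or endpoint before it is published, after registering whatever interceptor populates the SecurityContext.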
