Ok - not sure if this is a good practice or not, but I have
re-implemented what I was already using.

    <jaxws:properties>
        <entry key="ws-security.validate.token" value="false" />
    </jaxws:properties>
    <jaxws:inInterceptors>
        <ref bean="UsernameTokenAuthenticationInterceptor" />
    </jaxws:inInterceptors>

I have an interceptor UsernameTokenAuthenticationInterceptor which extends
com.vedaadvantage.dp3.manager.spring.security.AbstractUsernameTokenInInterceptor.
This uses the UsernameToken to authenticate via the Spring Security
authentication manager and create a new Spring Security context.

Seems to work, but I guess once I look at SAML / STS, my approach will
no longer work...

On Tue, Feb 14, 2012 at 3:54 PM, Jason Pell <[email protected]> wrote:
> Hi,
>
> When I was using interceptors I utilised the
> ws-security.validate.token to disable validation of the username /
> password. Instead I added a UsernamePasswordAuthentication (extends
> AbstractUsernameTokenInInterceptor) interceptor which utilised a
> spring AuthenticationManager to authenticate the user and create a
> spring SecurityContext.
>
> What is the recommended approach for ws policy? Is the
> CallbackHandler the way to do it, or should I be using a custom UT
> validator?
>
> I have been looking for best practice in this area but have not found
> anything.
>
> I have all my LDAP configuration set up in Spring and all my web
> services are using spring @PreAuthorise, so I want to continue to have
> this functionality.
>
> I am assuming I probably need to use the callback handler, but wanted
> to make sure I was not missing anything.
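
The "custom UT validator" option raised in the thread, sketched as an added example that is not code from either message or from the CXF project: a WSS4J `Validator` that hands the UsernameToken to a Spring `AuthenticationManager` and fails closed. The class name is hypothetical, and the WSS4J 2.x package names (`org.apache.wss4j...`) are an assumption; WSS4J 1.6 uses `org.apache.ws.security...` for the same types.

```java
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.dom.handler.RequestData;
import org.apache.wss4j.dom.message.token.UsernameToken;
import org.apache.wss4j.dom.validate.Credential;
import org.apache.wss4j.dom.validate.Validator;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;

/** Hypothetical class: validates a WS-Security UsernameToken through Spring Security. */
public class SpringSecurityUsernameTokenValidator implements Validator {

    private final AuthenticationManager authenticationManager;

    public SpringSecurityUsernameTokenValidator(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    @Override
    public Credential validate(Credential credential, RequestData data) throws WSSecurityException {
        UsernameToken token = credential == null ? null : credential.getUsernametoken();
        // Fail closed: a missing token, user name or password is never treated as authenticated.
        if (token == null || token.getName() == null || token.getPassword() == null) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
        }
        // A password digest cannot be verified by an LDAP bind, so only plaintext
        // passwords (sent over a protected transport) are accepted here.
        if (token.isHashed()) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
        }
        try {
            Authentication result = authenticationManager.authenticate(
                    new UsernamePasswordAuthenticationToken(token.getName(), token.getPassword()));
            // Fresh context per request so @PreAuthorize sees only this caller's authorities.
            SecurityContext context = SecurityContextHolder.createEmptyContext();
            context.setAuthentication(result);
            SecurityContextHolder.setContext(context);
        } catch (AuthenticationException e) {
            SecurityContextHolder.clearContext();
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION, e);
        }
        return credential;
    }
}
```

CXF picks up a validator like this from the `ws-security.ut.validator` endpoint property. Because `SecurityContextHolder` is thread-local by default, the context also needs clearing when the request finishes so that a pooled thread does not carry one caller's authentication into the next request.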