  • spring-ws and acegisecurity authorization

    Hello,
    I'm working with spring/acegisecurity, and have a prototype app that uses filters to protect certain jsp pages with certain roles. I use jdbc for the authentication/authorities.

    I'm trying to understand how this concept carries over to the web services. I can see in the airline example for the frequent flyer I can get the security context of the logged-in user. Does an authenticationprocessingfilter kick in here? Would I have to look at the roles a logged-in user has and act on them programmatically, or is there a way to employ the xml files to do that as there is in acegisecurity for http?

    Thanks for any help here.
    ... Rich

  • #2
    Originally posted by farrellr
    Hello,
    I'm working with spring/acegisecurity, and have a prototype app that uses filters to protect certain jsp pages with certain roles. I use jdbc for the authentication/authorities.

    I'm trying to understand how this concept carries over to the web services. I can see in the airline example for the frequent flyer I can get the security context of the logged-in user. Does an authenticationprocessingfilter kick in here? Would I have to look at the roles a logged-in user has and act on them programmatically, or is there a way to employ the xml files to do that as there is in acegisecurity for http?
    The Acegi integration is not based on HTTP. Instead, it is using various elements provided in the message, i.e. it is based on WS-Security. It uses the XwsSecurityInterceptor for that. The reference documentation should provide you with some background on both WS-Security and the various parts of it.

    Cheers,



    • #3
      Example

      Does anyone have a step by step example of how to use acegi to secure web services?



      • #4
        No, I know none. It's not that easy that I could explain it in a few sentences.

        But it helps much if you first read the ACEGI documentation. After that you should know how ACEGI works.

        You should also know how spring works in general, because you need proxy beans to protect your service.

        After that, the sample provided by Arjen (airline) will show you how to code and configure the glue between all components.

        Cheers,

        Ingo



        • #5
          In addition to the links Ingo provided, there is a chapter on the security stuff in the Reference documentation.



          • #6
            Continuing with security

            Thanks for the helpful follow-up messages. I continue to work with spring-ws and acegisecurity, and I am making progress. I have been able to inject a security service into my app service, so I can call methods in it to do things like the following, as seen in the airline sample:
            SecurityContext context = SecurityContextHolder.getContext();
            Authentication authentication = context.getAuthentication();

            What isn't clear to me, however, is what the client needs to do to authenticate. In the spring-mvc world I would send the user to a login page to accomplish this, but my app is just the web service; I'm not writing the clients that will use it (although I do want them to authenticate somehow).

            Can you point me to something to clarify the login process when the implementation of the business logic is purely a web service which will require a user already authenticated?
            Many thanks.



            • #7
              Originally posted by farrellr
              What isn't clear to me, however, is what the client needs to do to authenticate. In the spring-mvc world I would send the user to a login page to accomplish this, but my app is just the web service; I'm not writing the clients that will use it (although I do want them to authenticate somehow).
              Basically, the client authenticates by putting an authentication token in the SOAP header. This can be either a username and password (digest), or a certificate.

              Originally posted by farrellr
              Can you point me to something to clarify the login process when the implementation of the business logic is purely a web service which will require a user already authenticated?
              I've found a good tutorial on WS-Security here.

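The header-based authentication described in #7, as an added Python example that is not code from this thread or from Spring-WS: the client builds a WS-Security UsernameToken carrying a PasswordDigest (not the password itself), and the server-side check recomputes the digest from the stored password, enforces a freshness window on Created and refuses a reused Nonce. The user name, password, 5-minute skew and the in-memory nonce set are assumptions; the namespace URIs are the OASIS WSS 1.0 ones.

```python
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"

def password_digest(nonce: bytes, created: str, password: str) -> str:
    # UsernameToken Profile 1.0: Base64(SHA-1(nonce + created + password)); the password never travels.
    return base64.b64encode(hashlib.sha1(nonce + created.encode() + password.encode()).digest()).decode()

def build_username_token(user: str, password: str, nonce: bytes = None, created: str = None) -> str:
    # Client side: the <wsse:Security> header the caller adds to its SOAP envelope (values constructed).
    nonce = nonce or os.urandom(16)
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}"><wsse:UsernameToken>'
        f"<wsse:Username>{user}</wsse:Username>"
        f'<wsse:Password Type="{DIGEST}">{password_digest(nonce, created, password)}</wsse:Password>'
        f"<wsse:Nonce>{base64.b64encode(nonce).decode()}</wsse:Nonce>"
        f"<wsu:Created>{created}</wsu:Created></wsse:UsernameToken></wsse:Security>"
    )

def verify_username_token(header_xml, lookup_password, seen_nonces, now=None, max_skew=timedelta(minutes=5)):
    # Server side: the checks an interceptor makes before it populates the security context.
    tok = ET.fromstring(header_xml).find(f"{{{WSSE}}}UsernameToken")
    if tok is None:
        return False
    user = tok.findtext(f"{{{WSSE}}}Username")
    pw_el = tok.find(f"{{{WSSE}}}Password")
    nonce_b64 = tok.findtext(f"{{{WSSE}}}Nonce")
    created = tok.findtext(f"{{{WSU}}}Created")
    if pw_el is None or pw_el.get("Type") != DIGEST or not (user and nonce_b64 and created):
        return False
    try:
        issued = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        nonce = base64.b64decode(nonce_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError: malformed timestamp or nonce
        return False
    now = now or datetime.now(timezone.utc)
    expected_pw = lookup_password(user)
    if expected_pw is None or abs(now - issued) > max_skew or nonce_b64 in seen_nonces:
        return False  # unknown user, stale token, or nonce already used (replay)
    ok = hmac.compare_digest(password_digest(nonce, created, expected_pw).encode(), (pw_el.text or "").encode())
    if ok:
        seen_nonces.add(nonce_b64)  # remember the nonce for as long as the freshness window lasts
    return ok
```

A real deployment would keep the nonce cache shared across server instances and expire entries after the skew window, and would look the password up from the same JDBC store Acegi already uses.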


              • #8
                thanks again

                Thanks for the help.
                ... Rich



                • #9
                  continuing with security

                  I have read what I can on WS-Security, spring WS and microsoft WSE 3, thanks for pointing me in the right direction.

                  What I now need to do is have a C# client call a spring web service over https to create a security token and for the java web service to return the token to .NET, rather than the client creating the token. The client then could use that token in other calls to java web services for security.

                  I believe I would have to extend the WSE 3 security framework on the client side for this to work since .NET would not be creating the security token directly, but still would want to embed it in the soap security envelope.

                  If I can do this, then I assume that Spring-WS security could operate with security being implied through the xml configuration files rather than programmatically (since it seems that interoperability is possible from MS to Java using WS-Security).

                  Has anyone else gone down this road? Can anyone tell me if the approach I am looking at is fundamentally sound, or if it is flawed?

                  Thanks Again.
                  ... Rich
