Thread: How to secure a Web Service with ACEGI

  1. #1
    Join Date
    Aug 2005
    Location
    Bologna, Italy
    Posts
    79

    How to secure a Web Service with ACEGI

    Our project is not to the point where we have to implement a Web Service, but I think it's a good time to start asking questions. Does Acegi offer something to secure WSes, or is one forced to use the industry standards (does that mean CAS only?). Any real-world examples or links would be really useful. Thanks

  2. #2
    Join Date
    Aug 2004
    Location
    Sydney, Australia
    Posts
    2,768

    Most people secure web services in two ways with Acegi Security:

    1. Protecting the web services endpoint URLs, such as /ws/**, with a ROLE_WEB_SERVICE or similar. This ensures that only authorized principals can invoke the web service. Generally BASIC authentication is used with the web service (as nearly all web services support BASIC authentication out-of-the-box, and indeed implementing a BASIC authentication client from scratch is a very simple exercise).

    2. Protecting individual methods on the service layer that the web services act as a facade to. So, your FooManager.create() method is accessible by the FooManagerHttpInvoker web service. You can elect to have very little security at the web request level (i.e. protecting /ws/FooManagerHttpInvoker**), and instead rely on MethodSecurityInterceptor to protect FooManager.create=ROLE_FOO_CREATION. Any AuthorizationExceptions are therefore transported back to the client, which is more informative than a 403 error (SC_FORBIDDEN).
    Ben Alex
    Project Founder, Spring UAA, Spring Roo and Spring Security
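
The two layers described in the reply above, as an added Spring bean configuration that is not part of the original thread. It assumes Acegi Security 1.0.x class names; the `com.example` package, the realm name and the beans `authenticationManager`, `accessDecisionManager` and `fooManager` are hypothetical and assumed to be defined elsewhere, and the web.xml wiring of the filter chain is omitted.

```xml
<!-- Added example, not from the thread. Assumes Acegi 1.0.x class names; the beans
     authenticationManager, accessDecisionManager and fooManager are defined elsewhere. -->
<beans>
  <!-- Layer 1: BASIC authentication and URL authorization for the endpoints -->
  <bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
    <property name="filterInvocationDefinitionSource">
      <value>
        PATTERN_TYPE_APACHE_ANT
        /ws/**=httpSessionContextIntegrationFilter,basicProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
      </value>
    </property>
  </bean>
  <bean id="httpSessionContextIntegrationFilter"
        class="org.acegisecurity.context.HttpSessionContextIntegrationFilter"/>
  <bean id="basicProcessingFilterEntryPoint"
        class="org.acegisecurity.ui.basicauth.BasicProcessingFilterEntryPoint">
    <property name="realmName" value="Web Services"/> <!-- constructed realm name -->
  </bean>
  <bean id="basicProcessingFilter" class="org.acegisecurity.ui.basicauth.BasicProcessingFilter">
    <property name="authenticationManager" ref="authenticationManager"/>
    <property name="authenticationEntryPoint" ref="basicProcessingFilterEntryPoint"/>
  </bean>
  <bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter">
    <property name="authenticationEntryPoint" ref="basicProcessingFilterEntryPoint"/>
  </bean>
  <bean id="filterInvocationInterceptor"
        class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
    <property name="authenticationManager" ref="authenticationManager"/>
    <property name="accessDecisionManager" ref="accessDecisionManager"/>
    <property name="objectDefinitionSource">
      <value>
        PATTERN_TYPE_APACHE_ANT
        /ws/**=ROLE_WEB_SERVICE
      </value>
    </property>
  </bean>
  <!-- Layer 2: method authorization on the service the endpoint fronts -->
  <bean id="methodSecurityInterceptor"
        class="org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
    <property name="authenticationManager" ref="authenticationManager"/>
    <property name="accessDecisionManager" ref="accessDecisionManager"/>
    <property name="objectDefinitionSource" value="com.example.FooManager.create=ROLE_FOO_CREATION"/>
  </bean>
  <bean class="org.springframework.aop.framework.autoproxy.BeanNameAutoProxyCreator">
    <property name="interceptorNames" value="methodSecurityInterceptor"/>
    <property name="beanNames" value="fooManager"/>
  </bean>
</beans>
```

Because BASIC credentials are only base64-encoded, this setup should be served over HTTPS.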
