
Thread: spring-ws and acegisecurity authorization

  1. #1
    Join Date
    Jun 2006
    Location
    outside boston
    Posts
    108

    Default spring-ws and acegisecurity authorization

    Hello,
    I'm working with spring/acegisecurity, and have a prototype app that uses filters to protect certain jsp pages with certain roles. I use jdbc for the authentication/authorities.

    I'm trying to understand how this concept carries over to the web services. I can see in the airline example for the frequent flyer I can get the security context of the logged in user. Does an authenticationprocessingfilter kick in here? Would I have to look at the roles a logged in user has and act on them programmatically, or is there a way to employ the xml files to do that as there is in acegisecurity for http?

    Thanks for any help here.
    ... Rich

  2. #2
    Join Date
    Jul 2005
    Location
    Rotterdam, the Netherlands
    Posts
    1,562

    Default

    Quote Originally Posted by farrellr
    Hello,
    I'm working with spring/acegisecurity, and have a prototype app that uses filters to protect certain jsp pages with certain roles. I use jdbc for the authentication/authorities.

    I'm trying to understand how this concept carries over to the web services. I can see in the airline example for the frequent flyer I can get the security context of the logged in user. Does an authenticationprocessingfilter kick in here? Would I have to look at the roles a logged in user has and act on them programmatically, or is there a way to employ the xml files to do that as there is in acegisecurity for http?
    The Acegi integration is not based on HTTP. Instead, it is using various elements provided in the message, i.e. it is based on WS-Security. It uses the XwsSecurityInterceptor for that. The reference documentation should provide you with some background on both WS-Security and the various parts of it.

    Cheers,
    Arjen Poutsma

    Spring Web Services Dev Lead
    Please read the FAQ

  3. #3
    Join Date
    Jul 2005
    Posts
    2

    Default Example

    Does anyone have a step by step example of how to use acegi to secure web services?

  4. #4
    Join Date
    Mar 2006
    Location
    Germany, Karlsruhe
    Posts
    157

    Default

    No, I know none. It's not so easy that I could explain it in a few sentences.

    But it helps much if you first read the ACEGI documentation. After that you should know how ACEGI works.

    You should also know how spring works in general, because you need proxy beans to protect your service.

    After that, the sample provided by Arjen (airline) will show you how to code and configure the glue between all components.

    Cheers,

    Ingo

  5. #5
    Join Date
    Jul 2005
    Location
    Rotterdam, the Netherlands
    Posts
    1,562

    Default

    In addition to the links Ingo provided, there is a chapter on the security stuff in the Reference documentation.
    Arjen Poutsma

    Spring Web Services Dev Lead
    Please read the FAQ

  6. #6
    Join Date
    Jun 2006
    Location
    outside boston
    Posts
    108

    Default Continuing with security

    Thanks for the helpful follow-up messages. I continue to work with spring-ws and acegisecurity, and I am making progress. I have been able to inject a security service into my app service, so I can call methods in it to do things like the following, as seen in the airline sample:
    SecurityContext context = SecurityContextHolder.getContext();
    Authentication authentication = context.getAuthentication();

    What isn't clear to me is what the client needs to do to authenticate however. In the spring-mvc world I would send the user to a login page to accomplish this, but my app is just the web service, I'm not writing the clients that will use it (although I do want them to authenticate somehow).

    Can you point me to something to clarify the login process when the implementation of the business logic is purely a webservice which will require a user already authenticated?
    Many thanks.

  7. #7
    Join Date
    Jul 2005
    Location
    Rotterdam, the Netherlands
    Posts
    1,562

    Default

    Quote Originally Posted by farrellr
    What isn't clear to me is what the client needs to do to authenticate however. In the spring-mvc world I would send the user to a login page to accomplish this, but my app is just the web service, I'm not writing the clients that will use it (although I do want them to authenticate somehow).
    Basically, the client authenticates by putting an authentication token in the SOAP header. This can be either a username and password (digest), or a certificate.

    Quote Originally Posted by farrellr
    Can you point me to something to clarify the login process when the implementation of the business logic is purely a webservice which will require a user already authenticated?
    I've found a good tutorial on WS-Security here.
    Arjen Poutsma

    Spring Web Services Dev Lead
    Please read the FAQ
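Arjen's two points above, that the Acegi integration validates a token carried in the SOAP header rather than an HTTP login, and that the token can be a username/password digest, come down to the WS-Security UsernameToken Profile: the client sends Base64(SHA-1(nonce + created + password)) and the service recomputes it. The following stand-alone Java is an added example written for this thread, not code from the Spring-WS, Acegi or airline sample sources; the class and method names are mine, and the password map stands in for the JDBC user store that an XwsSecurityInterceptor callback handler would consult.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Constructed example of the WS-Security UsernameToken "digest" exchange.
 * Not Spring-WS or Acegi code; the user store is a hypothetical Map.
 */
public class UsernameTokenDigestExample {

    /** The four values that travel in the wsse:UsernameToken header. */
    static final class UsernameToken {
        final String username;
        final String nonceB64;          // wsse:Nonce, Base64 of random bytes
        final String created;           // wsu:Created, xs:dateTime in UTC
        final String passwordDigestB64; // wsse:Password of Type PasswordDigest

        UsernameToken(String username, String nonceB64, String created, String passwordDigestB64) {
            this.username = username;
            this.nonceB64 = nonceB64;
            this.created = created;
            this.passwordDigestB64 = passwordDigestB64;
        }
    }

    /** UsernameToken Profile 1.0: Password_Digest = Base64(SHA-1(nonce + created + password)). */
    static String passwordDigest(byte[] nonce, String created, String password) throws Exception {
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update(nonce);
        sha1.update(created.getBytes(StandardCharsets.UTF_8));
        sha1.update(password.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(sha1.digest());
    }

    /** Client side: build the token a WS-Security client puts in the SOAP header. */
    static UsernameToken clientBuildToken(String username, String password, Instant now) throws Exception {
        byte[] nonce = new byte[16];
        new SecureRandom().nextBytes(nonce);
        String created = now.toString(); // e.g. 2006-06-01T12:00:00Z
        return new UsernameToken(username, Base64.getEncoder().encodeToString(nonce),
                created, passwordDigest(nonce, created, password));
    }

    /** Server side: the checks the security interceptor makes before the user reaches Acegi. */
    static final class DigestValidator {
        private final Map<String, String> passwordsByUser;                   // stands in for the JDBC user store
        private final Set<String> seenNonces = ConcurrentHashMap.newKeySet(); // replay cache; expire entries after maxAge in real code
        private final Duration maxAge;

        DigestValidator(Map<String, String> passwordsByUser, Duration maxAge) {
            this.passwordsByUser = passwordsByUser;
            this.maxAge = maxAge;
        }

        boolean validate(UsernameToken t, Instant now) throws Exception {
            String password = passwordsByUser.get(t.username);
            if (password == null) {
                return false; // unknown user
            }
            Instant created;
            byte[] nonce;
            try {
                created = Instant.parse(t.created);
                nonce = Base64.getDecoder().decode(t.nonceB64);
            } catch (RuntimeException e) {
                return false; // malformed timestamp or nonce
            }
            // Reject tokens outside the freshness window (stale replay or clock abuse).
            if (created.isBefore(now.minus(maxAge)) || created.isAfter(now.plus(maxAge))) {
                return false;
            }
            String expected = passwordDigest(nonce, t.created, password);
            // Constant-time comparison of the Base64 digests.
            if (!MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                       t.passwordDigestB64.getBytes(StandardCharsets.UTF_8))) {
                return false; // wrong password or tampered header
            }
            // A nonce is accepted once; a second use inside the window is a replay.
            return seenNonces.add(t.nonceB64);
        }
    }

    public static void main(String[] args) throws Exception {
        Map<String, String> users = Map.of("rich", "s3cret"); // constructed credentials
        DigestValidator validator = new DigestValidator(users, Duration.ofMinutes(5));
        Instant now = Instant.now();
        UsernameToken token = clientBuildToken("rich", "s3cret", now);
        System.out.println("fresh token accepted: " + validator.validate(token, now));
        System.out.println("same token replayed:  " + validator.validate(token, now));
        System.out.println("wrong password:       " + validator.validate(clientBuildToken("rich", "wrong", now), now));
        System.out.println("hour-old token:       " + validator.validate(clientBuildToken("rich", "s3cret", now.minus(Duration.ofHours(1))), now));
    }
}
```

Two things the example makes visible that the thread only implies: the service must be able to recompute the digest, so its user store has to hold the password in a form it can feed to SHA-1, and the digest only proves knowledge of the password, it does not protect the SOAP body, so the transport (HTTPS) still carries the confidentiality and integrity of the message.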

  8. #8
    Join Date
    Jun 2006
    Location
    outside boston
    Posts
    108

    Default thanks again

    Thanks for the help.
    ... Rich

  9. #9
    Join Date
    Jun 2006
    Location
    outside boston
    Posts
    108

    Default continuing with security

    I have read what I can on WS-Security, spring WS and microsoft WSE 3, thanks for pointing me in the right direction.

    What I now need to do is have a C# client call a spring web service over https to create a security token and for the java web service to return the token to .NET, rather than the client creating the token. The client then could use that token in other calls to java web services for security.

    I believe I would have to extend the WSE 3 security framework on the client side for this to work since .NET would not be creating the security token directly, but still would want to embed it in the soap security envelope.

    If I can do this, then I assume that Spring-WS security could operate with security being implied through the xml configuration files rather than programmatically (since it seems that interoperability is possible from MS to Java using WS-Security).

    Has anyone else gone down this road? Can anyone tell me if the approach I am looking at is fundamentally sound, or if it is flawed?

    Thanks Again.
    ... Rich
