问题
I have the following situation: we have several webapplications, all using Spring Security to do authentication/authorization. We want to create a webservice that will be used by all those webapplications. Communication will hapen over https.
I want the security context of the webapp to propagate to the webservice, so that @Secured annotations on methods in the webservice implementation work correctly. I've looked at spring ws security, and have succesfully implemented authentication using the UsernameTokenProfile. But I can't seem to find a standards-based way to transfer the authorization info (ie the roles of the user).
- is there a way in Spring to do authorization in webservices? (SAML,XACML?)
- does Spring even build a SecurityContext when using authentication in webservices? If I debug my code and ask for SecurityContextHolder.getContext() I get null (I'm assuming my request is handled by 1 thread).
回答1:
As Apache CXF is configured through Spring-based configuration file, I would suggest you take a look at its documentation regarding AUTHORIZATION
I think that might help you
来源:https://stackoverflow.com/questions/10294517/propagate-spring-security-from-webapp-to-soap-webservice