We currently have a group of web-services exposing interfaces to a variety of different client types and roles.

Background:

  • The web-service application code is (and will stay) written in a weakly typed dynamic language.

  • Authentication is handled separately; this post is about Authorisation.

  • All operations exposed by the web-services are stateless.

  • The web-services talk both SOAP and REST(JSON).

    I'm definitely not interested in starting a discussion about the merits of either approach.

Question:

I'd like to implement a scheme to declaratively define simultaneously

  1. complex WSDL typing of inputs & outputs for exposed methods, and
  2. required Authorisation TRAITS and/or ROLES to make use of exposed methods.

I'd like to have the declarations either inline with the interface definitions (say as method attributes), or externally defined (say via YAML files), but not managed dynamically in the database.

Does any such implementation already exist for (any) weakly typed dynamic language? Are there wholly external implementations we could build upon?

A: 

If you're using Java, then Spring Security (formerly ACEGI) will let you annotate your methods to require whatever user roles you wish as a condition of execution.

Here's an example:

package com.habuma.expectations.springsecurity.intercept;
import org.springframework.security.annotation.Secured;

public class SecuredObject {
   @Secured( {"ROLE_SECRET_AGENT"} )
   public String getSecuredData() {
      return "Top-Secret Data";
   }
}

Requests by users lacking the role will throw an exception. You're free to choose whatever authentication scheme you wish, and it won't matter if you're using SOAP or REST. It doesn't get much more declarative than annotations. I've used this approach successfully in a number of webservices.

nont
From the OP: "The web-service application code is (and will stay) written in a weakly typed dynamic language."
David Toso
Also from the OP: "Does any such implementation already exist for (any) weakly typed dynamic language? Are there wholly external implementations we could build upon?"
David Toso
Java is a moderately typed, static language.
David Toso
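
The declarative, per-method approach in a dynamically typed language, as an added example that is not part of the answer above or of any existing library: a Python decorator records the required roles and traits as method attributes, and one dispatcher shared by the SOAP and REST front ends enforces them, denying any method that carries no declaration. The names `exposed`, `invoke`, `ReportService` and the principal dictionaries are hypothetical, as is the rule that a caller needs any one listed role and every listed trait; WSDL typing is not covered.

```python
class AccessDenied(Exception):
    """Raised when the caller does not satisfy a method's declaration."""


def exposed(roles=(), traits=()):
    """Declare the authorisation requirements of a web-service method.

    roles:  the caller needs at least one of these (empty = no role needed)
    traits: the caller needs every one of these
    """
    def mark(func):
        func.authz = {"roles": frozenset(roles), "traits": frozenset(traits)}
        return func
    return mark


def invoke(service, method_name, principal, *args, **kwargs):
    """Single entry point for both transports; authorisation is checked here."""
    method = getattr(service, method_name, None)
    policy = getattr(method, "authz", None)
    # Default deny: anything without a declaration is not an exposed operation.
    if policy is None:
        raise AccessDenied(f"{method_name}: not an exposed operation")
    if policy["roles"] and not policy["roles"] & principal["roles"]:
        raise AccessDenied(f"{method_name}: needs one of {sorted(policy['roles'])}")
    missing = policy["traits"] - principal["traits"]
    if missing:
        raise AccessDenied(f"{method_name}: missing traits {sorted(missing)}")
    return method(*args, **kwargs)


class ReportService:
    @exposed(roles=["ROLE_SECRET_AGENT"], traits=["mfa_verified"])
    def get_secured_data(self):
        return "Top-Secret Data"

    @exposed()  # declared, and open to any authenticated caller
    def ping(self):
        return "pong"

    def rebuild_index(self):  # no declaration, so never reachable via invoke()
        return "rebuilt"


# Constructed principals, as the separate authentication layer would supply them.
AGENT = {"roles": frozenset({"ROLE_SECRET_AGENT"}), "traits": frozenset({"mfa_verified"})}
CLERK = {"roles": frozenset({"ROLE_CLERK"}), "traits": frozenset({"mfa_verified"})}
NO_MFA = {"roles": frozenset({"ROLE_SECRET_AGENT"}), "traits": frozenset()}
```
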
A: 

Gah, getting nowhere at all on this topic... re-asking with specifics that I can already predict will confuse matters :-(

David Toso