I am implementing WS-Security using WSS4J and I'm trying to incorporate some support form of authorization.
I have a global handler, defined in the <requestFlow>, which executes before every service. I need to determine, through the Axis MessageContext or otherwise, what class is mapped to the requested service. I want to delegate to the actual service classes to determine whether the given username (from the WSS handler) is authorized to execute a specific web service method.
The individual service classes will eventually negotiate authorization with an authorization service. With that, it is possible to pass the requisite data to the authorization service directly without delegating to the web service classes, but I still need the fully-qualified class name for the service.
It seems, however, that the wss4j handler is executed too early in the lifecycle to have the required information registered in the MessageContext or perhaps I'm just looking in the wrong place.
Or, perhaps there a better way all together?