...

If you pass OAuth2 tokens to SOAP endpoints in the HTTP Authorization header or as a WS-Security binary token, OAuthRequestInterceptor can be used to validate those tokens. It is OAuthRequestFilter running as a CXF interceptor: it works out of the box for tokens passed in the Authorization header and can be extended to support WS-Security binary tokens.

Scope-based access control

OAuthRequestFilter can be configured to perform many of the security checks described above.

Additionally, starting from CXF 3.1.5 it is also possible to control which service methods can be invoked with a new Scopes annotation and OAuthScopesFilter (which needs to be registered alongside OAuthRequestFilter).

For example:

import javax.ws.rs.PUT;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
// Scopes and ConfidentialClient are the CXF OAuth2 annotations described above;
// Calendar is the application's own domain type.

@Path("calendar")
public class CalendarResource {

    @PUT
    @Path("{id}")
    @Scopes("update-calendar")
    @ConfidentialClient
    public void updateCalendar(@PathParam("id") long id, Calendar c) {
        // update the calendar for a user identified by 'id'
    }
}

In this example a client will only be able to invoke the updateCalendar method if its access token contains an "update-calendar" scope and the client is a confidential client. As mentioned earlier, OAuthRequestFilter may be configured with the 'requestScopes' property, but using the Scopes annotation offers more typed and fine-grained access control.
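Registering both filters on a JAX-RS endpoint so that the Scopes annotation is actually enforced, as an added example that is not from the CXF documentation. The OAuthDataProvider implementation (passed in by the caller), the resource bean and the endpoint address are assumptions.

```java
import java.util.Arrays;

import org.apache.cxf.endpoint.Server;
import org.apache.cxf.jaxrs.JAXRSServerFactoryBean;
import org.apache.cxf.rs.security.oauth2.filters.OAuthRequestFilter;
import org.apache.cxf.rs.security.oauth2.filters.OAuthScopesFilter;
import org.apache.cxf.rs.security.oauth2.provider.OAuthDataProvider;

public class ScopedCalendarServer {

    /**
     * Publishes the resource with token validation and scope enforcement.
     * dataProvider: the application's OAuthDataProvider (assumed to exist);
     * resource: the annotated resource bean, e.g. a CalendarResource instance.
     */
    public static Server start(OAuthDataProvider dataProvider, Object resource, String address) {
        // Validates the bearer token on every request and populates the
        // security context with the token's scopes and client details.
        OAuthRequestFilter tokenFilter = new OAuthRequestFilter();
        tokenFilter.setDataProvider(dataProvider);

        // Checks @Scopes / @ConfidentialClient on the matched resource method
        // against the validated token. It relies on OAuthRequestFilter having
        // run, so it is useless (and the annotations silently unenforced) if
        // registered on its own.
        OAuthScopesFilter scopesFilter = new OAuthScopesFilter();

        JAXRSServerFactoryBean sf = new JAXRSServerFactoryBean();
        sf.setAddress(address);            // assumed, e.g. "http://localhost:8080/"
        sf.setServiceBean(resource);
        sf.setProviders(Arrays.asList(tokenFilter, scopesFilter));
        return sf.create();
    }
}
```

A request for PUT /calendar/42 is now rejected unless the token carries the "update-calendar" scope and was issued to a confidential client, independently of any 'requestScopes' configured on OAuthRequestFilter.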

How to get the user login name

...