Return-Path: 
 <issues-return-24965-apmail-cxf-issues-archive=cxf.apache.org@cxf.apache.org>
X-Original-To: apmail-cxf-issues-archive@www.apache.org
Delivered-To: apmail-cxf-issues-archive@www.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id 8C110FB9F
	for <apmail-cxf-issues-archive@www.apache.org>;
 Tue,  2 Apr 2013 07:27:19 +0000 (UTC)
Received: (qmail 49214 invoked by uid 500); 2 Apr 2013 07:27:18 -0000
Delivered-To: apmail-cxf-issues-archive@cxf.apache.org
Received: (qmail 48743 invoked by uid 500); 2 Apr 2013 07:27:18 -0000
Mailing-List: contact issues-help@cxf.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:issues-help@cxf.apache.org>
List-Unsubscribe: <mailto:issues-unsubscribe@cxf.apache.org>
List-Post: <mailto:issues@cxf.apache.org>
List-Id: <issues.cxf.apache.org>
Reply-To: dev@cxf.apache.org
Delivered-To: mailing list issues@cxf.apache.org
Received: (qmail 48075 invoked by uid 99); 2 Apr 2013 07:27:16 -0000
Received: from arcas.apache.org (HELO arcas.apache.org) (140.211.11.28)
    by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 02 Apr 2013 07:27:16 +0000
Date: Tue, 2 Apr 2013 07:27:16 +0000 (UTC)
From: "Sergey Beryozkin (JIRA)" <jira@apache.org>
To: issues@cxf.apache.org
Message-ID: <JIRA.12639779.1364550500963.90488.1364887636750@arcas>
In-Reply-To: <JIRA.12639779.1364550500963@arcas>
References: <JIRA.12639779.1364550500963@arcas>
Subject: [jira] [Commented] (CXF-4934) JAXRSInvoker and Proxy classes
 (Spring Security)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394


    [ https://issues.apache.org/jira/browse/CXF-4934?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13619588#comment-13619588 ] 

Sergey Beryozkin commented on CXF-4934:
---------------------------------------

Hi - I'm actually not sure the invocation handler invokes the right method either. CXF does "method.invoke(object)" and in this case it does not work because the method belongs to the service bean class, not to its proxy. I suspect the handler works because it is smart enough to invoke directly on the service bean - bypassing the AOP layer supporting @Secured - I was not able to confirm because even with "rod:koala" I was getting 403 :-) 
                
> JAXRSInvoker and Proxy classes (Spring Security)
> ------------------------------------------------
>
>                 Key: CXF-4934
>                 URL: https://issues.apache.org/jira/browse/CXF-4934
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS
>    Affects Versions: 2.7.3, 2.8.0
>         Environment: Spring framework ver 3.1.3.RELEASE
>            Reporter: Fran Pregernik
>            Priority: Minor
>              Labels: invoker, newbie, proxy, rest, springsecurity
>         Attachments: web-template.zip
>
>
> Hi,
> I am aware of other tickets regarding the proxy invocation issues.
> During development I noticed an exception popping up:
> IllegalArgumentException: object not instance of class
> I narrowed it down to AbstractInvoker.java:performInvocation(Exchange exchange, Object serviceObject, Method m, Object[] paramArray)
> This kept happening whenever I added a @Secured annotation to a rest method. This annotation caused a Spring Security AOP Proxy to be passed to the default Invoker (JAXRSInvoker.java) instead of the original target class. Which is fine.
> The problem (I think) is in the method performInvocation. The serviceObject parameter is a reference to the Proxy and not the target class causing the line:
> {noformat}
> return m.invoke(serviceObject, paramArray);
> {noformat}
> to fail with the above mentioned error.
> I resolved this by extending JAXRSInvoker and registering it via:
> {noformat}
> <jaxrs:invoker>
>     <bean class="hr.altima.web.security.SpringSecurityInvokerProxy"/>
> </jaxrs:invoker>
> {noformat}
> and overriding the performInvocation method like so:
> {noformat}
> public class SpringSecurityInvokerProxy extends JAXRSInvoker {
>     @Override
>     protected Object performInvocation(Exchange exchange, Object serviceObject, Method m, Object[] paramArray) throws Exception {
>         paramArray = insertExchange(m, paramArray, exchange);
>         if (serviceObject instanceof Proxy) {
>             try {
>                 return Proxy.getInvocationHandler(serviceObject).invoke(serviceObject, m, paramArray);
>             } catch (Throwable throwable) {
>                 throw new Exception("Proxy invocation threw an exception", throwable);
>             }
>         } else {
>             return m.invoke(serviceObject, paramArray);
>         }
>     }
> }
> {noformat}
> My reasoning is that you want to call the proxied method (security check) and not the target method directly but the call through proxies should be done differently.
> I am not saying this is the correct way to invoke proxies but it works for this situation although I prefer this to be built in the CXF lib.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira