cxf-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jostein Gogstad (JIRA)" <>
Subject [jira] [Created] (CXF-6317) Authorization not possible with multiple service beans
Date Tue, 24 Mar 2015 15:36:52 GMT
Jostein Gogstad created CXF-6317:

             Summary: Authorization not possible with multiple service beans
                 Key: CXF-6317
             Project: CXF
          Issue Type: Bug
          Components: JAX-RS Security
            Reporter: Jostein Gogstad

Given a jaxrs:server with more than one serviceBean it is not possible to secure them both.

Take the following configuration (it's in blueprint, but it shouldn't matter):
<blueprint xmlns=""

    <jaxrs:server id="myservice" address="/service">
            <ref component-id="part1AuthorizationInterceptor"/>
            <ref component-id="part2AuthorizationInterceptor"/>
            <ref component-id="part1WebService"/>
            <ref component-id="part2WebService"/>
            <ref component-id="authenticationFilter"/>

    <bean id="part1WebService" class="com.example.Part1WebService"/>

    <bean id="part2WebService" class="com.example.Part2WebService"/>
    <bean id="part1AuthorizationInterceptor" class="">
        <property name="securedObject" ref="part1WebService"/>

    <bean id="part2AuthorizationInterceptor" class="">
        <property name="securedObject" ref="part2WebService"/>


Since {{}} only secures one
object, we need two instances, one for each service bean.

If you walk up {{SecureAnnotationsInterceptor}} constructor chain, you'll end up in [org.apache.cxf.phase.AbstractPhaseInterceptor|]
where the interceptor's {{id}} is set to {{getClass().getName()}}. So now we have two interceptors
with the same id. When the interceptor chain is built in [org.apache.cxf.phase.PhaseInterceptorChain|]
the second interceptor is ignored since it has the same id as the first one.

This message was sent by Atlassian JIRA

View raw message