cxf-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Sergey Beryozkin (JIRA)" <j...@apache.org>
Subject [jira] [Resolved] (CXF-6317) Authorization not possible with multiple service beans
Date Thu, 02 Apr 2015 13:29:58 GMT

     [ https://issues.apache.org/jira/browse/CXF-6317?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Sergey Beryozkin resolved CXF-6317.
-----------------------------------
       Resolution: Fixed
    Fix Version/s: 3.0.5
                   2.7.16
                   3.1.0
         Assignee: Sergey Beryozkin

> Authorization not possible with multiple service beans
> ------------------------------------------------------
>
>                 Key: CXF-6317
>                 URL: https://issues.apache.org/jira/browse/CXF-6317
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS Security
>    Affects Versions: 2.7.15
>            Reporter: Jostein Gogstad
>            Assignee: Sergey Beryozkin
>             Fix For: 3.1.0, 2.7.16, 3.0.5
>
>
> Given a jaxrs:server with more than one serviceBean it is not possible to secure them
both.
> Take the following configuration (it's in blueprint, but it shouldn't matter):
> {code:xml}
> <blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
>            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>            xmlns:jaxrs="http://cxf.apache.org/blueprint/jaxrs"
>            xsi:schemaLocation="http://www.osgi.org/xmlns/blueprint/v1.0.0 http://www.osgi.org/xmlns/blueprint/v1.0.0/blueprint.xsd
>            http://cxf.apache.org/blueprint/jaxrs http://cxf.apache.org/schemas/blueprint/jaxrs.xsd">
>     <jaxrs:server id="myservice" address="/service">
>         <jaxrs:inInterceptors>
>             <ref component-id="part1AuthorizationInterceptor"/>
>             <ref component-id="part2AuthorizationInterceptor"/>
>         </jaxrs:inInterceptors>
>         <jaxrs:serviceBeans>
>             <ref component-id="part1WebService"/>
>             <ref component-id="part2WebService"/>
>         </jaxrs:serviceBeans>
>         <jaxrs:providers>
>             <ref component-id="authenticationFilter"/>
>         </jaxrs:providers>
>     </jaxrs:server>
>     <bean id="part1WebService" class="com.example.Part1WebService"/>
>     <bean id="part2WebService" class="com.example.Part2WebService"/>
>     
>     <bean id="part1AuthorizationInterceptor" class="org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor">
>         <property name="securedObject" ref="part1WebService"/>
>     </bean>
>     <bean id="part2AuthorizationInterceptor" class="org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor">
>         <property name="securedObject" ref="part2WebService"/>
>     </bean>
> </blueprint>
> {code}
> Since {{org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor}} only secures
one object, we need two instances, one for each service bean.
> If you walk up {{SecureAnnotationsInterceptor}} constructor chain, you'll end up in [org.apache.cxf.phase.AbstractPhaseInterceptor|https://github.com/apache/cxf/blob/cxf-2.7.15/api/src/main/java/org/apache/cxf/phase/AbstractPhaseInterceptor.java#L89-L91]
(github link) where the interceptor's {{id}} is set to {{getClass().getName()}}. So now we
have two interceptors with the same id. When the interceptor chain is built in [org.apache.cxf.phase.PhaseInterceptorChain|https://github.com/apache/cxf/blob/cxf-2.7.15/api/src/main/java/org/apache/cxf/phase/PhaseInterceptorChain.java#L589-L596]
the second interceptor is ignored since it has the same id as the first one.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message