cxf-issues mailing list archives

From "Sergey Beryozkin (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CXF-6888) Behaviour is not what we can expect @RolesAllowed
Date Fri, 29 Apr 2016 14:40:12 GMT

    [ https://issues.apache.org/jira/browse/CXF-6888?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15264129#comment-15264129 ]

Sergey Beryozkin commented on CXF-6888:
---------------------------------------

We have a test running against this configuration:

https://github.com/apache/cxf/blob/master/systests/jaxrs/src/test/resources/jaxrs_jaas_security/WEB-INF/beans.xml

I've never tried it with a standalone Jetty though; all we'd need from Jetty is preparing
a principal with the roles set up, and then CXF would enforce the roles restrictions. So I
guess I'd rather configure Jetty to only do JAAS and remove the actual security constraint,
because if it is in then it is enforced before CXF is reached.

If you do prefer to keep it (e.g., to enforce that it is Basic auth) then set roles to a wildcard value
(as recognized by Jetty) so that CXF does the actual roles check...

> Behaviour is not what we can expect @RolesAllowed
> -------------------------------------------------
>
>                 Key: CXF-6888
>                 URL: https://issues.apache.org/jira/browse/CXF-6888
>             Project: CXF
>          Issue Type: Bug
>    Affects Versions: 3.1.5
>            Reporter: Charles Moulliard
>         Attachments: temp-cxf-rolesallowed-issue.zip
>
>
> I have created a CXF JAX-RS unit test using CXF 3.1.5 & Jetty 9 where the
> annotation @RolesAllowed is used together with Basic HTTP Authentication and the HashLoginModule.
> REST Service
> {code}
> import javax.annotation.security.RolesAllowed;
> import javax.ws.rs.GET;
> import javax.ws.rs.Path;
> import javax.ws.rs.PathParam;
>
> @Path("/customerservice/")
> public interface CustomerService {
>     @GET
>     @Path("/customers/{id}/")
>     @RolesAllowed({"user"})   // role check expected to be done by CXF, not Jetty
>     Customer getCustomer(@PathParam("id") String id);
> }
> {code}
> JAXRS Server
> {code}
> import org.apache.cxf.Bus;
> import org.apache.cxf.BusFactory;
> import org.apache.cxf.bus.spring.SpringBusFactory;
> import org.apache.cxf.endpoint.Server;
> import org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor;
> import org.apache.cxf.jaxrs.JAXRSServerFactoryBean;
> import org.apache.cxf.jaxrs.lifecycle.SingletonResourceProvider;
> import org.apache.cxf.jaxrs.validation.ValidationExceptionMapper;
>
> public class BasicAuthCxfRSRoleTest {
>     // Same system property the Spring config resolves via ${testutil.ports.BasicAuthCxfRSRoleTest};
>     // the "9000" fallback is a constructed default
>     private static final String PORT = System.getProperty("testutil.ports.BasicAuthCxfRSRoleTest", "9000");
>
>     static {
>         SpringBusFactory factory = new SpringBusFactory();
>         Bus bus = factory.createBus("org/jboss/fuse/security/basic/config/ServerConfig.xml");
>         BusFactory.setDefaultBus(bus);
>     }
>
>     static Server startServer() {
>         JAXRSServerFactoryBean sf = new JAXRSServerFactoryBean();
>         // Configure the interceptor responsible for scanning the classes and interfaces
>         // in order to detect @RolesAllowed annotations and build a roles map
>         SecureAnnotationsInterceptor sai = new SecureAnnotationsInterceptor();
>         sai.setSecuredObject(new CustomerServiceImpl());
>         sf.getInInterceptors().add(sai);
>         sf.setResourceClasses(CustomerServiceImpl.class);
>         sf.setProvider(new ValidationExceptionMapper());
>         sf.setResourceProvider(CustomerServiceImpl.class,
>                 new SingletonResourceProvider(new CustomerServiceImpl()));
>         sf.setAddress("http://localhost:" + PORT + "/");
>         return sf.create();
>     }
> }
> {code}
> Spring
> {code}
> <beans xmlns="http://www.springframework.org/schema/beans"
>        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>        xmlns:sec="http://cxf.apache.org/configuration/security"
>        xmlns:http="http://cxf.apache.org/transports/http/configuration"
>        xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration"
>        xsi:schemaLocation="http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd
>                            http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd
>                            http://cxf.apache.org/transports/http-jetty/configuration http://cxf.apache.org/schemas/configuration/http-jetty.xsd
>                            http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
>     <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
>     <httpj:engine-factory bus="cxf">
>         <httpj:engine port="${testutil.ports.BasicAuthCxfRSRoleTest}">
>             <httpj:handlers>
>                 <bean class="org.eclipse.jetty.security.ConstraintSecurityHandler">
>                     <property name="loginService" ref="securityLoginService"/>
>                     <property name="constraintMappings">
>                         <list>
>                             <ref bean="securityConstraintMapping"/>
>                         </list>
>                     </property>
>                 </bean>
>             </httpj:handlers>
>         </httpj:engine>
>     </httpj:engine-factory>
>     <bean id="securityLoginService" class="org.eclipse.jetty.security.HashLoginService">
>         <property name="name" value="myrealm"/>
>         <property name="config"
>                   value="src/test/resources/org/jboss/fuse/security/basic/myrealm.props"/>
>     </bean>
>     <bean id="securityConstraint" class="org.eclipse.jetty.util.security.Constraint">
>         <property name="name" value="BASIC"/>
>         <property name="roles" value="user"/>
>         <property name="authenticate" value="true"/>
>     </bean>
>     <bean id="securityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
>         <property name="constraint" ref="securityConstraint"/>
>         <property name="pathSpec" value="/*"/>
>     </bean>
> </beans>
> {code}
> The test passes successfully if I define the roles property for the Jetty Security Constraint
> --> <property name="roles" value="user"/> but it will fail if I remove it, as Jetty will
> return a 403 error with a "!role" message.
> So, what I don't understand is that we have to set the roles property for the Jetty Constraint,
> while in fact we would like the REST @RolesAllowed and SimpleAuthorizingInterceptor
> to check the roles of the user and accept or refuse access to the resource without
> the help of Jetty.
> Questions:
> - Is my config wrong?
> - Can we configure Jetty + Constraint + ConstraintMap without setting Roles?



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
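The following is an added example, not part of the issue report or of the CXF project's own configuration. It places the Jetty constraint bean from the report next to the wildcard variant suggested in the comment above, so that Jetty only authenticates and CXF's SecureAnnotationsInterceptor performs the @RolesAllowed check. It assumes Jetty 9's wildcard role values "**" (Constraint.ANY_AUTH, any authenticated user) and "*" (Constraint.ANY_ROLE); how "*" is interpreted depends on the Jetty release, so "**" is used as the primary value.

```xml
<!-- Added example; not from the issue or the CXF project. Drop-in replacement for the
     "securityConstraint" bean referenced by "securityConstraintMapping" (pathSpec "/*"). -->

<!-- BEFORE (as in the report): Jetty enforces the role itself. A principal that the
     HashLoginService authenticates but that lacks the "user" role is rejected by
     ConstraintSecurityHandler with 403 "!role" before the request reaches CXF, so
     SecureAnnotationsInterceptor never runs and @RolesAllowed is never consulted. -->
<bean id="securityConstraint" class="org.eclipse.jetty.util.security.Constraint">
    <property name="name" value="BASIC"/>
    <property name="roles" value="user"/>
    <property name="authenticate" value="true"/>
</bean>

<!-- AFTER: Jetty still requires Basic authentication (authenticate=true, name=BASIC) but
     admits every authenticated principal. CXF then builds its SecurityContext from the
     servlet request's user principal and isUserInRole(), and SecureAnnotationsInterceptor
     rejects callers outside @RolesAllowed({"user"}) with a 403 raised by CXF, not Jetty. -->
<bean id="securityConstraint" class="org.eclipse.jetty.util.security.Constraint">
    <property name="name" value="BASIC"/>
    <!-- "**" = Constraint.ANY_AUTH: any authenticated user, no Jetty-side role check.
         Assumption: Jetty 9.1 or later; on older 9.x releases use "*" (Constraint.ANY_ROLE),
         whose meaning may instead be "any role declared to the handler". -->
    <property name="roles" value="**"/>
    <property name="authenticate" value="true"/>
</bean>
```

A quick way to tell which layer produced a 403 during testing: a rejection by Jetty's constraint carries the "!role" reason and leaves no trace in CXF's interceptor chain, whereas a rejection by SecureAnnotationsInterceptor happens after CXF has logged the inbound request and is visible to CXF exception mappers and logging features. Keeping authenticate=true on the constraint is what preserves the Basic-auth requirement mentioned in the comment while delegating authorization to the annotations.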