cxf-issues mailing list archives

From "Charles Moulliard (JIRA)" <j...@apache.org>
Subject [jira] [Resolved] (CXF-6888) Behaviour is not what we can expect @RolesAllowed
Date Fri, 29 Apr 2016 16:02:13 GMT

     [ https://issues.apache.org/jira/browse/CXF-6888?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Charles Moulliard resolved CXF-6888.
------------------------------------
    Resolution: Fixed

I have resolved my issue.

The roles which are defined for the Jetty Constraint object refer to which users can access
the path specified. If the role is not assigned to the user, then Jetty will return an
HTTP 403 error with the message "!role".

If the role associated with the user is correct, then Jetty allows access to the resource and
next the interceptor will verify whether the user is authorized or not. If he/she is not authorized,
then CXF will return an access denied error with an HTTP 500 error.

> Behaviour is not what we can expect @RolesAllowed
> -------------------------------------------------
>
>                 Key: CXF-6888
>                 URL: https://issues.apache.org/jira/browse/CXF-6888
>             Project: CXF
>          Issue Type: Bug
>    Affects Versions: 3.1.5
>            Reporter: Charles Moulliard
>         Attachments: temp-cxf-rolesallowed-issue.zip
>
>
> I have created a CXF JAX-RS unit test using version CXF 3.1.5 & Jetty 9 where the @RolesAllowed annotation is used, as well as Basic HTTP Authentication with the HashLoginModule.
> REST Service
> {code}
> import javax.annotation.security.RolesAllowed;
> import javax.ws.rs.GET;
> import javax.ws.rs.Path;
> import javax.ws.rs.PathParam;
>
> @Path("/customerservice/")
> public interface CustomerService {
>     @GET
>     @Path("/customers/{id}/")
>     @RolesAllowed({"user"})   // only callers in the "user" role may invoke this operation
>     Customer getCustomer(@PathParam("id") String id);
> }
> {code}
> JAXRS Server
> {code}
> import org.apache.cxf.Bus;
> import org.apache.cxf.BusFactory;
> import org.apache.cxf.bus.spring.SpringBusFactory;
> import org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor;
> import org.apache.cxf.jaxrs.JAXRSServerFactoryBean;
> import org.apache.cxf.jaxrs.lifecycle.SingletonResourceProvider;
> import org.apache.cxf.jaxrs.validation.ValidationExceptionMapper;
>
> public class BasicAuthCxfRSRoleTest {   // class name assumed from the port property below
>     // Same port as ${testutil.ports.BasicAuthCxfRSRoleTest} in ServerConfig.xml
>     static final String PORT = System.getProperty("testutil.ports.BasicAuthCxfRSRoleTest");
>
>     static {
>         SpringBusFactory factory = new SpringBusFactory();
>         Bus bus = factory.createBus("org/jboss/fuse/security/basic/config/ServerConfig.xml");
>         BusFactory.setDefaultBus(bus);
>     }
>
>     static void startServer() {
>         JAXRSServerFactoryBean sf = new JAXRSServerFactoryBean();
>         // Configure the interceptor responsible for scanning the classes and interfaces
>         // in order to detect the @RolesAllowed annotation and create a roles map
>         SecureAnnotationsInterceptor sai = new SecureAnnotationsInterceptor();
>         sai.setSecuredObject(new CustomerServiceImpl());
>         sf.getInInterceptors().add(sai);
>         sf.setResourceClasses(CustomerServiceImpl.class);
>         sf.setProvider(new ValidationExceptionMapper());
>         sf.setResourceProvider(CustomerServiceImpl.class,
>                 new SingletonResourceProvider(new CustomerServiceImpl()));
>         sf.setAddress("http://localhost:" + PORT + "/");
>         sf.create();   // start the endpoint on the Jetty engine configured in ServerConfig.xml
>     }
> }
> {code}
> Spring
> {code}
> <beans xmlns="http://www.springframework.org/schema/beans"
>        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>        xmlns:sec="http://cxf.apache.org/configuration/security"
>        xmlns:http="http://cxf.apache.org/transports/http/configuration"
>        xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration"
>        xsi:schemaLocation="http://cxf.apache.org/configuration/security
>            http://cxf.apache.org/schemas/configuration/security.xsd
>            http://cxf.apache.org/transports/http/configuration
>            http://cxf.apache.org/schemas/configuration/http-conf.xsd
>            http://cxf.apache.org/transports/http-jetty/configuration
>            http://cxf.apache.org/schemas/configuration/http-jetty.xsd
>            http://www.springframework.org/schema/beans
>            http://www.springframework.org/schema/beans/spring-beans.xsd">
>     <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
>     <httpj:engine-factory bus="cxf">
>         <httpj:engine port="${testutil.ports.BasicAuthCxfRSRoleTest}">
>             <httpj:handlers>
>                 <bean class="org.eclipse.jetty.security.ConstraintSecurityHandler">
>                     <property name="loginService" ref="securityLoginService"/>
>                     <property name="constraintMappings">
>                         <list>
>                             <ref bean="securityConstraintMapping"/>
>                         </list>
>                     </property>
>                 </bean>
>             </httpj:handlers>
>         </httpj:engine>
>     </httpj:engine-factory>
>     <bean id="securityLoginService" class="org.eclipse.jetty.security.HashLoginService">
>         <property name="name" value="myrealm"/>
>         <property name="config"
>                   value="src/test/resources/org/jboss/fuse/security/basic/myrealm.props"/>
>     </bean>
>     <bean id="securityConstraint" class="org.eclipse.jetty.util.security.Constraint">
>         <property name="name" value="BASIC"/>
>         <property name="roles" value="user"/>
>         <property name="authenticate" value="true"/>
>     </bean>
>     <bean id="securityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
>         <property name="constraint" ref="securityConstraint"/>
>         <property name="pathSpec" value="/*"/>
>     </bean>
> </beans>
> {code}
> The test passes successfully if I define the roles property for the Jetty Security Constraint --> <property name="roles" value="user"/>, but it will fail if I remove it, as Jetty will return a 403 error with the "!role" message.
> So, what I don't understand is that we have to set the roles property for the Jetty Constraint, while in fact we would like the REST @RolesAllowed and SimpleAuthorizingInterceptor to check the roles of the user and accept or refuse access to the resource without the help of Jetty.
> Questions:
> - Is my config wrong?
> - Can we configure Jetty + Constraint + ConstraintMap without setting roles?



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
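The two-layer behaviour described in the resolution (Jetty's Constraint is checked first, then CXF's @RolesAllowed) can be set up so that Jetty only authenticates and leaves the role decision to CXF. This is an added example, not code from the issue, CXF or Jetty; it relies on Jetty's "**" pseudo-role (Constraint.ANY_AUTH, any authenticated user, Jetty 9.1+), and the class name, the `install` method and the `realmProps` path are assumptions.

```java
import java.util.Collections;
import java.util.List;
import org.apache.cxf.Bus;
import org.apache.cxf.BusFactory;
import org.apache.cxf.transport.http_jetty.JettyHTTPServerEngine;
import org.apache.cxf.transport.http_jetty.JettyHTTPServerEngineFactory;
import org.eclipse.jetty.security.ConstraintMapping;
import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.security.HashLoginService;
import org.eclipse.jetty.security.authentication.BasicAuthenticator;
import org.eclipse.jetty.server.Handler;
import org.eclipse.jetty.util.security.Constraint;

/** Added example (hypothetical class): Jetty authenticates, CXF's @RolesAllowed authorizes. */
public class AuthenticateOnlyJettySetup {

    static ConstraintSecurityHandler authenticateOnly(String realmProps) {
        Constraint c = new Constraint();
        c.setName(Constraint.__BASIC_AUTH);     // HTTP Basic, as in the report's "BASIC" constraint
        c.setAuthenticate(true);
        // Role decision at the Jetty layer:
        //   {"user"}  -> Jetty also enforces the role (duplicates the @RolesAllowed check)
        //   {}        -> with authenticate=true Jetty forbids everyone: 403 "!role" (the report)
        //   {"**"}    -> Constraint.ANY_AUTH (Jetty 9.1+): any authenticated user passes here,
        //                so only CXF's SecureAnnotationsInterceptor decides on roles
        c.setRoles(new String[] {"**"});

        ConstraintMapping m = new ConstraintMapping();
        m.setConstraint(c);
        m.setPathSpec("/*");

        ConstraintSecurityHandler h = new ConstraintSecurityHandler();
        h.setAuthenticator(new BasicAuthenticator());
        h.setLoginService(new HashLoginService("myrealm", realmProps));   // realmProps is assumed
        h.addConstraintMapping(m);
        return h;
    }

    /** Attach the handler to the CXF Jetty engine on the port the JAX-RS server will use. */
    static void install(int port, String realmProps) throws Exception {
        Bus bus = BusFactory.getDefaultBus();
        JettyHTTPServerEngineFactory f = bus.getExtension(JettyHTTPServerEngineFactory.class);
        JettyHTTPServerEngine engine = f.createJettyHTTPServerEngine(port, "http");
        List<Handler> handlers = Collections.<Handler>singletonList(authenticateOnly(realmProps));
        engine.setHandlers(handlers);
        // Then build the JAXRSServerFactoryBean with SecureAnnotationsInterceptor exactly as in
        // the report, setAddress("http://localhost:" + port + "/") and call sf.create().
    }
}
```

With this split, a wrong password still fails at Jetty (401 from Basic auth), while a valid user lacking the "user" role is rejected by the CXF interceptor rather than by Jetty's 403 "!role".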
