cxf-issues mailing list archives

From "Sergey Beryozkin (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CXF-6888) Behaviour is not what we can expect @RolesAllowed
Date Fri, 29 Apr 2016 16:05:13 GMT

    [ https://issues.apache.org/jira/browse/CXF-6888?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15264252#comment-15264252 ]

Sergey Beryozkin commented on CXF-6888:
---------------------------------------

You can register JAASAuthenticationFilter instead (as jaxrs:provider) and it will report a
proper 403. Or keep the interceptor, as it also works for JAX-WS, but register an ExceptionMapper
converting the exception to 403.

> Behaviour is not what we can expect @RolesAllowed
> -------------------------------------------------
>
>                 Key: CXF-6888
>                 URL: https://issues.apache.org/jira/browse/CXF-6888
>             Project: CXF
>          Issue Type: Bug
>    Affects Versions: 3.1.5
>            Reporter: Charles Moulliard
>         Attachments: temp-cxf-rolesallowed-issue.zip
>
>
> I have created a CXF JAX-RS unit test using CXF 3.1.5 & Jetty 9 where the
> annotation @RolesAllowed is used, as well as Basic HTTP Authentication with the HashLoginModule.
> REST Service
> {code}
> import javax.annotation.security.RolesAllowed;
> import javax.ws.rs.GET;
> import javax.ws.rs.Path;
> import javax.ws.rs.PathParam;
> @Path("/customerservice/")
> public interface CustomerService {
>     @GET
>     @Path("/customers/{id}/")
>     @RolesAllowed({"user"})
>     Customer getCustomer(@PathParam("id") String id);
> }
> {code}
> JAXRS Server
> {code}
> import org.apache.cxf.Bus;
> import org.apache.cxf.BusFactory;
> import org.apache.cxf.bus.spring.SpringBusFactory;
> import org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor;
> import org.apache.cxf.jaxrs.JAXRSServerFactoryBean;
> import org.apache.cxf.jaxrs.lifecycle.SingletonResourceProvider;
> import org.apache.cxf.jaxrs.validation.ValidationExceptionMapper;
>
> public class BasicAuthCxfRSRoleServer { // enclosing class added so the snippet compiles
>     // Same port property the Spring config below reads
>     static final String PORT = System.getProperty("testutil.ports.BasicAuthCxfRSRoleTest");
>
>     static {
>         SpringBusFactory factory = new SpringBusFactory();
>         Bus bus = factory.createBus("org/jboss/fuse/security/basic/config/ServerConfig.xml");
>         BusFactory.setDefaultBus(bus);
>     }
>
>     public static void main(String[] args) {
>         JAXRSServerFactoryBean sf = new JAXRSServerFactoryBean();
>         // Configure the Interceptor responsible to scan the Classes, Interface in order to detect @RolesAllowed Annotation
>         // and creating a RolesMap
>         SecureAnnotationsInterceptor sai = new SecureAnnotationsInterceptor();
>         sai.setSecuredObject(new CustomerServiceImpl());
>         sf.getInInterceptors().add(sai);
>         sf.setResourceClasses(CustomerServiceImpl.class);
>         sf.setProvider(new ValidationExceptionMapper());
>         sf.setResourceProvider(CustomerServiceImpl.class,
>                 new SingletonResourceProvider(new CustomerServiceImpl()));
>         sf.setAddress("http://localhost:" + PORT + "/");
>         sf.create(); // starts the endpoint on the bus configured above
>     }
> }
> {code}
> Spring
> {code}
> <beans xmlns="http://www.springframework.org/schema/beans"
>        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>        xmlns:sec="http://cxf.apache.org/configuration/security"
>        xmlns:http="http://cxf.apache.org/transports/http/configuration"
>        xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration"
>        xsi:schemaLocation="http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd
>                            http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd
>                            http://cxf.apache.org/transports/http-jetty/configuration http://cxf.apache.org/schemas/configuration/http-jetty.xsd
>                            http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
>     <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
>     <httpj:engine-factory bus="cxf">
>         <httpj:engine port="${testutil.ports.BasicAuthCxfRSRoleTest}">
>             <httpj:handlers>
>                 <bean class="org.eclipse.jetty.security.ConstraintSecurityHandler">
>                     <property name="loginService" ref="securityLoginService"/>
>                     <property name="constraintMappings">
>                         <list>
>                             <ref bean="securityConstraintMapping"/>
>                         </list>
>                     </property>
>                 </bean>
>             </httpj:handlers>
>         </httpj:engine>
>     </httpj:engine-factory>
>     <bean id="securityLoginService" class="org.eclipse.jetty.security.HashLoginService">
>         <property name="name" value="myrealm"/>
>         <property name="config"
>                   value="src/test/resources/org/jboss/fuse/security/basic/myrealm.props"/>
>     </bean>
>     <bean id="securityConstraint" class="org.eclipse.jetty.util.security.Constraint">
>         <property name="name" value="BASIC"/>
>         <property name="roles" value="user"/>
>         <property name="authenticate" value="true"/>
>     </bean>
>     <bean id="securityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
>         <property name="constraint" ref="securityConstraint"/>
>         <property name="pathSpec" value="/*"/>
>     </bean>
> </beans>
> {code}
> The test passes successfully if I define the roles property for the Jetty Security Constraint
> --> <property name="roles" value="user"/> but will fail if I remove it, as Jetty will
> return a 403 error with "!role" message.
> So, what I don't understand is that we have to set the roles property for the Jetty Constraint
> while in fact we would like that the REST @RolesAllowed and SimpleAuthorizingInterceptor
> will check the roles of the user and accept or refuse access to the resource without
> the help of Jetty.
> Questions:
> - Is my config wrong?
> - Can we configure Jetty + Constraint + ConstraintMap without setting Roles?



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
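The second option in Sergey's comment above (keep SecureAnnotationsInterceptor, register an ExceptionMapper that turns its exception into a 403), written out as an added Java example. This is not code from the issue, its attachment, or CXF itself. It assumes the reporter's CustomerServiceImpl class and port property; the class name AccessDeniedExceptionMapper and the method name configure are mine. The exception type it maps, org.apache.cxf.interceptor.security.AccessDeniedException, is what CXF's authorizing interceptors throw when the caller's roles do not satisfy @RolesAllowed.

```java
import java.util.Arrays;

import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.ExceptionMapper;
import javax.ws.rs.ext.Provider;

import org.apache.cxf.interceptor.security.AccessDeniedException;
import org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor;
import org.apache.cxf.jaxrs.JAXRSServerFactoryBean;
import org.apache.cxf.jaxrs.lifecycle.SingletonResourceProvider;
import org.apache.cxf.jaxrs.validation.ValidationExceptionMapper;

/**
 * Added example (not part of the JIRA issue): maps the AccessDeniedException
 * thrown by SecureAnnotationsInterceptor / SimpleAuthorizingInterceptor to a
 * plain 403 Forbidden instead of the default fault handling.
 */
@Provider
public class AccessDeniedExceptionMapper implements ExceptionMapper<AccessDeniedException> {

    @Override
    public Response toResponse(AccessDeniedException ex) {
        // Keep the body generic: do not echo the interceptor's message or the
        // role that was required, which would let a caller enumerate roles.
        return Response.status(Response.Status.FORBIDDEN)
                .type(MediaType.TEXT_PLAIN)
                .entity("Forbidden")
                .build();
    }

    /**
     * Server wiring equivalent to the reporter's, with this mapper registered
     * next to the ValidationExceptionMapper the reporter already uses.
     * customerService is the reporter's CustomerServiceImpl instance (assumed to exist).
     */
    public static JAXRSServerFactoryBean configure(String port, Object customerService) {
        JAXRSServerFactoryBean sf = new JAXRSServerFactoryBean();

        // Authorization: scans @RolesAllowed on the secured object and checks the
        // caller's roles from the SecurityContext that the transport (here Jetty
        // Basic auth) populated.
        SecureAnnotationsInterceptor sai = new SecureAnnotationsInterceptor();
        sai.setSecuredObject(customerService);
        sf.getInInterceptors().add(sai);

        sf.setResourceClasses(customerService.getClass());
        sf.setResourceProvider(customerService.getClass(),
                new SingletonResourceProvider(customerService));

        // Register both mappers: the existing validation one and the new 403 one.
        sf.setProviders(Arrays.asList(new ValidationExceptionMapper(),
                                      new AccessDeniedExceptionMapper()));

        sf.setAddress("http://localhost:" + port + "/");
        return sf;
    }

    /** Stand-alone check of the mapping itself (CXF supplies the JAX-RS RuntimeDelegate). */
    public static void main(String[] args) {
        Response r = new AccessDeniedExceptionMapper()
                .toResponse(new AccessDeniedException("Unauthorized"));
        System.out.println("mapped status: " + r.getStatus()); // 403
    }
}
```

The mapper only changes what CXF answers once a request has reached the interceptor and been denied. It does not alter Jetty's own constraint check, which in the reporter's setup rejects with "!role" before CXF runs whenever the Jetty Constraint has no roles, so the Jetty side still has to let the authenticated user through for the @RolesAllowed decision to be CXF's.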
