Return-Path: X-Original-To: apmail-cxf-issues-archive@www.apache.org Delivered-To: apmail-cxf-issues-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 7306719186 for ; Fri, 29 Apr 2016 14:40:13 +0000 (UTC) Received: (qmail 14901 invoked by uid 500); 29 Apr 2016 14:40:13 -0000 Delivered-To: apmail-cxf-issues-archive@cxf.apache.org Received: (qmail 14868 invoked by uid 500); 29 Apr 2016 14:40:13 -0000 Mailing-List: contact issues-help@cxf.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cxf.apache.org Delivered-To: mailing list issues@cxf.apache.org Received: (qmail 14700 invoked by uid 99); 29 Apr 2016 14:40:13 -0000 Received: from arcas.apache.org (HELO arcas) (140.211.11.28) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 29 Apr 2016 14:40:13 +0000 Received: from arcas.apache.org (localhost [127.0.0.1]) by arcas (Postfix) with ESMTP id F22DC2C1F54 for ; Fri, 29 Apr 2016 14:40:12 +0000 (UTC) Date: Fri, 29 Apr 2016 14:40:12 +0000 (UTC) From: "Sergey Beryozkin (JIRA)" To: issues@cxf.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Commented] (CXF-6888) Behaviour is not what we can expect @RolesAllowed MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 [ https://issues.apache.org/jira/browse/CXF-6888?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15264129#comment-15264129 ] Sergey Beryozkin commented on CXF-6888: --------------------------------------- We have a test running against this configuration: https://github.com/apache/cxf/blob/master/systests/jaxrs/src/test/resources/jaxrs_jaas_security/WEB-INF/beans.xml I've never tried it with a standalone Jetty though, all we'd need from Jetty is preparing a principal with the roles set up and then CXF would enforce the roles restrictions. So I guess I'd rather need to configure Jetty only do JAAS and remove an actual security constraint because if it is in then it is enforced before CXF is reached. If you do prefer to keep (ex, enforce it is Basic auth) then set roles to a wildcard value (as recognized by Jetty) so that CXF does the actual roles check... > Behaviour is not what we can expect @RolesAllowed > ------------------------------------------------- > > Key: CXF-6888 > URL: https://issues.apache.org/jira/browse/CXF-6888 > Project: CXF > Issue Type: Bug > Affects Versions: 3.1.5 > Reporter: Charles Moulliard > Attachments: temp-cxf-rolesallowed-issue.zip > > > I have created a CXF JAX RS Unit test using version CXF 3.1.5 & Jetty 9 where the Annotation @RolesAllowed is used like also Basic HTTP Authentication with the HashLoginModule > REST Service > {code} > @Path("/customerservice/") > public interface CustomerService { > @GET > @Path("/customers/{id}/") > @RolesAllowed({"user"}) > Customer getCustomer(@PathParam("id") String id); > {code} > JAXRS Server > {code} > static { > SpringBusFactory factory = new SpringBusFactory(); > Bus bus = factory.createBus("org/jboss/fuse/security/basic/config/ServerConfig.xml"); > BusFactory.setDefaultBus(bus); > } > JAXRSServerFactoryBean sf = new JAXRSServerFactoryBean(); > // Configure the Interceptor responsible to scan the Classes, Interface in order to detect @RolesAllowed Annotation > // and creating a RolesMap > SecureAnnotationsInterceptor sai = new SecureAnnotationsInterceptor(); > sai.setSecuredObject(new CustomerServiceImpl()); > sf.getInInterceptors().add(sai); > sf.setResourceClasses(CustomerServiceImpl.class); > sf.setProvider(new ValidationExceptionMapper()); > sf.setResourceProvider(CustomerServiceImpl.class, > new SingletonResourceProvider(new CustomerServiceImpl())); > sf.setAddress("http://localhost:" + PORT + "/"); > {code} > Spring > {code} > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" > xmlns:sec="http://cxf.apache.org/configuration/security" > xmlns:http="http://cxf.apache.org/transports/http/configuration" > xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration" > xsi:schemaLocation=" http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd http://cxf.apache.org/transports/http-jetty/configuration http://cxf.apache.org/schemas/configuration/http-jetty.xsd http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd"> > > > > > > > > > > > > > > > > > > value="src/test/resources/org/jboss/fuse/security/basic/myrealm.props"/> > > > > > > > > > > > > {code} > The test passes successfully if I define the roles property for the Jetty Security Constraint --> but will fail if I remove it as Jetty will return a 403 error with "!role" message > So, what I don't understand is that we have to set the roles property for the Jetty Contraint while in fact we would like that the REST @RolesAllowed and SimpleAuthorizingInterceptor > will check the roles of the user and accept or refuse to access the resource without the help of Jetty > Questions : > - Is my config wrong ? > - Can we configure Jetty + Constraint + ConstraintMap without setting Roles ? -- This message was sent by Atlassian JIRA (v6.3.4#6332)