cxf-users mailing list archives

From Andreas Veithen <andreas.veit...@gmail.com>
Subject Re: Is it possible to integrate CXF JAX-RS with Spring Security 2.0.5 ?
Date Wed, 17 Feb 2010 12:26:51 GMT

On Wed, Feb 17, 2010 at 05:47, johnrock <johnpiser@yahoo.com> wrote:
>
>
> Sergey Beryozkin-2 wrote:
>>
>> Hi
>>
>> 'Injectable' is a custom interface used by the test and its only purpose
>> is to ensure a JAXRS context instance (SecurityContext in
>> this case) is injected properly, given that the actual resource class
>> (SecureBookStore) is proxified by Spring. For cases like this
>> one, having a custom utility interface like Injectable IMHO is better than
>> adding methods like setSecurityContext on the application
>> interfaces like SecureBookInterface.
>>
>> cheers, Sergey
>>
>
> Thanks again for your help. I am still not able to get an authenticated user
> to pass through a secured method on my webservice. Spring Security is
> securing the method, but will not allow a user to enter that method even if
> the user is currently logged in with the correct ROLES.
>
> My implementation seems pretty close to the Test example, however, my
> 'beans.xml' is much simpler and  my spring security context is different. I
> am posting the cxf config, spring security config and my service bean
> interface in hopes that maybe something that I am doing wrong will jump out
> at you !

I think the best approach to solve this is to increase the log level
for Spring Security and try to understand where the access is denied.

> PS: I am passing the Context in to my method as a parameter thinking that is
> necessary since Spring creates singleton beans and I need a context per
> request. Is that correct?

Note that there are actually three classes called "SecurityContext":
javax.ws.rs.core.SecurityContext,
org.apache.cxf.security.SecurityContext and
org.springframework.security.context.SecurityContext. Assuming that
your code refers to javax.ws.rs.core.SecurityContext, this will
definitely not work (out of the box), because CXF knows nothing about
Spring Security and so would be unable to build a
javax.ws.rs.core.SecurityContext instance.

Some time ago I wrote a component [1] that translates a
org.springframework.security.context.SecurityContext into a
org.apache.cxf.security.SecurityContext. The JAX-RS front-end will
then translate this into a javax.ws.rs.core.SecurityContext and inject
this object if required. However, the interceptor assumes that the
org.springframework.security.context.SecurityContext object is stored
in the current Exchange. Thus, one would have to implement another
interceptor to retrieve the context from Spring and add it to the
current Exchange. With this, CXF should integrate nicely with Spring
Security.

Another option is to use a Spring specific API, namely
SecurityContextHolder. Note that this does NOT use the singleton
pattern, but a thread local, so that you have a different context per
request.

[1] Look for <ssec:cxf-security-context-provider-interceptor> in
http://code.google.com/p/cxf-spring-security/wiki/Documentation


>
> cxf.xml
>
>
> <?xml version="1.0" encoding="UTF-8"?>
> <beans xmlns="http://www.springframework.org/schema/beans"
>       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>       xmlns:jaxrs="http://cxf.apache.org/jaxrs"
>       xmlns:cxf="http://cxf.apache.org/core"
>       xsi:schemaLocation="http://www.springframework.org/schema/beans
>            http://www.springframework.org/schema/beans/spring-beans.xsd
>            http://cxf.apache.org/jaxrs
>            http://cxf.apache.org/schemas/jaxrs.xsd
> http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd">
>
>
>    <import resource="classpath:META-INF/cxf/cxf.xml"/>
>    <import
> resource="classpath:META-INF/cxf/cxf-extension-jaxrs-binding.xml"/>
>    <import resource="classpath:META-INF/cxf/cxf-servlet.xml"/>
>
>
>    <!-- The service bean -->
>    <bean id="gatewayService" class="com.mg.webservice.GatewayServiceImpl">
>        <property name="userDao" ref="userDao" />
>         <property name="payloadService" ref="payloadService" />
>    </bean>
>
>    <jaxrs:server id="cxfgateway" address="/cxfgatewayaddress">
>        <jaxrs:serviceBeans>
>            <ref bean="gatewayService"/>
>        </jaxrs:serviceBeans>
>    </jaxrs:server>
> </beans>
>
>
> security.xml
>
>
> <beans:beans xmlns="http://www.springframework.org/schema/security"
>  xmlns:beans="http://www.springframework.org/schema/beans"
>  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>  xsi:schemaLocation="http://www.springframework.org/schema/beans
>                                http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
>                                http://www.springframework.org/schema/security
> http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">
>
>
>    <global-method-security secured-annotations="enabled"
> access-decision-manager-ref="accessDecisionManager" />
>
>    <http  auto-config="false"
>        access-decision-manager-ref="accessDecisionManager"
>        access-denied-page="/accessDenied.html"
>        entry-point-ref="authenticationProcessingFilterEntryPoint"
>        lowercase-comparisons="true"
>        session-fixation-protection="migrateSession">
>
>
>        <intercept-url pattern="/favicon.ico" filters="none"/>
>    <intercept-url pattern="/css/*.css" filters="none"/>
>        <intercept-url pattern="/audio/*.*" filters="none"/>
>        <intercept-url pattern="/images/*.*" filters="none"/>
>        <intercept-url pattern="/images/*/*.*" filters="none"/>
>        <intercept-url pattern="/js/*.js" filters="none"/>
>
>    ....
>
>        <intercept-url pattern="/**" access="ROLE_USER,ROLE_ADMIN" />
>
>        <logout logout-success-url="/notLoggedIn.htm" logout-url="/mglogout" />
>        <anonymous username="guest" granted-authority="ROLE_GUEST" />
>        <concurrent-session-control max-sessions="1" />
>    </http>
>
>
>    <authentication-manager alias="authenticationManager"/>
>
>    <authentication-provider  user-service-ref="userDao">
>        <password-encoder ref="passwordEncoder" >
>                <salt-source user-property="getId"/>
>        </password-encoder>
>    </authentication-provider>
>
>    <beans:bean id="passwordEncoder"
> class="org.springframework.security.providers.encoding.Md5PasswordEncoder">
>     </beans:bean>
>
>     <beans:bean id="saltSource"
> class="org.springframework.security.providers.dao.salt.ReflectionSaltSource">
>            <beans:property name="userPropertyToUse" value="getId"/>
>        </beans:bean>
>
>
>
> <beans:bean id="authenticationProcessingFilter"
>     class="com.mg.security.mgAuthenticationProcessingFilter">
>     <custom-filter position="AUTHENTICATION_PROCESSING_FILTER" />
>     <beans:property name="filterProcessesUrl" value="/mglogin" />
>     <beans:property name="defaultTargetUrl" value="/loggedIn.htm" />
>     <beans:property name="alwaysUseDefaultTargetUrl" value="true" />
>     <beans:property name="authenticationFailureUrl" value="/loginfailure.htm" />
>     <beans:property name="authenticationManager" ref="authenticationManager" />
>     <beans:property name="userSessionDao" ref="userSessionDao" />
>     <beans:property name="notificationService" ref="notificationService" />
> </beans:bean>
>
> <beans:bean id="authenticationProcessingFilterEntryPoint"
> class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
>                <beans:property name="loginFormUrl" value="/login.htm" />
>                <beans:property name="forceHttps" value="false" />
> </beans:bean>
>
>
>    <beans:bean id="accessDecisionManager"
>        class="org.springframework.security.vote.AffirmativeBased">
>        <beans:property name="decisionVoters">
>            <beans:list>
>                <beans:bean
> class="org.springframework.security.vote.RoleVoter" />
>                <beans:bean
> class="org.springframework.security.vote.AuthenticatedVoter" />
>            </beans:list>
>        </beans:property>
>    </beans:bean>
> </beans:beans>
>
>
> Service Interface:
>
>
> @Path("/enter")
> @Produces("application/XML")
> public interface GatewayService {
>
>    @GET
>    @Path("/recentQuestions/{firstResult}")
>    public List<Question> getRecentQuestions(@PathParam("firstResult") int
> firstResult);
>
>    @GET
>    @Path("/convo/{nId}/{qId}")
>    public ActiveDisplay readConversation (@PathParam("nId")Long nId,
> @PathParam("qId")Long qId);
>
>
>    @GET
>    @Path("/payload")
>    @Secured({"ROLE_USER","ROLE_ADMIN"})
>    public Response makePayload(@Context SecurityContext securityContext,
> @Context Request request, @Context HttpServletRequest httpServletRequest);
>
> }
>
> --
> View this message in context: http://old.nabble.com/Is-it-possible-to-integrate-CXF-JAX-RS-with-Spring-Security-2.0.5---tp27587340p27619097.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>
>
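
The bridge described in the reply above, as an added example that is not part of the original message and is not the cxf-spring-security component's code: a CXF in-interceptor that reads the Spring Security 2.0.x context from the thread-local SecurityContextHolder and exposes it as an org.apache.cxf.security.SecurityContext on the message, which the JAX-RS front-end then maps to javax.ws.rs.core.SecurityContext. The class name and the choice of Phase.RECEIVE are assumptions, as is the deployment detail that the Spring Security filter chain runs ahead of the CXF servlet.

```java
import java.security.Principal;

import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.security.SecurityContext;
import org.springframework.security.Authentication;
import org.springframework.security.GrantedAuthority;
import org.springframework.security.context.SecurityContextHolder;

// Hypothetical class name; not part of CXF or of cxf-spring-security.
public class SpringSecurityContextInInterceptor extends AbstractPhaseInterceptor<Message> {

    public SpringSecurityContextInInterceptor() {
        // Assumption: RECEIVE, the first inbound phase, so the context is on the
        // message before the JAX-RS front-end resolves @Context parameters.
        super(Phase.RECEIVE);
    }

    public void handleMessage(Message message) throws Fault {
        // Thread-local lookup: populated by the Spring Security filter chain for
        // this request's thread, so it is per request even with singleton beans.
        final Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()) {
            return; // leave the message untouched: no principal, no roles
        }
        message.put(SecurityContext.class, new SecurityContext() {
            public Principal getUserPrincipal() {
                return auth; // Authentication extends java.security.Principal
            }

            public boolean isUserInRole(String role) {
                GrantedAuthority[] granted = auth.getAuthorities(); // an array in 2.0.x
                if (granted == null) {
                    return false;
                }
                for (GrantedAuthority ga : granted) {
                    if (ga.getAuthority().equals(role)) {
                        return true;
                    }
                }
                return false;
            }
        });
    }
}
```

The interceptor would be registered under `<jaxrs:inInterceptors>` of the `<jaxrs:server>` element. With the `<anonymous>` element from the quoted security.xml, an unauthenticated request still carries an Authentication holding ROLE_GUEST, so resource code should test for the specific role with isUserInRole rather than for a non-null principal.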
