cxf-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Nikhil Kakade <>
Subject @Scopes annotation not working for method
Date Fri, 13 Jan 2017 05:33:07 GMT

I am using Apache cxf OAuth2 for securing my jax-rs APIs. I am using cxf
3.1.5 version. As per described in documentation here

starting from Apache cxf 3.1.5 @Scopes can be used for more fined-grained
scope handling. I am successfully able to generate access token for
specific approved scope. when I try to access my API by using this token,
ideally it should not allow me to access API since it has different access
scope mentioned in @Scopes annotation. But its allowing me to access this

This is my API:

exportSheets(@QueryParam("userId") Integer userId);

This is access token which I am using to access this API

    "tokenKey": "f2154782f82947318d1fc363e4309fa6",
    "tokenType": "Bearer",
    "expiresIn": 3600,
    "issuedAt": -1,
    "parameters": {},
    "approvedScope": "read"

As you can see, token contains approvedScope as read where API has
testScope1. Even if this scopes are not matching, it's allowing me to
access my API.

This is test configuration I have done for creating server endpoint.

@Bean@DependsOn("cxf")public Server ornateTestAPIs(){
    JAXRSServerFactoryBean factory=jaxRSServerFactory();


    factory.setProviders(Arrays.asList(jsonProvider(), new
VcAPIExceptionMapper(), oauthRequestFilter(), oauthScopesFilter());
    factory.setFeatures(Arrays.asList(swaggerFeature(), timingFeature));
            Arrays.<Interceptor<? extends Message>>asList(new
            Arrays.<Interceptor<? extends Message>>asList(new
    return factory.create();}
public OAuthRequestFilter oauthRequestFilter(){
    OAuthRequestFilter requestFilter=new OAuthRequestFilter();
    return requestFilter;}public OAuthScopesFilter oauthScopesFilter(){
    return new OAuthScopesFilter();}

As you can see, I have added OAuthScopeFilter and OAuthRequestFilter in
providers. This is my pom


Best regards,
Nikhil Kakade

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message