cxf-users mailing list archives

From Nikhil Kakade <nik...@velvetcase.com>
Subject @Scopes annotation not working for method
Date Fri, 13 Jan 2017 05:33:07 GMT
Hi,

I am using Apache CXF OAuth2 for securing my JAX-RS APIs. I am using CXF
version 3.1.5. As described in the documentation here
<http://cxf.apache.org/docs/jax-rs-oauth2.html>

starting from Apache CXF 3.1.5, @Scopes can be used for more fine-grained
scope handling. I am successfully able to generate an access token for a
specific approved scope. When I try to access my API by using this token,
ideally it should not allow me to access the API, since it has a different
access scope mentioned in the @Scopes annotation. But it's allowing me to
access this API.

This is my API:

@GET
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
@Path("/exportSheets")
@Scopes("testScope1")
@ConfidentialClient
String exportSheets(@QueryParam("userId") Integer userId);

This is the access token which I am using to access this API:

    {
    "tokenKey": "f2154782f82947318d1fc363e4309fa6",
    "tokenType": "Bearer",
    "expiresIn": 3600,
    "issuedAt": -1,
    "parameters": {},
    "approvedScope": "read"
    }

As you can see, the token contains approvedScope "read" whereas the API has
"testScope1". Even though these scopes do not match, it's allowing me to
access my API.

This is the test configuration I have done for creating the server endpoint:

@Bean
@DependsOn("cxf")
public Server ornateTestAPIs() {
    JAXRSServerFactoryBean factory = jaxRSServerFactory();

    factory.setAddress("/test");

    factory.setServiceBeans(Arrays.asList(testApis));
    factory.setProviders(Arrays.asList(jsonProvider(), new VcAPIExceptionMapper(),
            oauthRequestFilter(), oauthScopesFilter()));
    factory.setFeatures(Arrays.asList(swaggerFeature(), timingFeature));
    factory.setInInterceptors(
            Arrays.<Interceptor<? extends Message>>asList(new JAXRSBeanValidationInInterceptor()));
    factory.setOutInterceptors(
            Arrays.<Interceptor<? extends Message>>asList(new JAXRSBeanValidationOutInterceptor()));
    return factory.create();
}

public OAuthRequestFilter oauthRequestFilter() {
    OAuthRequestFilter requestFilter = new OAuthRequestFilter();
    requestFilter.setDataProvider(oAuthDataProviderImpl());
    return requestFilter;
}

public OAuthScopesFilter oauthScopesFilter() {
    return new OAuthScopesFilter();
}

As you can see, I have added OAuthScopesFilter and OAuthRequestFilter to the
providers. This is my pom:

<dependency>
    <groupId>org.apache.cxf</groupId>
    <artifactId>cxf-rt-rs-security-oauth2</artifactId>
    <version>3.1.9</version>
</dependency>
<dependency>
    <groupId>org.apache.cxf</groupId>
    <artifactId>cxf-rt-rs-security-cors</artifactId>
    <version>3.1.9</version>
</dependency>
<dependency>
    <groupId>org.apache.cxf</groupId>
    <artifactId>cxf-rt-frontend-jaxrs</artifactId>
    <version>3.1.5</version>
</dependency>
<dependency>
    <groupId>org.apache.cxf</groupId>
    <artifactId>cxf-rt-rs-service-description</artifactId>
    <version>3.1.5</version>
</dependency>


-- 
Best regards,
Nikhil Kakade
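As an added illustration, not code from the post and not CXF's own OAuthScopesFilter, the following plain JAX-RS 2.0 ContainerRequestFilter shows the behaviour the poster expects from method-level scope enforcement: it reads the required scopes from the matched resource method, compares them with the scopes approved on the bearer token, and aborts the request with 403 when they do not match. It fails closed, so a request with no scope information (or an empty grant) is also rejected. The RequiredScopes annotation, the ScopedToken holder and the request-property name used to hand the token from the authentication filter to this one are all assumptions made for the example.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.ResourceInfo;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

/** Hypothetical stand-in for CXF's @Scopes: the scopes a resource method requires. */
@Target(ElementType.METHOD)
@Retention(RetentionPolicy.RUNTIME)
@interface RequiredScopes {
    String[] value();
}

/** Hypothetical holder for the validated token's approved scopes (the "approvedScope" field). */
final class ScopedToken {
    // Request property under which the authentication filter stores the token (assumption).
    static final String PROPERTY = "example.scopedToken";
    final Set<String> approvedScopes;

    ScopedToken(String spaceSeparatedScopes) {
        this.approvedScopes = parseScopes(spaceSeparatedScopes);
    }

    /** Splits an OAuth2 space-separated scope string; null or blank yields no scopes. */
    static Set<String> parseScopes(String scopes) {
        if (scopes == null || scopes.trim().isEmpty()) {
            return Collections.emptySet();
        }
        return new HashSet<>(Arrays.asList(scopes.trim().split("\\s+")));
    }
}

@Provider
@Priority(Priorities.AUTHORIZATION) // runs after the AUTHENTICATION-priority token filter
public class ScopeEnforcementFilter implements ContainerRequestFilter {

    @Context
    private ResourceInfo resourceInfo; // tells us which resource method was matched

    @Override
    public void filter(ContainerRequestContext ctx) {
        Method method = resourceInfo.getResourceMethod();
        RequiredScopes required = method == null ? null : method.getAnnotation(RequiredScopes.class);
        if (required == null) {
            return; // method carries no scope requirement; nothing to enforce here
        }

        Object token = ctx.getProperty(ScopedToken.PROPERTY);
        Set<String> granted = token instanceof ScopedToken
                ? ((ScopedToken) token).approvedScopes
                : Collections.<String>emptySet(); // no token info at all: treat as no scopes

        if (!isAuthorised(granted, required.value())) {
            ctx.abortWith(Response.status(Response.Status.FORBIDDEN)
                    .header("WWW-Authenticate", "Bearer error=\"insufficient_scope\"")
                    .build());
        }
    }

    /** Every required scope must be granted; an empty grant or empty requirement never authorises. */
    static boolean isAuthorised(Set<String> granted, String[] required) {
        if (required.length == 0 || granted.isEmpty()) {
            return false;
        }
        for (String scope : required) {
            if (!granted.contains(scope)) {
                return false;
            }
        }
        return true;
    }

    /** Stand-alone check of the matching logic with the scope values from the post. */
    public static void main(String[] args) {
        String[] fromMethod = {"testScope1"};           // what @Scopes("testScope1") requires
        Set<String> fromToken = ScopedToken.parseScopes("read"); // what the token approved
        System.out.println("token 'read' may call @Scopes(\"testScope1\"): "
                + isAuthorised(fromToken, fromMethod));
        System.out.println("token 'read testScope1' may call @Scopes(\"testScope1\"): "
                + isAuthorised(ScopedToken.parseScopes("read testScope1"), fromMethod));
    }
}
```

The design point is that the authorisation decision is made from the matched method's annotation and the token actually presented, and that any missing piece (no token property, blank approvedScope, empty requirement) denies rather than allows. When diagnosing a filter that lets such a request through, the first things to confirm are that the scope filter is registered as a provider and is actually reached for the matched method, and that it can see the token's approved scopes rather than an empty set.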
