incubator-wink-user mailing list archives

From Cameron Dalton <Cameron.Dal...@eim-usa.com>
Subject RE: using security annotations (e.g. @RolesAllowed, @DenyAll)
Date Tue, 26 Jul 2011 12:46:50 GMT
Bryant,

Thanks for the tip!  I implemented a request handler, and after lots of searching I was finally
able to locate the target method so I could look up the annotations.  (If anyone cares, that's
MessageContext > SearchResult (via MessageContext's attributes) MethodRecord > MethodMetadata
> Method).

Now, I'm struggling with how to get a 403 Forbidden response back to the client when necessary
based on the method's JSR-250 annotation.  I haven't been able to find a javax.ws.rs.core.Response
anywhere in the MessageContext.

MessageContext does provide setResponseStatusCode() and setResponseEntity(), however calling
setResponseStatusCode(403) does not impact the response I receive at the client; I still get
a 200 OK response.  I can look up the HttpServletResponse from the MessageContext and set the
status code directly using HttpServletResponse.setStatus() and that works fine, however it
just seems...wrong.  Shouldn't I be setting or updating a javax.ws.rs.core.Response somewhere
which will later be mapped to the HttpServletResponse?  I'm worried that if I update HttpServletResponse
directly, especially this early in the entire process (user request handlers), then that's
sort of breaking the paradigm and something else may overwrite what I do to the HttpServletResponse.

Any ideas on the "right" way to set or update the Response from a request handler?

Thanks again for the help.

Cameron


-----Original Message-----
From: Bryant Luk [mailto:bryant.luk@gmail.com] 
Sent: Monday, July 25, 2011 4:39 PM
To: wink-user@incubator.apache.org
Subject: Re: using security annotations (e.g. @RolesAllowed, @DenyAll)

Wink as-is does not have a handler for JSR-250 annotations. You can create a request handler
to do this if you want. The request handler can look at all the annotations available on a
method. Patches would be welcome too.

On Fri, Jul 22, 2011 at 9:41 AM, Cameron Dalton <Cameron.Dalton@eim-usa.com> wrote:
> Good morning,
>
> I'm just starting with some JAX-RS using Apache Wink in my project,
> and I'm having trouble with the security annotations.
>
> I'm trying to use a @RolesAllowed annotation on a method to restrict
> access to only users in those roles.  However, users not in those
> roles are able to invoke the method as well.  I checked the request's
> isUserInRole from inside the method by injecting the request and
> invoking request.isUserInRole myself and that behaves as expected, while the @RolesAllowed
> annotation does not.
> Furthermore, I changed the @RolesAllowed annotation to @DenyAll and
> STILL all users are able to invoke the method - in my mind, that last
> test takes out any variables concerning the request and the
> isUserInRole method and points squarely to something I'm doing wrong
> with the Apache Wink setup or the annotations.
>
> What could I be doing wrong?  What is missing?  I have secured the url
> pattern /* in web.xml by restricting it to all authenticated users.
> Here's my method signature with the annotations:
>
>         @GET
>         @DenyAll
>         @Produces({ MediaType.APPLICATION_JSON})
>         public List<InboxField> getCasesBySearch(@Context HttpServletRequest request, @PathParam("keywords") String keywords) { ...
>
> Thank you so much for your help.
>
> Cameron
