[
https://issues.apache.org/jira/browse/CXF-2345?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12732616#action_12732616
]
Hendy Irawan commented on CXF-2345:
-----------------------------------
Thank you Sergey for your excellent explanation. That definitely clears up
everything.
I mistook your #2 point above as putting annotations on all methods on the
subresource class, as opposed to what you suggested putting the annotation on
the rootresource method.
In fact, my use case is that the rootresource class itself is secured, so I
guess that means in my specific use case, there's actually no need to protect
any of its methods and its subresources, is my assumption is correct?
Your explanation is so excellent it begs inclusion in :
http://cwiki.apache.org/CXF20DOC/jax-rs.html
There is very little discussion (or more accurately: example) on security there.
I'm new with JSR-250 security annotations but currently I'm thinking that for
me, it's a best practice approach to use CXF with Spring, Spring AOP, Spring
Security Tiger, and JSR-250, for all security/authn/authz needs.
Regarding injecting a SubResource to a property, I couldn't do it because the
subresource bean is a prototype one. It's still possible to, say, inject a
factory of SubResource to the RootResource property, and then invoke that
factory upon RootResource.getSubResource() call, but I guess that's too much
jumping hoops. ;-)
> Returning AOP/CGLIB proxy as Subresource throws Fault "object is not an
> instance of declaring class"
> ----------------------------------------------------------------------------------------------------
>
> Key: CXF-2345
> URL: https://issues.apache.org/jira/browse/CXF-2345
> Project: CXF
> Issue Type: Bug
> Components: REST
> Affects Versions: 2.2.2
> Reporter: Hendy Irawan
> Assignee: Sergey Beryozkin
> Fix For: 2.2.3, 2.3
>
>
> Test case:
> RootResource.java :
> public class RootResource {
> @Path("subresource")
> public abstract SubResource getSubResource();
> }
> In spring-beans.xml:
> <bean class="RootResource">
> <lookup-method name="getSubResource" bean="subResource" />
> </bean>
> <bean id="subResource" class="SubResource" />
> Then the AOP proxied SubResource:
> @RolesAllowed({"ROLE_USER"}) // activate Spring Security global method
> annotations
> public class SubResource {
> }
> Getting the /subresource will throw exception:
> org.apache.cxf.interceptor.Fault: object is not an instance of declaring
> class while invoking
> Tried this workaround but not working: Make SubResource implement an
> interface then on RootResource.getSubResource() use interface as the return
> type, not the class
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
