[ https://issues.apache.org/jira/browse/CXF-6888?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Charles Moulliard updated CXF-6888:
-----------------------------------
    Description: 
I have created a CXF JAX-RS unit test using CXF 3.1.5 & Jetty 9 where the @RolesAllowed annotation is used, together with HTTP Basic Authentication and the HashLoginModule.

REST Service

{code}
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;

@Path("/customerservice/")
public interface CustomerService {

    // SecureAnnotationsInterceptor picks this annotation up from the interface
    // and only lets a caller holding the "user" role invoke the method
    @GET
    @Path("/customers/{id}/")
    @RolesAllowed({"user"})
    Customer getCustomer(@PathParam("id") String id);
}
{code}

JAXRS Server

{code}
import org.apache.cxf.Bus;
import org.apache.cxf.BusFactory;
import org.apache.cxf.bus.spring.SpringBusFactory;
import org.apache.cxf.endpoint.Server;
import org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor;
import org.apache.cxf.jaxrs.JAXRSServerFactoryBean;
import org.apache.cxf.jaxrs.lifecycle.SingletonResourceProvider;
import org.apache.cxf.jaxrs.validation.ValidationExceptionMapper;

// Class name is a placeholder so the snippet compiles; the issue only shows the body.
public class BasicAuthCxfRSRoleServer {

    // Assumed: the same port the Spring config resolves through
    // ${testutil.ports.BasicAuthCxfRSRoleTest} (the issue refers to it only as PORT)
    private static final String PORT = System.getProperty("testutil.ports.BasicAuthCxfRSRoleTest");

    // Load the Spring config that wires the Jetty engine with the
    // ConstraintSecurityHandler (Basic auth against the HashLoginService)
    static {
        SpringBusFactory factory = new SpringBusFactory();
        Bus bus = factory.createBus("org/jboss/fuse/security/basic/config/ServerConfig.xml");
        BusFactory.setDefaultBus(bus);
    }

    public static Server start() {
        JAXRSServerFactoryBean sf = new JAXRSServerFactoryBean();

        // Configure the interceptor responsible for scanning the classes and interfaces
        // in order to detect the @RolesAllowed annotation and build a roles map
        SecureAnnotationsInterceptor sai = new SecureAnnotationsInterceptor();
        sai.setSecuredObject(new CustomerServiceImpl());
        sf.getInInterceptors().add(sai);

        sf.setResourceClasses(CustomerServiceImpl.class);
        sf.setProvider(new ValidationExceptionMapper());
        sf.setResourceProvider(CustomerServiceImpl.class,
                new SingletonResourceProvider(new CustomerServiceImpl()));
        sf.setAddress("http://localhost:" + PORT + "/");
        return sf.create();
    }
}
{code}

Spring

{code}
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:sec="http://cxf.apache.org/configuration/security"
       xmlns:http="http://cxf.apache.org/transports/http/configuration"
       xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration"
       xsi:schemaLocation="
          http://cxf.apache.org/configuration/security
          http://cxf.apache.org/schemas/configuration/security.xsd
          http://cxf.apache.org/transports/http/configuration
          http://cxf.apache.org/schemas/configuration/http-conf.xsd
          http://cxf.apache.org/transports/http-jetty/configuration
          http://cxf.apache.org/schemas/configuration/http-jetty.xsd
          http://www.springframework.org/schema/beans
          http://www.springframework.org/schema/beans/spring-beans.xsd">

    <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>

    <!-- Jetty engine for the test port, with a ConstraintSecurityHandler in front of CXF -->
    <httpj:engine-factory bus="cxf">
        <httpj:engine port="${testutil.ports.BasicAuthCxfRSRoleTest}">
            <httpj:handlers>
                <bean class="org.eclipse.jetty.security.ConstraintSecurityHandler">
                    <property name="loginService" ref="securityLoginService"/>
                    <property name="constraintMappings">
                        <list>
                            <ref bean="securityConstraintMapping"/>
                        </list>
                    </property>
                </bean>
            </httpj:handlers>
        </httpj:engine>
    </httpj:engine-factory>

    <!-- Users, passwords and roles come from the properties file -->
    <bean id="securityLoginService" class="org.eclipse.jetty.security.HashLoginService">
        <property name="name" value="myrealm"/>
        <property name="config" value="src/test/resources/org/jboss/fuse/security/basic/myrealm.props"/>
    </bean>

    <bean id="securityConstraint" class="org.eclipse.jetty.util.security.Constraint">
        <property name="name" value="BASIC"/>
        <property name="roles" value="user"/>
        <property name="authenticate" value="true"/>
    </bean>

    <bean id="securityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
        <property name="constraint" ref="securityConstraint"/>
        <property name="pathSpec" value="/*"/>
    </bean>
</beans>
{code}

The test passes successfully if I define the roles property for the Jetty Security Constraint --> <property name="roles" value="user"/> but fails if I remove it, as Jetty then returns a 403 error with the "!role" message.

So, what I don't understand is that we have to set the roles property for the Jetty Constraint, while in fact we would like the REST @RolesAllowed and SimpleAuthorizingInterceptor to check the roles of the user and accept or refuse access to the resource without the help of Jetty.

Questions:
- Is my config wrong?
- Can we configure Jetty + Constraint + ConstraintMap without setting roles?
was: TODO


> Behaviour is not what we can expect @RolesAllowed
> -------------------------------------------------
>
>                 Key: CXF-6888
>                 URL: https://issues.apache.org/jira/browse/CXF-6888
>             Project: CXF
>          Issue Type: Bug
>    Affects Versions: 3.1.5
>            Reporter: Charles Moulliard
>         Attachments: temp-cxf-rolesallowed-issue.zip
>



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
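The 403 with "!role" is Jetty's own doing, not CXF's: in ConstraintSecurityHandler a Constraint with authenticate="true" that names no role is a checked constraint that permits nobody, so dropping the roles property forbids every request before the message reaches SecureAnnotationsInterceptor. If Jetty is only meant to authenticate and CXF's @RolesAllowed is meant to authorize, the constraint can instead name the Servlet 3.1 wildcard "**" (Constraint.ANY_AUTH in Jetty 9.1 and later), which admits any authenticated user. The beans below are an added example, not code from the issue or from the CXF project; they reuse the bean ids of the ServerConfig.xml above and assume the same myrealm.props, and the sample user line quoted in the comments is constructed.

```xml
<!-- Added example (not from the issue or from CXF). Drop-in replacement for the
     "securityConstraint" bean of ServerConfig.xml; the mapping bean is unchanged. -->

<!-- Misconfiguration: authenticate="true" with no roles. Jetty treats a checked
     constraint that permits no role as forbidding everything, so it answers
     403 "!role" itself and CXF's SecureAnnotationsInterceptor never runs. -->
<bean id="securityConstraintForbidsAll" class="org.eclipse.jetty.util.security.Constraint">
    <property name="name" value="BASIC"/>
    <property name="authenticate" value="true"/>
</bean>

<!-- Corrected: "**" (Constraint.ANY_AUTH) means "any authenticated user".
     Jetty validates the Basic credentials against myrealm.props and otherwise
     passes the request through; the per-method decision is then made by
     @RolesAllowed via SecureAnnotationsInterceptor. That check calls
     isUserInRole() on the Jetty request, so the user's line in myrealm.props
     must still carry the role, e.g. "alice: secret,user" (constructed line,
     HashLoginService format: user: password,role1,role2). -->
<bean id="securityConstraint" class="org.eclipse.jetty.util.security.Constraint">
    <property name="name" value="BASIC"/>
    <property name="roles" value="**"/>
    <property name="authenticate" value="true"/>
</bean>

<bean id="securityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
    <property name="constraint" ref="securityConstraint"/>
    <property name="pathSpec" value="/*"/>
</bean>
```

With the corrected constraint the layers split cleanly: a request without credentials is refused by Jetty with 401, a caller whose credentials verify but whose props entry lacks the "user" role reaches CXF and is refused there with AccessDeniedException (surfaced as 403), and only a caller holding "user" gets to getCustomer(). The trade-off is that Jetty no longer restricts anything per path, so every method that must be restricted needs its own @RolesAllowed (or an entry in the interceptor's roles map); an unannotated method is reachable by any authenticated user.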