[ https://issues.apache.org/jira/browse/CXF-6888?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15264129#comment-15264129 ]
Sergey Beryozkin commented on CXF-6888:
---------------------------------------

We have a test running against this configuration:
https://github.com/apache/cxf/blob/master/systests/jaxrs/src/test/resources/jaxrs_jaas_security/WEB-INF/beans.xml

I've never tried it with a standalone Jetty though; all we'd need from Jetty is preparing a principal with the roles set up, and then CXF would enforce the roles restrictions. So I guess I'd rather need to configure Jetty to only do JAAS and remove the actual security constraint, because if it is in then it is enforced before CXF is reached. If you do prefer to keep it (e.g. to enforce that it is Basic auth) then set roles to a wildcard value (as recognized by Jetty) so that CXF does the actual roles check...

> Behaviour is not what we can expect @RolesAllowed
> -------------------------------------------------
>
>                 Key: CXF-6888
>                 URL: https://issues.apache.org/jira/browse/CXF-6888
>             Project: CXF
>          Issue Type: Bug
>    Affects Versions: 3.1.5
>            Reporter: Charles Moulliard
>         Attachments: temp-cxf-rolesallowed-issue.zip
>
>
> I have created a CXF JAX-RS unit test using CXF 3.1.5 & Jetty 9 where the annotation @RolesAllowed is used, as well as Basic HTTP Authentication with the HashLoginModule.
>
> REST Service
>
> {code}
> import javax.annotation.security.RolesAllowed;
> import javax.ws.rs.GET;
> import javax.ws.rs.Path;
> import javax.ws.rs.PathParam;
>
> @Path("/customerservice/")
> public interface CustomerService {
>
>     @GET
>     @Path("/customers/{id}/")
>     @RolesAllowed({"user"})
>     Customer getCustomer(@PathParam("id") String id);
> }
> {code}
>
> JAXRS Server
>
> {code}
> static {
>     SpringBusFactory factory = new SpringBusFactory();
>     Bus bus = factory.createBus("org/jboss/fuse/security/basic/config/ServerConfig.xml");
>     BusFactory.setDefaultBus(bus);
> }
>
> JAXRSServerFactoryBean sf = new JAXRSServerFactoryBean();
> // Configure the interceptor responsible for scanning the classes and interfaces
> // to detect the @RolesAllowed annotation and build a roles map
> SecureAnnotationsInterceptor sai = new SecureAnnotationsInterceptor();
> sai.setSecuredObject(new CustomerServiceImpl());
> sf.getInInterceptors().add(sai);
> sf.setResourceClasses(CustomerServiceImpl.class);
> sf.setProvider(new ValidationExceptionMapper());
> sf.setResourceProvider(CustomerServiceImpl.class,
>                        new SingletonResourceProvider(new CustomerServiceImpl()));
> sf.setAddress("http://localhost:" + PORT + "/");
> {code}
>
> Spring
>
> {code}
> <beans xmlns="http://www.springframework.org/schema/beans"
>        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>        xmlns:sec="http://cxf.apache.org/configuration/security"
>        xmlns:http="http://cxf.apache.org/transports/http/configuration"
>        xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration"
>        xsi:schemaLocation="
>            http://cxf.apache.org/configuration/security
>            http://cxf.apache.org/schemas/configuration/security.xsd
>            http://cxf.apache.org/transports/http/configuration
>            http://cxf.apache.org/schemas/configuration/http-conf.xsd
>            http://cxf.apache.org/transports/http-jetty/configuration
>            http://cxf.apache.org/schemas/configuration/http-jetty.xsd
>            http://www.springframework.org/schema/beans
>            http://www.springframework.org/schema/beans/spring-beans.xsd">
>
>     <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
>
>     <httpj:engine-factory bus="cxf">
>         <httpj:engine port="${testutil.ports.BasicAuthCxfRSRoleTest}">
>             <httpj:handlers>
>                 <bean class="org.eclipse.jetty.security.ConstraintSecurityHandler">
>                     <property name="loginService" ref="securityLoginService"/>
>                     <property name="constraintMappings">
>                         <list>
>                             <ref bean="securityConstraintMapping"/>
>                         </list>
>                     </property>
>                 </bean>
>             </httpj:handlers>
>         </httpj:engine>
>     </httpj:engine-factory>
>
>     <bean id="securityLoginService" class="org.eclipse.jetty.security.HashLoginService">
>         <property name="name" value="myrealm"/>
>         <property name="config"
>                   value="src/test/resources/org/jboss/fuse/security/basic/myrealm.props"/>
>     </bean>
>
>     <bean id="securityConstraint" class="org.eclipse.jetty.util.security.Constraint">
>         <property name="name" value="BASIC"/>
>         <property name="roles" value="user"/>
>         <property name="authenticate" value="true"/>
>     </bean>
>
>     <bean id="securityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
>         <property name="constraint" ref="securityConstraint"/>
>         <property name="pathSpec" value="/*"/>
>     </bean>
>
> </beans>
> {code}
>
> The test passes successfully if I define the roles property for the Jetty Security Constraint --> <property name="roles" value="user"/> but will fail if I remove it, as Jetty will return a 403 error with "!role" message.
>
> So, what I don't understand is that we have to set the roles property for the Jetty Constraint while in fact we would like the REST @RolesAllowed and SimpleAuthorizingInterceptor to check the roles of the user and accept or refuse access to the resource without the help of Jetty.
>
> Questions:
> - Is my config wrong?
> - Can we configure Jetty + Constraint + ConstraintMap without setting Roles?

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
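The ordering point in the comment above (a role constraint in the container is enforced before CXF is reached, so the per-method @RolesAllowed check only ever runs on requests the container already let through) can be shown without a running Jetty. The following is an added illustration, not code from the issue, from CXF or from Jetty: it models the two layers as plain functions, builds the method-to-roles map from the interface annotations the way the issue's interceptor relies on, and compares a constraint with roles="user" against an authenticate-only constraint. The RolesAllowed annotation, the Principal class, the users alice and bob and the status codes are all constructed for this demo (the annotation is a stand-in for javax.annotation.security.RolesAllowed so it compiles on any JDK).

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/** Demo only: container-level role constraint vs. method-level @RolesAllowed. */
public class RolesAllowedOrderingDemo {

    // Stand-in for javax.annotation.security.RolesAllowed (assumption: same meaning,
    // the caller must hold at least one of the listed roles).
    @Retention(RetentionPolicy.RUNTIME)
    @Target({ElementType.METHOD, ElementType.TYPE})
    @interface RolesAllowed { String[] value(); }

    // Roles are declared on the interface, as in the issue; the impl carries none.
    interface CustomerService {
        @RolesAllowed({"user"})  String getCustomer(String id);
        @RolesAllowed({"admin"}) String deleteCustomer(String id);
    }

    static class CustomerServiceImpl implements CustomerService {
        public String getCustomer(String id)    { return "customer " + id; }
        public String deleteCustomer(String id) { return "deleted " + id; }
    }

    /** What a realm such as a HashLoginService yields once Basic auth has succeeded. */
    static final class Principal {
        final String name;
        final Set<String> roles;
        Principal(String name, String... roles) {
            this.name = name;
            this.roles = new HashSet<>(Arrays.asList(roles));
        }
    }

    /** Method name -> required roles, read from the interfaces first, then the impl class. */
    static Map<String, Set<String>> buildRolesMap(Object securedObject) {
        Map<String, Set<String>> map = new HashMap<>();
        Class<?> cls = securedObject.getClass();
        for (Class<?> iface : cls.getInterfaces()) {
            for (Method m : iface.getMethods()) {
                RolesAllowed ra = m.getAnnotation(RolesAllowed.class);
                if (ra != null) map.put(m.getName(), new HashSet<>(Arrays.asList(ra.value())));
            }
        }
        // An annotation on the implementation method overrides the interface one.
        for (Method m : cls.getDeclaredMethods()) {
            RolesAllowed ra = m.getAnnotation(RolesAllowed.class);
            if (ra != null) map.put(m.getName(), new HashSet<>(Arrays.asList(ra.value())));
        }
        return map;
    }

    /**
     * Container layer. An empty constraintRoles set stands for "authenticate only"
     * (the wildcard case from the comment); otherwise the caller must hold one of the
     * listed roles or the container refuses before CXF ever sees the request.
     */
    static int containerCheck(Principal caller, Set<String> constraintRoles) {
        if (caller == null) return 401;                 // not authenticated
        if (constraintRoles.isEmpty()) return 200;      // authentication was enough
        for (String r : constraintRoles) if (caller.roles.contains(r)) return 200;
        return 403;                                     // Jetty's "!role" case
    }

    /** Method layer: the decision an annotation-driven authorizing interceptor makes. */
    static int methodCheck(Map<String, Set<String>> rolesMap, String method, Principal caller) {
        Set<String> required = rolesMap.get(method);
        if (required == null) return 200;               // unannotated: this demo leaves it open
        for (String r : required) if (caller.roles.contains(r)) return 200;
        return 403;
    }

    /** Full request path: the container decides first, the method map only afterwards. */
    static int dispatch(Principal caller, Set<String> constraintRoles,
                        Map<String, Set<String>> rolesMap, String method) {
        int c = containerCheck(caller, constraintRoles);
        return c != 200 ? c : methodCheck(rolesMap, method, caller);
    }

    public static void main(String[] args) {
        Map<String, Set<String>> rolesMap = buildRolesMap(new CustomerServiceImpl());
        Principal alice = new Principal("alice", "user");   // constructed sample users
        Principal bob   = new Principal("bob", "admin");
        Set<String> jettyRoleUser = Collections.singleton("user"); // roles="user" as in the issue
        Set<String> authOnly      = Collections.emptySet();        // constraint without roles

        System.out.println("bob   deleteCustomer, Jetty roles=user: "
                + dispatch(bob, jettyRoleUser, rolesMap, "deleteCustomer"));
        System.out.println("bob   deleteCustomer, auth only       : "
                + dispatch(bob, authOnly, rolesMap, "deleteCustomer"));
        System.out.println("alice deleteCustomer, auth only       : "
                + dispatch(alice, authOnly, rolesMap, "deleteCustomer"));
        System.out.println("anon  getCustomer,    auth only       : "
                + dispatch(null, authOnly, rolesMap, "getCustomer"));
    }
}
```

The first call is the situation from the issue: bob holds "admin", which @RolesAllowed("admin") on deleteCustomer would accept, but the container constraint only lists "user", so the request is refused before the method map is consulted. With the authenticate-only constraint the container merely builds the principal and the method-level roles decide, which is the split the comment recommends: authentication (and the principal's roles) from Jetty, authorization from CXF.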