[ 
https://issues.apache.org/jira/browse/CXF-6888?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15264252#comment-15264252
 ] 

Sergey Beryozkin commented on CXF-6888:
---------------------------------------

You can register JAASAuthenticationFilter instead (as jaxrs:provider) and it 
will report a proper 403. Or keep the interceptor, as it also works for JAXWS, 
but register an ExceptionMapper converting the exception to 403.

> Behaviour is not what we can expect @RolesAllowed
> -------------------------------------------------
>
>                 Key: CXF-6888
>                 URL: https://issues.apache.org/jira/browse/CXF-6888
>             Project: CXF
>          Issue Type: Bug
>    Affects Versions: 3.1.5
>            Reporter: Charles Moulliard
>         Attachments: temp-cxf-rolesallowed-issue.zip
>
>
> I have created a CXF JAX RS Unit test using version CXF 3.1.5 & Jetty 9 where 
> the Annotation @RolesAllowed is used along with Basic HTTP Authentication with 
> the HashLoginModule.
> REST Service
> {code}
> @Path("/customerservice/")
> public interface CustomerService {
>     @GET
>     @Path("/customers/{id}/")
>     @RolesAllowed({"user"})
>     Customer getCustomer(@PathParam("id") String id);
> }
> {code}
> JAXRS Server
> {code}
> static {
>     SpringBusFactory factory = new SpringBusFactory();
>     Bus bus = factory.createBus("org/jboss/fuse/security/basic/config/ServerConfig.xml");
>     BusFactory.setDefaultBus(bus);
> }
>
> JAXRSServerFactoryBean sf = new JAXRSServerFactoryBean();
> // Configure the Interceptor responsible to scan the Classes / Interface in order
> // to detect the @RolesAllowed Annotation and create a RolesMap
> SecureAnnotationsInterceptor sai = new SecureAnnotationsInterceptor();
> sai.setSecuredObject(new CustomerServiceImpl());
> sf.getInInterceptors().add(sai);
> sf.setResourceClasses(CustomerServiceImpl.class);
> sf.setProvider(new ValidationExceptionMapper());
> sf.setResourceProvider(CustomerServiceImpl.class,
>         new SingletonResourceProvider(new CustomerServiceImpl()));
> sf.setAddress("http://localhost:" + PORT + "/");
> {code}
> Spring
> {code}
> <beans xmlns="http://www.springframework.org/schema/beans"
>        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>        xmlns:sec="http://cxf.apache.org/configuration/security"
>        xmlns:http="http://cxf.apache.org/transports/http/configuration"
>        xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration"
>        xsi:schemaLocation="
>            http://cxf.apache.org/configuration/security
>            http://cxf.apache.org/schemas/configuration/security.xsd
>            http://cxf.apache.org/transports/http/configuration
>            http://cxf.apache.org/schemas/configuration/http-conf.xsd
>            http://cxf.apache.org/transports/http-jetty/configuration
>            http://cxf.apache.org/schemas/configuration/http-jetty.xsd
>            http://www.springframework.org/schema/beans
>            http://www.springframework.org/schema/beans/spring-beans.xsd">
>     <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
>     <httpj:engine-factory bus="cxf">
>         <httpj:engine port="${testutil.ports.BasicAuthCxfRSRoleTest}">
>             <httpj:handlers>
>                 <bean class="org.eclipse.jetty.security.ConstraintSecurityHandler">
>                     <property name="loginService" ref="securityLoginService"/>
>                     <property name="constraintMappings">
>                         <list>
>                             <ref bean="securityConstraintMapping"/>
>                         </list>
>                     </property>
>                 </bean>
>             </httpj:handlers>
>         </httpj:engine>
>     </httpj:engine-factory>
>     <bean id="securityLoginService" class="org.eclipse.jetty.security.HashLoginService">
>         <property name="name" value="myrealm"/>
>         <property name="config"
>                   value="src/test/resources/org/jboss/fuse/security/basic/myrealm.props"/>
>     </bean>
>     <bean id="securityConstraint" class="org.eclipse.jetty.util.security.Constraint">
>         <property name="name" value="BASIC"/>
>         <property name="roles" value="user"/>
>         <property name="authenticate" value="true"/>
>     </bean>
>     <bean id="securityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
>         <property name="constraint" ref="securityConstraint"/>
>         <property name="pathSpec" value="/*"/>
>     </bean>
> </beans>
> {code}
> The test passes successfully if I define the roles property for the Jetty 
> Security Constraint --> <property name="roles" value="user"/> but will fail 
> if I remove it, as Jetty will return a 403 error with a "!role" message.
> So, what I don't understand is that we have to set the roles property for the 
> Jetty Constraint while in fact we would like the REST @RolesAllowed and 
> SimpleAuthorizingInterceptor to check the roles of the user and accept or 
> refuse access to the resource without the help of Jetty.
> Questions:
> - Is my config wrong?
> - Can we configure Jetty + Constraint + ConstraintMap without setting Roles?
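Sergey's second option worked through as an added example (not code from the thread or from CXF itself): an ExceptionMapper that turns the AccessDeniedException raised by SecureAnnotationsInterceptor into a 403, registered next to the interceptor from the report. CustomerServiceImpl is the reporter's class; the address parameter is assumed to be built from the test's PORT as in the report.

```java
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.ExceptionMapper;
import javax.ws.rs.ext.Provider;

import org.apache.cxf.interceptor.security.AccessDeniedException;
import org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor;
import org.apache.cxf.jaxrs.JAXRSServerFactoryBean;
import org.apache.cxf.jaxrs.lifecycle.SingletonResourceProvider;

// CXF's authorizing interceptors (SimpleAuthorizingInterceptor and its subclass
// SecureAnnotationsInterceptor) throw AccessDeniedException when the authenticated
// user lacks a role listed in @RolesAllowed. Without a mapper that surfaces as a
// generic fault; this mapper reports it as HTTP 403 Forbidden instead.
@Provider
public class AccessDeniedExceptionMapper implements ExceptionMapper<AccessDeniedException> {

    @Override
    public Response toResponse(AccessDeniedException ex) {
        // Keep the body generic: do not reveal which role the resource requires.
        return Response.status(Response.Status.FORBIDDEN)
                .entity("Forbidden")
                .type("text/plain")
                .build();
    }

    // Wires the mapper beside the interceptor from the report. Jetty's Constraint
    // keeps authenticate=true so Basic auth still populates the principal, while
    // the role decision is made by @RolesAllowed through the interceptor.
    public static JAXRSServerFactoryBean configure(String address) {
        CustomerServiceImpl impl = new CustomerServiceImpl();

        // Scans CustomerServiceImpl (and its interface) for @RolesAllowed and
        // builds the method-to-roles map that the interceptor enforces.
        SecureAnnotationsInterceptor sai = new SecureAnnotationsInterceptor();
        sai.setSecuredObject(impl);

        JAXRSServerFactoryBean sf = new JAXRSServerFactoryBean();
        sf.setResourceClasses(CustomerServiceImpl.class);
        sf.setResourceProvider(CustomerServiceImpl.class, new SingletonResourceProvider(impl));
        sf.getInInterceptors().add(sai);
        sf.setProvider(new AccessDeniedExceptionMapper());
        sf.setAddress(address);
        return sf;
    }
}
```

With this in place a user who authenticates but is not in the "user" role receives 403 from CXF, so the Jetty Constraint no longer needs a roles property to produce that status.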



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)