RE: Handle Bearer authorization
Using javax.ws.rs.core.SecurityContext works.

Best Regards,
J.P.

-----Original Message-----
From: Andriy Redko
Sent: Friday 2 June 2023 23:11
To: Jean Pierre URKENS; CXF Dev List
Subject: Re: Handle Bearer authorization

Hi Jean,

Apologies since I am rarely touching this part of the project, and do have some knowledge gaps there. Anyway, the flow I was sure should work actually does not [1] apparently. There are 2 security contexts actually:
- javax.ws.rs.core.SecurityContext (or jakarta.ws.rs.core.SecurityContext)
- org.apache.cxf.security.SecurityContext

I was thinking about the latter but due to [1], the injection does not work. Could you try to use javax.ws.rs.core.SecurityContext instead please to see what is being injected to you? Thank you.

[1] https://issues.apache.org/jira/browse/CXF-5803

Best Regards,
Andriy Redko

> I did a test where I:
> - created my own SecurityContext implementation
> - in my authentication filter I construct an instance 'sc' of this SecurityContext and put it in the message using:
>   JAXRSUtils.getCurrentMessage().put(SecurityContext.class, sc);
>
> I tried two ways to obtain this SecurityContext in my service methods:
>
> 1. using annotations:
> Interface:
>   Response getOnderneming(@HeaderParam("X-KMO-OPERATION-ID") UUID operationId,
>                           @PathParam("kboNr") String kboNr,
>                           @Context SecurityContext sc);
> Implementation:
>   Response getOnderneming(UUID operationId, String kboNr, SecurityContext sc) {...}
>
> 2. without annotations:
> Interface:
>   Response getOnderneming(@HeaderParam("X-KMO-OPERATION-ID") UUID operationId,
>                           @PathParam("kboNr") String kboNr);
> Implementation:
>   Response getOnderneming(UUID operationId, String kboNr) {
>       SecurityContext sc = JAXRSUtils.getCurrentMessage().get(SecurityContext.class);
>       ...
>   }
>
> Using the annotations way (1. above) doesn't work: the SecurityContext object 'sc' is null on entering the getOnderneming() method.
> Without annotations (2. above) I do get a valid SecurityContext object 'sc'.
> Isn't the 'annotations' way supposed to work this way?
>
> Regards,
> J.P. Urkens
>
> -----Original Message-----
> From: Jean Pierre URKENS
> Sent: Friday 2 June 2023 10:18
> To: 'Andriy Redko'
> Subject: RE: Handle Bearer authorization
>
> Hi Andriy,
>
> As far as I understand the filters JwtAuthenticationFilter and AbstractJwtAuthenticationFilter, the assumption is that a request is received with an 'Authentication' header that contains a signed JWT token. The filter provides methods to:
> - validate the signed JWT token
> - create a SecurityContext (JwtTokenSecurityContext) from it.
>
> This isn't the situation I am dealing with. I am receiving a request with an 'Authorization' header containing 'Bearer '. I've no knowledge about the nature of this access_token, nor do I need to, since validating this access token is done by sending a request to an 'OAuth/OIDC introspection endpoint' passing on this access_token. The introspection endpoint replies with a scope object (JWT claims object) if the token is valid.
>
> Now I can deal with this situation and create my own SecurityContext (extended from ClaimsSecurityContext). What I don't understand is how I get this SecurityContext available in my service method.
>
> I see that the AbstractJwtAuthenticationFilter (line 56) puts the constructed SecurityContext in the Message:
>   if (securityContext != null) {
>       JAXRSUtils.getCurrentMessage().put(SecurityContext.class, securityContext);
>   }
>
> Can I simply retrieve this in my service method by calling:
>   SecurityContext sc = JAXRSUtils.getCurrentMessage().get(SecurityContext.class);
>
> So no need to add @Context annotations to service methods like e.g.:
> Interface:
>   Response getOnderneming(@HeaderParam("X-KMO-OPERATION-ID") UUID operationId,
>                           @PathParam("kboNr") String kboNr,
>                           @Context SecurityContext ctx);
> Implementation:
>   Response getOnderneming(UUID operationId, String kboNr, SecurityContext sc) {...}
>
> Regards,
> J.P.
>
> -----Original Message-----
> From: Andriy Redko
> Sent: Friday 2 June 2023 0:29
> To: Jean Pierre URKENS; CXF Dev List
> Subject: Re: Handle Bearer authorization
>
> Hi Jean,
>
> You should be able to get access to the Bearer and claims using JwtAuthenticationFilter + @Context SecurityContext. The expected type of the security context should be ClaimsSecurityContext, with the collection of claims being available.
> If the JwtAuthenticationFilter does not work for you (for some reasons), you could subclass AbstractJwtAuthenticationFilter.
>
> Hope it helps, thank you.
>
> Best Regards,
> Andriy Redko
>
>> Hi Andriy,
>> I am lost in JAXRS JOSE security to figure out how to handle bearer authorization. So what I currently did is:
>> 1. I created
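The flow the thread settles on, written out as an added example (not code from the thread or from CXF): a request filter validates the Bearer token through the introspection endpoint, puts a CXF SecurityContext on the current message the same way the thread does, and the resource method receives the JAX-RS javax.ws.rs.core.SecurityContext via @Context. TokenIntrospector, the scope-to-role mapping, the onderneming:read scope and the resource path are assumptions.

```java
import java.util.Arrays;
import java.util.Map;
import java.util.UUID;
import javax.ws.rs.*;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;
import org.apache.cxf.jaxrs.utils.JAXRSUtils;
import org.apache.cxf.security.SecurityContext;

/** Hypothetical client for the OAuth/OIDC introspection endpoint (RFC 7662): response as a map, null on failure. */
interface TokenIntrospector { Map<String, Object> introspect(String accessToken); }

/** CXF security context built from the introspection claims; each granted scope is treated as a role (assumed). */
class IntrospectedTokenSecurityContext implements SecurityContext {
    private final Map<String, Object> claims;
    IntrospectedTokenSecurityContext(Map<String, Object> claims) { this.claims = claims; }
    public java.security.Principal getUserPrincipal() { return () -> String.valueOf(claims.get("sub")); }
    public boolean isUserInRole(String role) {                 // "scope" is a space-separated string
        Object scope = claims.get("scope");
        return scope != null && Arrays.asList(scope.toString().split(" ")).contains(role);
    }
}
@Provider
public class BearerIntrospectionFilter implements ContainerRequestFilter {
    private final TokenIntrospector introspector;
    public BearerIntrospectionFilter(TokenIntrospector introspector) { this.introspector = introspector; }
    public void filter(ContainerRequestContext ctx) {
        String auth = ctx.getHeaderString("Authorization");    // scheme name is case-insensitive (RFC 7235)
        Map<String, Object> claims = auth != null && auth.regionMatches(true, 0, "Bearer ", 0, 7)
                ? introspector.introspect(auth.substring(7).trim()) : null;
        if (claims == null || !Boolean.TRUE.equals(claims.get("active"))) {
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).header("WWW-Authenticate", "Bearer").build());
            return;                                            // nothing is put on the message for a rejected token
        }
        // Same mechanism as in the thread: the CXF context goes on the current message, and it backs the
        // @Context javax.ws.rs.core.SecurityContext injected into the resource method.
        JAXRSUtils.getCurrentMessage().put(SecurityContext.class, new IntrospectedTokenSecurityContext(claims));
    }
}
@Path("/ondernemingen")
class OndernemingResource {
    @GET @Path("/{kboNr}")
    public Response getOnderneming(@HeaderParam("X-KMO-OPERATION-ID") UUID operationId, @PathParam("kboNr") String kboNr,
                                   @Context javax.ws.rs.core.SecurityContext sc) {  // the JAX-RS type, not the CXF one
        if (sc.getUserPrincipal() == null || !sc.isUserInRole("onderneming:read")) {  // assumed scope name
            return Response.status(Response.Status.FORBIDDEN).build();
        }
        return Response.ok(kboNr + " requested by " + sc.getUserPrincipal().getName()).build();
    }
}
```

Asking for the CXF org.apache.cxf.security.SecurityContext via @Context still yields null per CXF-5803; a method that needs the raw claims reads the CXF context from JAXRSUtils.getCurrentMessage() as in option 2 of the thread.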
[GitHub] [cxf-fediz] dependabot[bot] opened a new pull request, #177: Bump github/codeql-action from 2.3.5 to 2.3.6
dependabot[bot] opened a new pull request, #177: URL: https://github.com/apache/cxf-fediz/pull/177

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.5 to 2.3.6.

Commits
- [83f0fe6](https://github.com/github/codeql-action/commit/83f0fe6c4988d98a455712a27f0255212bba9bd4) Merge pull request [#1713](https://redirect.github.com/github/codeql-action/issues/1713) from github/update-v2.3.6-96f284028
- [5c8f4be](https://github.com/github/codeql-action/commit/5c8f4be0e98de2abecc7af538676cf2384a881fc) Update changelog for v2.3.6
- [96f2840](https://github.com/github/codeql-action/commit/96f284028262d223858647b5680642a84608cc87) Merge pull request [#1711](https://redirect.github.com/github/codeql-action/issues/1711) from github/henrymercer/improve-supported-versions-u...
- [89c4c9e](https://github.com/github/codeql-action/commit/89c4c9e65cd3faf5d84dba8f43bb308fae40336d) Merge pull request [#1678](https://redirect.github.com/github/codeql-action/issues/1678) from github/henrymercer/default-setup-safeguarding
- [26f16a5](https://github.com/github/codeql-action/commit/26f16a5e63c7bebdcf17b2a6d1c7fc1861a0c611) Rephrase the still supported calculation to make it clearer
- [955f859](https://github.com/github/codeql-action/commit/955f8596aed9d71c454c46b251302b150bc1adcb) Fix sign error
- [e7cff66](https://github.com/github/codeql-action/commit/e7cff66ce1871fdb3b9cdf054e5550485c0b8d12) Fix push
- [afdba76](https://github.com/github/codeql-action/commit/afdba763260a797d16bcce8e498641fefd604731) Wait a week before dropping support for end of life GHES versions
- [07e43a2](https://github.com/github/codeql-action/commit/07e43a22080d8828875556729afa669d200b9515) Open PR with gh CLI
- [9632771](https://github.com/github/codeql-action/commit/9632771630d75f08faa5a3b6f5afc9d44a6a65b0) Address review comments
- Additional commits viewable in [compare view](https://github.com/github/codeql-action/compare/0225834cc549ee0ca93cb085b92954821a145866...83f0fe6c4988d98a455712a27f0255212bba9bd4)
[Dependabot compatibility score](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscr...@cxf.apache.org
For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [cxf] dkulp merged pull request #1043: Some toString methods to help with debugging
dkulp merged PR #1043: URL: https://github.com/apache/cxf/pull/1043
Call for Presentations, Community Over Code Asia 2023
You are receiving this message because you are subscribed to one or more developer mailing lists at the Apache Software Foundation.

The call for presentations is now open at https://apachecon.com/acasia2023/cfp.html, and will be closed by Sunday, Jun 18th, 2023 11:59 PM GMT. The event will be held in Beijing, China, August 18-20, 2023.

We are looking for presentations about anything relating to Apache Software Foundation projects, open-source governance, community, and software development. In particular, this year we are building content tracks around the following specific topics/projects:
- AI / Machine learning
- API / Microservice
- Community
- CloudNative
- Data Storage & Computing
- DataOps
- Data Lake & Data Warehouse
- OLAP & Data Analysis
- Performance Engineering
- Incubator
- IoT/IIoT
- Messaging
- RPC
- Streaming
- Workflow / Data Processing
- Web Server / Tomcat

If your proposed presentation falls into one of these categories, please select that topic in the CFP entry form. Or select Others if it's related to another topic or project area.

Looking forward to hearing from you!

Willem Jiang, and the Community Over Code planners
[GitHub] [cxf] dkulp merged pull request #1289: CXF-8879: OSGi bundle manifest are broken
dkulp merged PR #1289: URL: https://github.com/apache/cxf/pull/1289
[GitHub] [cxf] dkulp merged pull request #1292: CXF-8879: OSGi bundle manifest are broken (fixing a few missed ones)
dkulp merged PR #1292: URL: https://github.com/apache/cxf/pull/1292
[GitHub] [cxf] dependabot[bot] opened a new pull request, #1293: Bump buildnumber-maven-plugin from 3.1.0 to 3.2.0
dependabot[bot] opened a new pull request, #1293: URL: https://github.com/apache/cxf/pull/1293

Bumps [buildnumber-maven-plugin](https://github.com/mojohaus/buildnumber-maven-plugin) from 3.1.0 to 3.2.0.

Release notes
Sourced from [buildnumber-maven-plugin's releases](https://github.com/mojohaus/buildnumber-maven-plugin/releases).

3.2.0

Changes
This version upgrade to Apache Maven SCM Api 2.x which means removing support of a few scm tools such: CVS, Bazaar, Starteam and Perforce.

🚀 New features and improvements
- Upgrade to scm 2.0.1, ignore test relying on svn.codehaus.org ([#196](https://redirect.github.com/mojohaus/buildnumber-maven-plugin/pull/196)) [@olamy](https://github.com/olamy)

📦 Dependency updates
- Bump extra-enforcer-rules from 1.6.2 to 1.7.0 ([#194](https://redirect.github.com/mojohaus/buildnumber-maven-plugin/pull/194)) [@dependabot](https://github.com/dependabot)

Commits
- [f05aec4](https://github.com/mojohaus/buildnumber-maven-plugin/commit/f05aec4b9db9b52a68ee53e9c4dd4bdc8eb4f827) [maven-release-plugin] prepare release 3.2.0
- [6674082](https://github.com/mojohaus/buildnumber-maven-plugin/commit/6674082596977e1efffd36d743c8127341f3f9f6) bump next version to 3.2.0 because scm api change
- [eadbf85](https://github.com/mojohaus/buildnumber-maven-plugin/commit/eadbf85e5a6ee7d9e135585f33ef8bea7db47630) Bump extra-enforcer-rules from 1.6.2 to 1.7.0
- [d2b2b5e](https://github.com/mojohaus/buildnumber-maven-plugin/commit/d2b2b5e9468bdace92de076ed8996c671ff8af7f) Upgrade to sm 2.0.1, ignore test relying on svn.codehaus.org ([#196](https://redirect.github.com/mojohaus/buildnumber-maven-plugin/issues/196))
- [10c9ef7](https://github.com/mojohaus/buildnumber-maven-plugin/commit/10c9ef700f281e9021741473e89411e6f17ce4eb) [maven-release-plugin] prepare for next development iteration
- See full diff in [compare view](https://github.com/mojohaus/buildnumber-maven-plugin/compare/3.1.0...3.2.0)