tomee-users mailing list archives

From Alex Soto <asot...@gmail.com>
Subject Re: TomEE2 JAXRS Security Context
Date Wed, 12 Nov 2014 08:57:11 GMT
Hi,

Yes, that example works, but if I do something like

import javax.annotation.security.RolesAllowed;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.SecurityContext;

    // nested static resource class: the posted snippet is a fragment of a larger test class
    @Path("sc")
    public static class Res {
        @Context
        private SecurityContext sc;

        @GET
        @RolesAllowed("therole")
        public boolean f() {
            return sc.isUserInRole("therole");
        }
    }

Note that in theory, when the role is a different one, the f() method should
not be executed, but in reality it is executed as well. So it seems that with
a custom security context you cannot rely on declarative mode using
annotations.

2014-11-11 16:48 GMT+01:00 Romain Manni-Bucau <rmannibucau@gmail.com>:

> Hi
>
> what's the difference with
>
> https://git-wip-us.apache.org/repos/asf?p=tomee.git;a=blob;f=server/openejb-cxf-rs/src/test/java/org/apache/openejb/server/cxf/rs/CustomSecurityContextTest.java;h=6129a063007f2f703037fd048f28272ad81c79d6;hb=c5dea27ad20000b83391fc4bdc1b092b358f8c0c
> ?
>
>
> Romain Manni-Bucau
> @rmannibucau
> http://www.tomitribe.com
> http://rmannibucau.wordpress.com
> https://github.com/rmannibucau
>
>
> 2014-11-11 15:56 GMT+01:00 Alex Soto <asotobu@gmail.com>:
> > Hi,
> >
> > I am developing an application with JAXRS 2.0, and for this reason I am
> > currently using TomEE2. I need to implement my own SecurityContext based
> > on JWT. I need to implement it on my own because currently I cannot rely
> > on any CXF class, since I don't know the final application server yet.
> > But anyway, the problem is that I don't know why, but it just doesn't
> > work. Let me post a simple example.
> >
> > @Provider
> > public class JWTRequestFilter implements ContainerRequestFilter {
> >
> >     @Override
> >     public void filter(ContainerRequestContext request) throws IOException {
> >         String token = request.getHeaderString("x-access-token");
> >         try {
> >             String username = getUsernameFromToken(token);
> >             final User user = getUserByName(username);
> >             request.setSecurityContext(new SecurityContext() {
> >                 @Override
> >                 public boolean isUserInRole(String role) {
> >                     return user.isUserInRole(role);
> >                 }
> >                 @Override
> >                 public boolean isSecure() {
> >                     return false;
> >                 }
> >                 @Override
> >                 public Principal getUserPrincipal() {
> >                     return user;
> >                 }
> >                 @Override
> >                 public String getAuthenticationScheme() {
> >                     return SecurityContext.BASIC_AUTH;
> >                 }
> >             });
> >         } catch (ParseException | JOSEException e) {
> >             e.printStackTrace();
> >         }
> >     }
> > }
> >
> > And the endpoint:
> >
> > @Path("/book")
> > @PermitAll
> > public class BookResource {
> >
> >     @GET
> >     @Produces(MediaType.TEXT_PLAIN)
> >     @RolesAllowed("admin")
> >     public String book() {
> >         return "book";
> >     }
> >
> >     @GET
> >     @Path("article")
> >     @Produces(MediaType.TEXT_PLAIN)
> >     @RolesAllowed("superadmin")
> >     public String article() {
> >         return "article";
> >     }
> > }
> >
> > I have added two debug breakpoints, the first one just before registering
> > the new SecurityContext, and the second one inside SecurityContext in
> > method isUserInRole.
> >
> > The problem is that the first breakpoint is executed but not the second
> > one, so the SecurityContext I have implemented is not called and of
> course
> > the endpoints are accessible for any user.
> >
> > What am I missing?
> >
> > --
> > +----------------------------------------------------------+
> >   Alex Soto Bueno
> >   www.lordofthejars.com
> > +----------------------------------------------------------+
>



-- 
+----------------------------------------------------------+
  Alex Soto Bueno - Computer Engineer
  www.lordofthejars.com
+----------------------------------------------------------+

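The thread reports that a SecurityContext installed from a ContainerRequestFilter is not consulted when @RolesAllowed is evaluated on the resource, and that the posted filter cannot depend on CXF classes. The following is an added example, not code from this thread or from TomEE, showing one portable way to do both jobs inside JAX-RS 2.0 itself: an authentication filter that verifies the JWT and installs the SecurityContext, plus a DynamicFeature that reads @RolesAllowed / @PermitAll / @DenyAll from the matched resource and enforces them against that same SecurityContext, so the check no longer depends on the container's own security service. The Nimbus JOSE+JWT library is assumed (the posted filter catches JOSEException); the "roles" claim, the JWT_HS256_SECRET environment variable, the "Bearer" scheme name and the class names JwtSecurityFilter, RolesAllowedDynamicFeature and RoleCheck are assumptions of this example, and the "x-access-token" header is taken from the post.

```java
import java.io.IOException;
import java.lang.reflect.AnnotatedElement;
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import java.text.ParseException;
import java.util.*;
import javax.annotation.Priority;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.*;
import javax.ws.rs.core.FeatureContext;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.crypto.MACVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;

/** Authentication (priority 1000): a valid JWT installs a SecurityContext, an invalid one is rejected. */
@Provider @Priority(Priorities.AUTHENTICATION)
public class JwtSecurityFilter implements ContainerRequestFilter {
    // Assumption of this example: an HS256 shared secret of at least 32 bytes supplied by the deployment.
    private static final byte[] SECRET = System.getenv("JWT_HS256_SECRET").getBytes(StandardCharsets.UTF_8);

    @Override
    public void filter(ContainerRequestContext request) throws IOException {
        String token = request.getHeaderString("x-access-token");
        if (token == null) return; // no token: request stays anonymous; protected methods reject it below
        try {
            SignedJWT jwt = SignedJWT.parse(token);
            // Pin the algorithm and verify the signature before trusting a single claim.
            if (!JWSAlgorithm.HS256.equals(jwt.getHeader().getAlgorithm())
                    || !jwt.verify(new MACVerifier(SECRET))) {
                throw new JOSEException("bad algorithm or signature");
            }
            JWTClaimsSet claims = jwt.getJWTClaimsSet();
            if (claims.getSubject() == null || claims.getExpirationTime() == null
                    || claims.getExpirationTime().getTime() < System.currentTimeMillis()) {
                throw new JOSEException("missing subject or expired token");
            }
            final String subject = claims.getSubject();
            final List<String> roles = claims.getStringListClaim("roles"); // assumed claim name
            final Set<String> roleSet = new HashSet<String>(roles == null ? Collections.<String>emptyList() : roles);
            final SecurityContext current = request.getSecurityContext();
            final boolean secure = current != null && current.isSecure(); // keep the transport fact
            request.setSecurityContext(new SecurityContext() {
                @Override public Principal getUserPrincipal() {
                    return new Principal() { public String getName() { return subject; } };
                }
                @Override public boolean isUserInRole(String role) { return roleSet.contains(role); }
                @Override public boolean isSecure() { return secure; }
                @Override public String getAuthenticationScheme() { return "Bearer"; } // assumed scheme name
            });
        } catch (ParseException | JOSEException e) {
            // Malformed, forged or expired token: fail closed instead of falling through.
            request.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
        }
    }
}

/** Enforces @RolesAllowed / @PermitAll / @DenyAll against the JAX-RS SecurityContext, not the container's. */
@Provider
class RolesAllowedDynamicFeature implements DynamicFeature {
    private static final Set<String> OPEN = Collections.emptySet();                               // @PermitAll
    private static final Set<String> CLOSED = Collections.unmodifiableSet(new HashSet<String>()); // @DenyAll

    @Override
    public void configure(ResourceInfo info, FeatureContext context) {
        // Method-level annotations win over class-level ones; no annotation at all means open.
        Set<String> required = requiredRoles(info.getResourceMethod());
        if (required == null) required = requiredRoles(info.getResourceClass());
        if (required == null || required == OPEN) return;
        context.register(new RoleCheck(required), Priorities.AUTHORIZATION); // 2000: runs after authentication
    }

    private static Set<String> requiredRoles(AnnotatedElement element) {
        if (element.isAnnotationPresent(DenyAll.class)) return CLOSED;
        if (element.isAnnotationPresent(PermitAll.class)) return OPEN;
        RolesAllowed ra = element.getAnnotation(RolesAllowed.class);
        return ra == null ? null : new HashSet<String>(Arrays.asList(ra.value()));
    }

    static final class RoleCheck implements ContainerRequestFilter {
        private final Set<String> roles;
        RoleCheck(Set<String> roles) { this.roles = roles; }

        @Override public void filter(ContainerRequestContext request) {
            SecurityContext sc = request.getSecurityContext();
            boolean authenticated = sc != null && sc.getUserPrincipal() != null;
            if (authenticated) {
                // Any one listed role suffices, matching @RolesAllowed semantics; an empty set denies everyone.
                for (String role : roles) if (sc.isUserInRole(role)) return;
            }
            // Unauthenticated -> 401; authenticated but in none of the listed roles -> 403.
            request.abortWith(Response.status(authenticated
                    ? Response.Status.FORBIDDEN : Response.Status.UNAUTHORIZED).build());
        }
    }
}
```

Both classes are ordinary JAX-RS providers: they are picked up by provider scanning or returned from Application.getClasses(). Two design points differ from the filter quoted above: a parse or verification failure aborts the request with 401 rather than being printed and ignored, so a bad token cannot leave the container's default SecurityContext in place, and the algorithm is pinned to HS256 before the signature is checked. Note that the role check runs only for annotated methods on the JAX-RS side; if the resource is also an EJB, the container still applies its own checks with its own identity, not the one installed here.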