tomee-users mailing list archives

From SKR <k...@cosma-consult.de>
Subject Re: TomEE2 JAXRS Security Context
Date Fri, 16 Jan 2015 10:24:36 GMT
Hi

Sorry for intercepting here ;) but I'd like to take up your thread about the
SecureAnnotationsInterceptor.

If I got it right, it should be possible to use the @RolesAllowed annotation on
a JAX-RS service method (not EJB!) when using CXF's
SecureAnnotationsInterceptor. Is this correct?

I prepared a small service that does not like to run because the
SecureAnnotationsInterceptor is never called.

Application Class:
import java.util.HashSet;
import java.util.Set;
import javax.interceptor.Interceptors;
import javax.ws.rs.core.Application;

@javax.ws.rs.ApplicationPath("/test")
@Interceptors(org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor.class)
public class DeviceService extends Application {

	@Override
	public Set<Class<?>> getClasses() {
		Set<Class<?>> s = new HashSet<Class<?>>();
		s.add(MyServiceClass.class);
		return s;
	}
}

Service Class:
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.GET;

@GET
@RolesAllowed("myRole")
public String getTest() {
  return "TEST";
}

I deployed it on TomEE 1.7.1-plus.

In fact everyone can invoke the service. The SecureAnnotationsInterceptor
class does not even get loaded!

I tried to follow the CXF reference on
http://cxf.apache.org/docs/secure-jax-rs-services.html.
Instead of
@Interceptors(org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor.class)
I tried to register the Interceptor in a cxf-servlet.xml file, that I placed
directly in WEB-INF/.

<?xml version="1.0" encoding="UTF-8"?>

<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:jaxrs="http://cxf.apache.org/jaxrs"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
         http://cxf.apache.org/jaxrs http://cxf.apache.org/schemas/jaxrs.xsd">

  <bean id="secureBean" class="MyServiceClass"/>

  <bean id="authorizationInterceptor"
        class="org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor">
    <property name="securedObject" ref="secureBean"/>
  </bean>

  <jaxrs:server address="/test">
    <jaxrs:providers>
      <ref bean="authorizationInterceptor" />
    </jaxrs:providers>
  </jaxrs:server>

</beans>

The result is the same. The interceptor class does not even get loaded :(

I tried to follow your advice not to lose too much time on it ;) I failed.
Do you have some suggestions?

Thanks!




--
View this message in context: http://tomee-openejb.979440.n4.nabble.com/TomEE2-JAXRS-Security-Context-tp4672828p4673407.html
Sent from the TomEE Users mailing list archive at Nabble.com.
