Posted to users@cxf.apache.org by Oliver Wulff <ow...@wowit.ch> on 2020/11/24 22:44:27 UTC

Injected JAX-RS javax.ws.rs.core.SecurityContext is null even though JwtToken validation is successful

Hi there

I've created the following simple JAX-RS implementation:

import javax.ws.rs.core.Context;
import javax.ws.rs.core.SecurityContext;
import org.springframework.context.annotation.Configuration;
import org.springframework.stereotype.Service;

@Service
@Configuration
public class ApiServiceImpl implements DefaultApi {

    @Context
    SecurityContext securityContext;   // injected by CXF

    @Override
    public String sayHi(String name) {
        // the caller's principal should come from the injected JAX-RS SecurityContext
        return "Hi " + name + ", principal: " + securityContext.getUserPrincipal();
    }
}


Within the method "sayHi", I'd like to access the security context: on the one hand the standard JAX-RS SecurityContext, but also the JwtToken, which includes claim attributes as well. The JWT token validation itself works fine. It's set up like this:

import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import org.apache.cxf.Bus;
import org.apache.cxf.endpoint.Server;
import org.apache.cxf.jaxrs.JAXRSServerFactoryBean;
import org.apache.cxf.rs.security.oauth2.filters.JwtAccessTokenValidator;
import org.apache.cxf.rs.security.oauth2.filters.OAuthRequestFilter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class CxfSecurityConfig {

    @Autowired
    private Bus bus;

    @Autowired
    private DefaultApi apiService;

    @Bean
    public JwtAccessTokenValidator jwtAccessTokenValidator() {
        return new JwtAccessTokenValidator();
    }

    @Bean
    public OAuthRequestFilter oAuthRequestFilter(JwtAccessTokenValidator jwtTokenValidator) {
        // validates the bearer JWT on every request and checks its audience
        final OAuthRequestFilter filter = new OAuthRequestFilter();
        filter.setTokenValidator(jwtTokenValidator);
        filter.setAudience("urn:myaudience");
        return filter;
    }

    @Bean
    public Server rsServer(OAuthRequestFilter filter) {
        JAXRSServerFactoryBean endpoint = new JAXRSServerFactoryBean();
        endpoint.setBus(bus);

        endpoint.setServiceBeans(Arrays.<Object>asList(apiService));
        endpoint.setProviders(Arrays.<Object>asList(filter));

        // signature verification keys for the JWT validator
        Map<String, Object> props = new HashMap<>();
        props.put("rs.security.signature.properties", "sts.signature.properties");
        endpoint.setProperties(props);
        return endpoint.create();
    }
}

I have only found the following approach to get security context information:

        Message msg = PhaseInterceptorChain.getCurrentMessage();
        org.apache.cxf.security.SecurityContext sc = msg.get(org.apache.cxf.security.SecurityContext.class);

        System.out.println("SecurityContext.UserPrincipal: " + sc.getUserPrincipal());  // is null
        OAuthContext oauthContext = msg.getContent(OAuthContext.class);
        System.out.println("OAuthContext.Subject.Login: " + oauthContext.getSubject().getLogin());   //shows my user id
        System.out.println("OAuthContext.TokenRequestParts[1]: " + oauthContext.getTokenRequestParts()[1]);  //shows the JWT token

The only approach to get the claims of the JWT token is to parse it again like this:

        JoseJwtConsumer joseJwtConsumer = new JoseJwtConsumer();
        JwtToken t = joseJwtConsumer.getJwtToken(oauthContext.getTokenRequestParts()[1]);


IMHO, this should not be the approach to get this kind of information. What do you recommend?

Thanks
Oli
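As an added example (not from the post above and not CXF's own code), here is a JAX-RS filter that takes the same path the post describes, reading the already-validated token out of OAuthContext, but fails closed when the context is missing, re-checks expiry and audience before trusting the claims, and publishes the JwtClaims on the CXF Message so resource methods need not parse the token again. It assumes the "urn:myaudience" value from the post's configuration and that the filter is registered in the provider list beside the OAuthRequestFilter.

```java
import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.PhaseInterceptorChain;
import org.apache.cxf.rs.security.jose.jwt.JoseJwtConsumer;
import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
import org.apache.cxf.rs.security.oauth2.common.OAuthContext;

// Post-matching filter, so it runs after the pre-matching OAuthRequestFilter.
// Register it beside that filter: endpoint.setProviders(Arrays.asList(filter, new JwtClaimsFilter()));
@Provider
@Priority(Priorities.AUTHORIZATION)
public class JwtClaimsFilter implements ContainerRequestFilter {
    private static final String EXPECTED_AUDIENCE = "urn:myaudience"; // value from the post's config

    @Override
    public void filter(ContainerRequestContext ctx) {
        Message msg = PhaseInterceptorChain.getCurrentMessage();
        OAuthContext oauth = msg.getContent(OAuthContext.class);
        String[] parts = oauth == null ? null : oauth.getTokenRequestParts();
        if (parts == null || parts.length < 2 || parts[1] == null) { // no token accepted upstream: fail closed
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
            return;
        }
        JwtClaims claims;
        try {
            claims = new JoseJwtConsumer().getJwtToken(parts[1]).getClaims();
        } catch (RuntimeException e) { // malformed token or failed re-verification
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
            return;
        }
        // Re-check the two claims an authorization decision depends on before trusting the rest.
        Long exp = claims.getExpiryTime();
        boolean expired = exp == null || exp * 1000L <= System.currentTimeMillis();
        boolean audienceOk = claims.getAudiences() != null && claims.getAudiences().contains(EXPECTED_AUDIENCE);
        if (expired || !audienceOk) {
            ctx.abortWith(Response.status(Response.Status.FORBIDDEN).build());
            return;
        }
        msg.put(JwtClaims.class, claims); // resource code reads it back via currentClaims()
    }

    public static JwtClaims currentClaims() {
        Message msg = PhaseInterceptorChain.getCurrentMessage();
        return msg == null ? null : msg.get(JwtClaims.class);
    }
}
```

Inside sayHi, JwtClaimsFilter.currentClaims() then returns the claims for the current request, or null if the filter did not run.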