Posted to users@cxf.apache.org by Oliver Wulff <ow...@wowit.ch> on 2020/11/24 22:44:27 UTC
Injected JAX-RS javax.ws.rs.core.SecurityContext is null even though JwtToken validation is successful
Hi there
I've created the following simple JAX-RS implementation:
import java.security.Principal;

import javax.ws.rs.core.Context;
import javax.ws.rs.core.SecurityContext;

import org.springframework.context.annotation.Configuration;
import org.springframework.stereotype.Service;

@Service
@Configuration
public class ApiServiceImpl implements DefaultApi {

    // JAX-RS injects the per-request SecurityContext here
    @Context
    SecurityContext securityContext;

    @Override
    public String sayHi(String name) {
        // expected to carry the authenticated user, but is null in my setup
        Principal principal = securityContext.getUserPrincipal();
        return "Hi " + name;
    }
}
Within the method "sayHi", I'd like to access the security context: on the one hand the standard JAX-RS SecurityContext, but also the JwtToken, which includes the claim attributes as well. The JWT token validation itself works fine. It's set up like this:
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

import org.apache.cxf.Bus;
import org.apache.cxf.endpoint.Server;
import org.apache.cxf.jaxrs.JAXRSServerFactoryBean;
import org.apache.cxf.rs.security.oauth2.filters.JwtAccessTokenValidator;
import org.apache.cxf.rs.security.oauth2.filters.OAuthRequestFilter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class CxfSecurityConfig {

    @Autowired
    private Bus bus;

    @Autowired
    private DefaultApi apiService;

    @Bean
    public JwtAccessTokenValidator jwtAccessTokenValidator() {
        return new JwtAccessTokenValidator();
    }

    @Bean
    public OAuthRequestFilter oAuthRequestFilter(JwtAccessTokenValidator jwtTokenValidator) {
        // validates the bearer token and checks the audience claim
        final OAuthRequestFilter filter = new OAuthRequestFilter();
        filter.setTokenValidator(jwtTokenValidator);
        filter.setAudience("urn:myaudience");
        return filter;
    }

    @Bean
    public Server rsServer(OAuthRequestFilter filter) {
        JAXRSServerFactoryBean endpoint = new JAXRSServerFactoryBean();
        endpoint.setBus(bus);
        endpoint.setServiceBeans(Arrays.<Object>asList(apiService));
        endpoint.setProviders(Arrays.<Object>asList(filter));
        Map<String, Object> props = new HashMap<>();
        // properties file holding the verification key for the JWT signature
        props.put("rs.security.signature.properties", "sts.signature.properties");
        endpoint.setProperties(props);
        return endpoint.create();
    }
}
I have only found the following approach to get security context information:
Message msg = PhaseInterceptorChain.getCurrentMessage();
org.apache.cxf.security.SecurityContext sc = msg.get(org.apache.cxf.security.SecurityContext.class);
System.out.println("SecurityContext.UserPrincipal: " + sc.getUserPrincipal()); // is null
OAuthContext oauthContext = msg.getContent(OAuthContext.class);
System.out.println("OAuthContext.Subject.Login: " + oauthContext.getSubject().getLogin()); // shows my user id
System.out.println("OAuthContext.TokenRequestParts[1]: " + oauthContext.getTokenRequestParts()[1]); // shows the JWT token
The only approach to get the claims of the JWT token is to parse it again like this:
JoseJwtConsumer joseJwtConsumer = new JoseJwtConsumer();
JwtToken t = joseJwtConsumer.getJwtToken(oauthContext.getTokenRequestParts()[1]);
IMHO, this should not be the approach to get this kind of information. What do you recommend?
Thanks
Oli