How to use JUnit to test CXF JAX-RS methods protected by Spring-Security

[Jim Talbut <jt...@spudsoft.co.uk>]

Hi,

I want to use Spring-Security to protect a bunch of JAX-RS endpoints in 
a couple of different (independent) applications.
One of the applications will start off using basic auth and will 
probably never progress beyond that, so I could use CXF interceptors to 
handle the auth.
The other application will use CAS, and I'm not aware of any CXF 
interceptors that handle that.
Hence the desire to use Spring-Security.

My problem is that I want to be able to have maven run integration tests 
that validate the method level security on each build (and preferably in 
the same test cases that test other aspects of the REST interface).

Previously I have just carried out my testing by having CXF construct a 
localhost endpoint, but this means that spring knows nothing about the 
network side of the tests and thus spring-security isn't used.

Is it possible to introduce the Spring-Security filters into the jetty 
instance created by CXF?
If not, is it possible to have a Spring JUnit testcase created as a 
(real, not mock) servlet container so that CXF can use a relative address?
Another thought was to find a way to have the CXF WebClient use a Spring 
mock endpoint, but I have even less idea about how to do that.

Any ideas?

Thanks

Jim

Re: How to use JUnit to test CXF JAX-RS methods protected by Spring-Security

[Sergey Beryozkin <sb...@gmail.com>]

Hi
On 14/10/13 13:17, Winnebeck, Jason wrote:
> On 14/10/2013 01:17, Jim Talbut wrote:
>> I /think/ this is breaking because the proxy for the PreAuth is meaning that the @Context annotation isn't being detected by CXF.
>> Can that be fixed?
>
> I don't have experience CXF + Spring Security directly, but I am using Spring and it had to create a proxy for a CXF service, and all of my @Context fields stopped being injected. This makes sense because CXF inspects the generated proxy class instead of the proxy's delegate. For me the solution was to convert @Context fields to @Context setter methods like @Context setUriInfo(UriInfo uriInfo), and these methods will be present on the proxy so CXF can call them. So, this might be the same problem you are running into.

thanks for that, yes, the setters will work with Spring proxies.

Cheers, Sergey

>
> Jason
>
> ----------------------------------------------------------------------
> This email message and any attachments are for the sole use of the intended recipient(s). Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message and any attachments.
>

RE: How to use JUnit to test CXF JAX-RS methods protected by Spring-Security

["Winnebeck, Jason" <Ja...@windstream.com>]

On 14/10/2013 01:17, Jim Talbut wrote:
> I /think/ this is breaking because the proxy for the PreAuth is meaning that the @Context annotation isn't being detected by CXF.
> Can that be fixed?

I don't have experience CXF + Spring Security directly, but I am using Spring and it had to create a proxy for a CXF service, and all of my @Context fields stopped being injected. This makes sense because CXF inspects the generated proxy class instead of the proxy's delegate. For me the solution was to convert @Context fields to @Context setter methods like @Context setUriInfo(UriInfo uriInfo), and these methods will be present on the proxy so CXF can call them. So, this might be the same problem you are running into.

Jason

----------------------------------------------------------------------
This email message and any attachments are for the sole use of the intended recipient(s). Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message and any attachments.

Re: How to use JUnit to test CXF JAX-RS methods protected by Spring-Security

[Jim Talbut <jt...@spudsoft.co.uk>]

On 12/10/2013 17:29, Jim Talbut wrote:
> Hi,
>
> I want to use Spring-Security to protect a bunch of JAX-RS endpoints 
> in a couple of different (independent) applications.
> One of the applications will start off using basic auth and will 
> probably never progress beyond that, so I could use CXF interceptors 
> to handle the auth.
> The other application will use CAS, and I'm not aware of any CXF 
> interceptors that handle that.
> Hence the desire to use Spring-Security.
>
> My problem is that I want to be able to have maven run integration 
> tests that validate the method level security on each build (and 
> preferably in the same test cases that test other aspects of the REST 
> interface).
>
> Previously I have just carried out my testing by having CXF construct 
> a localhost endpoint, but this means that spring knows nothing about 
> the network side of the tests and thus spring-security isn't used.
>
> Is it possible to introduce the Spring-Security filters into the jetty 
> instance created by CXF?
> If not, is it possible to have a Spring JUnit testcase created as a 
> (real, not mock) servlet container so that CXF can use a relative 
> address?
> Another thought was to find a way to have the CXF WebClient use a 
> Spring mock endpoint, but I have even less idea about how to do that.
>
> Any ideas?
>
> Thanks
>
> Jim
>

I've written a Jetty Handler that manually invokes the Spring Security 
filter chain (passing a data collecting filter as the next filter in the 
chain) and it sort-of works.
The big outstanding problem is that the CXF context breaks if I apply 
the @PreAuthorize annotation directly to the JAX-RS method:
     @GET
     @Produces( { "application/json", "text/xml" } )
     @PreAuthorize("hasRole('ROLE_ADMIN')")
     public UsersElement getAll() {

I /think/ this is breaking because the proxy for the PreAuth is meaning 
that the @Context annotation isn't being detected by CXF.
Can that be fixed?

Jim