You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@cxf.apache.org by "Jostein Gogstad (JIRA)" <ji...@apache.org> on 2015/03/24 16:37:53 UTC
[jira] [Updated] (CXF-6317) Authorization not possible with
multiple service beans
[ https://issues.apache.org/jira/browse/CXF-6317?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jostein Gogstad updated CXF-6317:
---------------------------------
Description:
Given a jaxrs:server with more than one serviceBean it is not possible to secure them both.
Take the following configuration (it's in blueprint, but it shouldn't matter):
{code:xml}
<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:jaxrs="http://cxf.apache.org/blueprint/jaxrs"
xsi:schemaLocation="http://www.osgi.org/xmlns/blueprint/v1.0.0 http://www.osgi.org/xmlns/blueprint/v1.0.0/blueprint.xsd
http://cxf.apache.org/blueprint/jaxrs http://cxf.apache.org/schemas/blueprint/jaxrs.xsd">
<jaxrs:server id="myservice" address="/service">
<jaxrs:inInterceptors>
<ref component-id="part1AuthorizationInterceptor"/>
<ref component-id="part2AuthorizationInterceptor"/>
</jaxrs:inInterceptors>
<jaxrs:serviceBeans>
<ref component-id="part1WebService"/>
<ref component-id="part2WebService"/>
</jaxrs:serviceBeans>
<jaxrs:providers>
<ref component-id="authenticationFilter"/>
</jaxrs:providers>
</jaxrs:server>
<bean id="part1WebService" class="com.example.Part1WebService"/>
<bean id="part2WebService" class="com.example.Part2WebService"/>
<bean id="part1AuthorizationInterceptor" class="org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor">
<property name="securedObject" ref="part1WebService"/>
</bean>
<bean id="part2AuthorizationInterceptor" class="org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor">
<property name="securedObject" ref="part2WebService"/>
</bean>
</blueprint>
{code}
Since {{org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor}} only secures one object, we need two instances, one for each service bean.
If you walk up {{SecureAnnotationsInterceptor}} constructor chain, you'll end up in [org.apache.cxf.phase.AbstractPhaseInterceptor|https://github.com/apache/cxf/blob/cxf-2.7.15/api/src/main/java/org/apache/cxf/phase/AbstractPhaseInterceptor.java#L89-L91] (github link) where the interceptor's {{id}} is set to {{getClass().getName()}}. So now we have two interceptors with the same id. When the interceptor chain is built in [org.apache.cxf.phase.PhaseInterceptorChain|https://github.com/apache/cxf/blob/cxf-2.7.15/api/src/main/java/org/apache/cxf/phase/PhaseInterceptorChain.java#L589-L596] the second interceptor is ignored since it has the same id as the first one.
was:
Given a jaxrs:server with more than one serviceBean it is not possible to secure them both.
Take the following configuration (it's in blueprint, but it shouldn't matter):
{code:xml}
<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:jaxrs="http://cxf.apache.org/blueprint/jaxrs"
xsi:schemaLocation="http://www.osgi.org/xmlns/blueprint/v1.0.0 http://www.osgi.org/xmlns/blueprint/v1.0.0/blueprint.xsd
http://cxf.apache.org/blueprint/jaxrs http://cxf.apache.org/schemas/blueprint/jaxrs.xsd">
<jaxrs:server id="myservice" address="/service">
<jaxrs:inInterceptors>
<ref component-id="part1AuthorizationInterceptor"/>
<ref component-id="part2AuthorizationInterceptor"/>
</jaxrs:inInterceptors>
<jaxrs:serviceBeans>
<ref component-id="part1WebService"/>
<ref component-id="part2WebService"/>
</jaxrs:serviceBeans>
<jaxrs:providers>
<ref component-id="authenticationFilter"/>
</jaxrs:providers>
</jaxrs:server>
<bean id="part1WebService" class="com.example.Part1WebService"/>
<bean id="part2WebService" class="com.example.Part2WebService"/>
<bean id="part1AuthorizationInterceptor" class="org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor">
<property name="securedObject" ref="part1WebService"/>
</bean>
<bean id="part2AuthorizationInterceptor" class="org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor">
<property name="securedObject" ref="part2WebService"/>
</bean>
</blueprint>
{code}
Since {{org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor}} only secures one object, we need two instances, one for each service bean.
If you walk up {{SecureAnnotationsInterceptor}} constructor chain, you'll end up in [org.apache.cxf.phase.AbstractPhaseInterceptor|https://github.com/apache/cxf/blob/cxf-2.7.15/api/src/main/java/org/apache/cxf/phase/AbstractPhaseInterceptor.java#L89-L91] where the interceptor's {{id}} is set to {{getClass().getName()}}. So now we have two interceptors with the same id. When the interceptor chain is built in [org.apache.cxf.phase.PhaseInterceptorChain|https://github.com/apache/cxf/blob/cxf-2.7.15/api/src/main/java/org/apache/cxf/phase/PhaseInterceptorChain.java#L589-L596] the second interceptor is ignored since it has the same id as the first one.
> Authorization not possible with multiple service beans
> ------------------------------------------------------
>
> Key: CXF-6317
> URL: https://issues.apache.org/jira/browse/CXF-6317
> Project: CXF
> Issue Type: Bug
> Components: JAX-RS Security
> Reporter: Jostein Gogstad
>
> Given a jaxrs:server with more than one serviceBean it is not possible to secure them both.
> Take the following configuration (it's in blueprint, but it shouldn't matter):
> {code:xml}
> <blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xmlns:jaxrs="http://cxf.apache.org/blueprint/jaxrs"
> xsi:schemaLocation="http://www.osgi.org/xmlns/blueprint/v1.0.0 http://www.osgi.org/xmlns/blueprint/v1.0.0/blueprint.xsd
> http://cxf.apache.org/blueprint/jaxrs http://cxf.apache.org/schemas/blueprint/jaxrs.xsd">
> <jaxrs:server id="myservice" address="/service">
> <jaxrs:inInterceptors>
> <ref component-id="part1AuthorizationInterceptor"/>
> <ref component-id="part2AuthorizationInterceptor"/>
> </jaxrs:inInterceptors>
> <jaxrs:serviceBeans>
> <ref component-id="part1WebService"/>
> <ref component-id="part2WebService"/>
> </jaxrs:serviceBeans>
> <jaxrs:providers>
> <ref component-id="authenticationFilter"/>
> </jaxrs:providers>
> </jaxrs:server>
> <bean id="part1WebService" class="com.example.Part1WebService"/>
> <bean id="part2WebService" class="com.example.Part2WebService"/>
>
> <bean id="part1AuthorizationInterceptor" class="org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor">
> <property name="securedObject" ref="part1WebService"/>
> </bean>
> <bean id="part2AuthorizationInterceptor" class="org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor">
> <property name="securedObject" ref="part2WebService"/>
> </bean>
> </blueprint>
> {code}
> Since {{org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor}} only secures one object, we need two instances, one for each service bean.
> If you walk up {{SecureAnnotationsInterceptor}} constructor chain, you'll end up in [org.apache.cxf.phase.AbstractPhaseInterceptor|https://github.com/apache/cxf/blob/cxf-2.7.15/api/src/main/java/org/apache/cxf/phase/AbstractPhaseInterceptor.java#L89-L91] (github link) where the interceptor's {{id}} is set to {{getClass().getName()}}. So now we have two interceptors with the same id. When the interceptor chain is built in [org.apache.cxf.phase.PhaseInterceptorChain|https://github.com/apache/cxf/blob/cxf-2.7.15/api/src/main/java/org/apache/cxf/phase/PhaseInterceptorChain.java#L589-L596] the second interceptor is ignored since it has the same id as the first one.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)