Posted to users@cxf.apache.org by Juan José Pérez Consuegra <jj...@gmail.com> on 2012/08/17 21:45:09 UTC

Restful service with HTTPs and authorization

Hello,

I'm studying the examples given with cxf, specifically security and https. In my
project I need a standalone server publishing the server with no war
package. The https example seems to be like this, but the security one uses a
war package. My question is how to mix both.

I understand that I can use the https project using the security annotations,
but I have the following doubt: how can I establish the filter and filter-map of
the web.xml as the one used in the security example?


        <filter>
         <filter-name>springSecurityFilterChain</filter-name>
         <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
        </filter>

        <filter-mapping>
         <filter-name>springSecurityFilterChain</filter-name>
         <url-pattern>/*</url-pattern>
        </filter-mapping>

Does anyone know about a complete example to guide me????

thanks a lot

Re: Restful service with HTTPs and authorization

Posted by Sergey Beryozkin <sb...@gmail.com>.
You can probably copy the code from the run() method at

http://svn.apache.org/repos/asf/cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/AbstractSpringServer.java

replace 'warPath' with the location of the war application (this is not 
the actual war archive file, but the directory ready to be packaged as war).
I'm presuming that the requirement is to avoid using an actual 'war' 
archive.

Cheers, Sergey

On 18/08/12 15:58, Glen Mazza wrote:
> I'm not sure you can do that, or even if such security functionality
> were provided in the embedded server, whether it would be something you
> should rely on in production use. Once you get to SSL, roles,
> users/passwords, etc., formally declaring your rest endpoints in a WAR
> file and deploying it to a standalone servlet container like Tomcat or
> JEE app server is usually best. Let the container handle the security[1].
>
> But perhaps someone else can provide you an answer to what you're trying
> to do.
>
> Glen
>
> [1] http://www.jroller.com/gmazza/entry/ssl_for_web_services
>


-- 
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

Blog: http://sberyozkin.blogspot.com
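
Added example (not part of the thread and not CXF's own code): one way to get the web.xml filter and filter-mapping wiring in a standalone server is to register it programmatically on an embedded Jetty context. It assumes Jetty 9.4, javax.servlet and Spring Web on the classpath, a beans.xml on the classpath holding the security configuration and a jaxrs:server endpoint, and keystore settings passed through the hypothetical system properties keystore.path and keystore.password.

```java
import java.util.EnumSet;
import javax.servlet.DispatcherType;

import org.apache.cxf.transport.servlet.CXFServlet;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.servlet.FilterHolder;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlet.ServletHolder;
import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.springframework.web.context.ContextLoaderListener;
import org.springframework.web.filter.DelegatingFilterProxy;

// Hypothetical class name; assumes Jetty 9.4 and a classpath beans.xml.
public class SecureStandaloneServer {
    public static void main(String[] args) throws Exception {
        Server server = new Server();

        // HTTPS-only connector: no plain HTTP listener is added, so Basic
        // credentials never travel unencrypted. Both properties must be supplied.
        SslContextFactory.Server ssl = new SslContextFactory.Server();
        ssl.setKeyStorePath(System.getProperty("keystore.path"));
        ssl.setKeyStorePassword(System.getProperty("keystore.password"));
        HttpConfiguration https = new HttpConfiguration();
        https.addCustomizer(new SecureRequestCustomizer());
        ServerConnector connector = new ServerConnector(server,
            new SslConnectionFactory(ssl, "http/1.1"), new HttpConnectionFactory(https));
        connector.setPort(9000);
        server.addConnector(connector);

        ServletContextHandler ctx = new ServletContextHandler(ServletContextHandler.SESSIONS);
        ctx.setContextPath("/");
        // Equivalent of <context-param> + <listener>: load the Spring context.
        ctx.setInitParameter("contextConfigLocation", "classpath:beans.xml");
        ctx.addEventListener(new ContextLoaderListener());
        // Equivalent of <filter> + <filter-mapping> for springSecurityFilterChain on /*.
        ctx.addFilter(new FilterHolder(new DelegatingFilterProxy("springSecurityFilterChain")),
            "/*", EnumSet.of(DispatcherType.REQUEST));
        // Equivalent of the CXFServlet <servlet> + <servlet-mapping>.
        ctx.addServlet(new ServletHolder(new CXFServlet()), "/*");

        server.setHandler(ctx);
        server.start();
        server.join();
    }
}
```

Because the filter is mapped to /* ahead of CXFServlet, every request passes through the Spring Security chain before it reaches a JAX-RS resource.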

Re: Restful service with HTTPs and authorization

Posted by Glen Mazza <gm...@talend.com>.
I'm not sure you can do that, or even if such security functionality 
were provided in the embedded server, whether it would be something you 
should rely on in production use.  Once you get to SSL, roles, 
users/passwords, etc., formally declaring your rest endpoints in a WAR 
file and deploying it to a standalone servlet container like Tomcat or 
JEE app server is usually best.  Let the container handle the security[1].

But perhaps someone else can provide you an answer to what you're trying 
to do.

Glen

[1] http://www.jroller.com/gmazza/entry/ssl_for_web_services

On 08/18/2012 07:30 AM, Juan José Pérez Consuegra wrote:
> That is exactly my question, if I want to use authentication I must add
> annotations, users, password and roles in serverconfig.xml, but I don't
> know how to include filters in my server class.
>
> In rs security sample I have in web.xml:
>
>          <filter>
>           <filter-name>springSecurityFilterChain</filter-name>
>           <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
>          </filter>
>
>          <filter-mapping>
>           <filter-name>springSecurityFilterChain</filter-name>
>           <url-pattern>/*</url-pattern>
>          </filter-mapping>
>
> and in beans.xml
>
>    <security:global-method-security secured-annotations="enabled">
>        <security:protect-pointcut
>          expression="execution(* demo.jaxrs.service.CustomerService.getCustomer(*))"
>          access="ROLE_CUSTOMER, ROLE_ADMIN"/>
>        <security:protect-pointcut
>          expression="execution(* demo.jaxrs.service.CustomerService.addCustomer(*))"
>          access="ROLE_ADMIN"/>
>        <security:protect-pointcut
>          expression="execution(* demo.jaxrs.service.CustomerService.updateCustomer(Long,demo.jaxrs.service.Customer))"
>          access="ROLE_ADMIN"/>
>        <security:protect-pointcut
>          expression="execution(* demo.jaxrs.service.CustomerService.deleteCustomer(*))"
>          access="ROLE_ADMIN"/>
>        <security:protect-pointcut
>          expression="execution(* demo.jaxrs.service.CustomerService.getOrder(*))"
>          access="ROLE_CUSTOMER, ROLE_ADMIN"/>
>    </security:global-method-security>
>
>    <security:http auto-config='true'>
>      <security:http-basic />
>    </security:http>
>
> The problem is with the first one, where can I put filter information in
> the server class of the https example:
>
> public class Server {
>
>      static {
>          // set the configuration file
>          SpringBusFactory factory = new SpringBusFactory();
>          Bus bus = factory.createBus("ServerConfig.xml");
>          BusFactory.setDefaultBus(bus);
>      }
>
>      protected Server() throws Exception {
>          JAXRSServerFactoryBean sf = new JAXRSServerFactoryBean();
>          sf.setResourceClasses(CustomerServiceImpl.class);
>          sf.setResourceProvider(CustomerServiceImpl.class,
>              new SingletonResourceProvider(new CustomerServiceImpl()));
>          sf.setAddress("https://localhost:9000/");
>
>          sf.create();
>      }
>
>      public static void main(String args[]) throws Exception {
>          new Server();
>          System.out.println("Server ready...");
>
>          Thread.sleep(5 * 60 * 1000);
>          System.out.println("Server exiting");
>          System.exit(0);
>      }
> }
>
> thanks for your quick answer.
>
> Juanjo
>


Re: Restful service with HTTPs and authorization

Posted by Juan José Pérez Consuegra <jj...@gmail.com>.
That is exactly my question, if I want to use authentication I must add
annotations, users, password and roles in serverconfig.xml, but I don't
know how to include filters in my server class.

In rs security sample I have in web.xml:

        <filter>
         <filter-name>springSecurityFilterChain</filter-name>
         <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
        </filter>

        <filter-mapping>
         <filter-name>springSecurityFilterChain</filter-name>
         <url-pattern>/*</url-pattern>
        </filter-mapping>

and in beans.xml

  <security:global-method-security secured-annotations="enabled">
      <security:protect-pointcut
        expression="execution(* demo.jaxrs.service.CustomerService.getCustomer(*))"
        access="ROLE_CUSTOMER, ROLE_ADMIN"/>
      <security:protect-pointcut
        expression="execution(* demo.jaxrs.service.CustomerService.addCustomer(*))"
        access="ROLE_ADMIN"/>
      <security:protect-pointcut
        expression="execution(* demo.jaxrs.service.CustomerService.updateCustomer(Long,demo.jaxrs.service.Customer))"
        access="ROLE_ADMIN"/>
      <security:protect-pointcut
        expression="execution(* demo.jaxrs.service.CustomerService.deleteCustomer(*))"
        access="ROLE_ADMIN"/>
      <security:protect-pointcut
        expression="execution(* demo.jaxrs.service.CustomerService.getOrder(*))"
        access="ROLE_CUSTOMER, ROLE_ADMIN"/>
  </security:global-method-security>

  <security:http auto-config='true'>
    <security:http-basic />
  </security:http>

The problem is with the first one, where can I put filter information in
the server class of the https example:

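import org.apache.cxf.Bus;
import org.apache.cxf.BusFactory;
import org.apache.cxf.bus.spring.SpringBusFactory;
import org.apache.cxf.jaxrs.JAXRSServerFactoryBean;
import org.apache.cxf.jaxrs.lifecycle.SingletonResourceProvider;
// CustomerServiceImpl is the resource class from the https sample

public class Server {

    static {
        // set the configuration file
        SpringBusFactory factory = new SpringBusFactory();
        Bus bus = factory.createBus("ServerConfig.xml");
        BusFactory.setDefaultBus(bus);
    }

    protected Server() throws Exception {
        // publish the JAX-RS endpoint directly, with no servlet container or web.xml
        JAXRSServerFactoryBean sf = new JAXRSServerFactoryBean();
        sf.setResourceClasses(CustomerServiceImpl.class);
        sf.setResourceProvider(CustomerServiceImpl.class,
            new SingletonResourceProvider(new CustomerServiceImpl()));
        sf.setAddress("https://localhost:9000/");

        sf.create();
    }

    public static void main(String args[]) throws Exception {
        new Server();
        System.out.println("Server ready...");

        // keep the server up for five minutes, then exit
        Thread.sleep(5 * 60 * 1000);
        System.out.println("Server exiting");
        System.exit(0);
    }
}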

thanks for your quick answer.

Juanjo

2012/8/17 Glen Mazza <gm...@talend.com>

> The JAX-RS HTTPS sample doesn't use a WAR:
> http://svn.apache.org/viewvc/cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/
>
> HTH,
> Glen
>
>

Re: Restful service with HTTPs and authorization

Posted by Glen Mazza <gm...@talend.com>.
The JAX-RS HTTPS sample doesn't use a WAR:
http://svn.apache.org/viewvc/cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/

HTH,
Glen

On 08/17/2012 03:45 PM, Juan José Pérez Consuegra wrote:
> Hello,
>
> I'm studying the examples given with cxf, specifically security and https. In my
> project I need a standalone server publishing the server with no war
> package. The https example seems to be like this, but the security one uses a
> war package. My question is how to mix both.
>
> I understand that I can use the https project using the security annotations,
> but I have the following doubt: how can I establish the filter and filter-map of
> the web.xml as the one used in the security example?
>
>
>          <filter>
>           <filter-name>springSecurityFilterChain</filter-name>
>           <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
>          </filter>
>
>          <filter-mapping>
>           <filter-name>springSecurityFilterChain</filter-name>
>           <url-pattern>/*</url-pattern>
>          </filter-mapping>
>
> Does anyone know about a complete example to guide me????
>
> thanks a lot
>