Posted to users@cxf.apache.org by Jari Fredriksson <ja...@iki.fi> on 2015/03/20 17:10:32 UTC

Trouble with CXF jaxrs Basic auth (on Liferay/Tomcat platform)

I have created a RESTful service, and it works OK w/o authentication.
Trying to setup basic auth using Spring Security 3.2.6 on top of that.

The problem is that when I have @Secured the services, the system
always tells me that "Forbidden".

For example this service:

@Path("/1.0/")
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
public interface WebService
{
    /**
     * Can be used to test the connection and service.
     *
     * @return Response with message: pong
     */
    @GET
    @Path("/ping")
    @Secured({"ROLE_TMR", "ROLE_ADMIN"})
    public Response ping();
}

will return Forbidden always, and the browser does not request any
credentials. I think something is blocking the basic auth in this setup.

Setup:

Liferay 6.2 on Tomcat 7.2

The security is configured in beans.xml like this:

<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:jaxrs="http://cxf.apache.org/jaxrs"
       xmlns:aop="http://www.springframework.org/schema/aop"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
         http://www.springframework.org/schema/aop
http://www.springframework.org/schema/aop/spring-aop.xsd
         http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd
         http://cxf.apache.org/jaxrs
http://cxf.apache.org/schemas/jaxrs.xsd">
    <import resource="classpath:META-INF/cxf/cxf.xml"/>
    <import resource="classpath:META-INF/cxf/cxf-servlet.xml"/>
    <jaxrs:server id="webservice" address="/">
        <jaxrs:serviceBeans>
            <ref bean="webservice10"/>
        </jaxrs:serviceBeans>
        <jaxrs:providers>
            <bean class="fi.dise.ws.SecurityExceptionMapper"/>
            <bean class="com.fasterxml.jackson.jaxrs.json.JacksonJaxbJsonProvider"/>
        </jaxrs:providers>
    </jaxrs:server>
    <bean id="webservice10" class="fi.dise.ws.WebServiceImpl" />
    <!--
    <bean class="org.springframework.security.authentication.encoding.Md5PasswordEncoder"
          id="passwordEncoder"/>
    -->
    <security:global-method-security secured-annotations="enabled" />
    <security:http auto-config="true">
        <security:http-basic/>
    </security:http>
    <security:authentication-manager>
        <security:authentication-provider>
            <!-- it is possible to md5 encode these passwords, or use a
                 SQL backed or a custom bean for this. -->
            <!-- <security:password-encoder ref="passwordEncoder"/> -->
            <security:user-service>
                <security:user name="tmr" password="xxxx" authorities="ROLE_TMR"/>
            </security:user-service>
        </security:authentication-provider>
    </security:authentication-manager>
</beans>

Any ideas? The config should be OK, but does not work when the security
is uncommented like this. Could Liferay or Tomcat somehow cause this?

-- 
jarif.bit



Re: Trouble with CXF jaxrs Basic auth (on Liferay/Tomcat platform)

Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi

It appears OK, the actual configuration. I think the problem is Spring
Security related.
The actual authentication is OK, it is asserting that the authenticated
user is in one of the roles that does not work; maybe you have an admin
user, in which case it would explain why you have 403 (the configuration
below does not assign an admin role to users).
I've no other ideas...

Cheers, Sergey
On 20/03/15 16:10, Jari Fredriksson wrote:
>
> I have created a RESTful service, and it works OK w/o authentication.
> Trying to setup basic auth using Spring Security 3.2.6 on top of that.
>
> The problem is that when I have @Secured the services, the system
> always tells me that "Forbidden".
>
> For example this service:
>
> @Path("/1.0/")
> @Consumes(MediaType.APPLICATION_JSON)
> @Produces(MediaType.APPLICATION_JSON)
> public interface WebService
> {
>      /**
>       * Can be used to test the connection and service.
>       *
>       * @return Response with message: pong
>       */
>      @GET
>      @Path("/ping")
>      @Secured({"ROLE_TMR", "ROLE_ADMIN"})
>      public Response ping();
>
> will return Forbidden always, and the browser does not request any
> credentials. I think something is blocking the basic auth in this setup.
>
> Setup:
>
> Liferay 6.2 on Tomcat 7.2
>
> The security is configured in beans.xml like this:
>
> <beans xmlns="http://www.springframework.org/schema/beans"
>         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>         xmlns:jaxrs="http://cxf.apache.org/jaxrs"
>         xmlns:aop="http://www.springframework.org/schema/aop"
>         xmlns:security="http://www.springframework.org/schema/security"
>         xsi:schemaLocation="http://www.springframework.org/schema/beans
> http://www.springframework.org/schema/beans/spring-beans.xsd
>           http://www.springframework.org/schema/aop
> http://www.springframework.org/schema/aop/spring-aop.xsd
>           http://www.springframework.org/schema/security
> http://www.springframework.org/schema/security/spring-security-3.2.xsd
>           http://cxf.apache.org/jaxrs
> http://cxf.apache.org/schemas/jaxrs.xsd">
>      <import resource="classpath:META-INF/cxf/cxf.xml"/>
>      <import resource="classpath:META-INF/cxf/cxf-servlet.xml"/>
>      <jaxrs:server id="webservice" address="/">
>          <jaxrs:serviceBeans>
>              <ref bean="webservice10"/>
>          </jaxrs:serviceBeans>
>          <jaxrs:providers>
>              <bean class="fi.dise.ws.SecurityExceptionMapper"/>
>              <bean
> class="com.fasterxml.jackson.jaxrs.json.JacksonJaxbJsonProvider"/>
>          </jaxrs:providers>
>      </jaxrs:server>
>      <bean id="webservice10" class="fi.dise.ws.WebServiceImpl" />
>      <!--
>      <bean
> class="org.springframework.security.authentication.encoding.Md5PasswordEncoder"
> id="passwordEncoder"/>
>      -->
>      <security:global-method-security secured-annotations="enabled" />
>      <security:http auto-config="true">
>          <security:http-basic/>
>      </security:http>
>      <security:authentication-manager>
>          <security:authentication-provider>
>              <!-- it is possible to md5 encode these passwords, or use a
>                   SQL backed or a custom bean for this. -->
>              <!-- <security:password-encoder ref="passwordEncoder"/> -->
>              <security:user-service>
>                  <security:user name="tmr" password="xxxx"
> authorities="ROLE_TMR"/>
>              </security:user-service>
>          </security:authentication-provider>
>      </security:authentication-manager>
> </beans>
>
> Any ideas? The config should be OK, but does not work when the security
> is uncommented like this. Could Liferay or Tomcat somehow cause this?
>


Re: Trouble with CXF jaxrs Basic auth (on Liferay/Tomcat platform)

Posted by Jari Fredriksson <ja...@iki.fi>.
Appears it worked OK all the time.

wget and GET did not somehow send the Authentication header, but curl
--basic sends it, and it just works.



-- 
jarif.bit
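
An added illustration (not code from anyone in this thread) of the behaviour reported in the last message: when a server answers 403 without a WWW-Authenticate challenge, a client that only sends Basic credentials in reply to a 401 never authenticates, while a client that sends the Authorization header on the first request succeeds. The local server, the password, and the use of Python's urllib as the challenge-only client are assumptions made for the demo.

```python
import base64
import hmac
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed credentials: user name as in the post, password made up for the demo.
USER, PASSWORD = "tmr", "demo-password"
EXPECTED = "Basic " + base64.b64encode(f"{USER}:{PASSWORD}".encode()).decode()

class PingHandler(BaseHTTPRequestHandler):
    """Replies 403 with no WWW-Authenticate unless valid Basic credentials arrive."""
    def do_GET(self):
        sent = self.headers.get("Authorization", "")
        ok = hmac.compare_digest(sent.encode("latin-1"), EXPECTED.encode())
        body = b'{"message":"pong"}' if ok else b"Forbidden"
        self.send_response(200 if ok else 403)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass

def status(opener, url, headers=None):
    """Return the HTTP status code this opener receives for url."""
    try:
        with opener.open(urllib.request.Request(url, headers=headers or {}), timeout=5) as r:
            return r.status
    except urllib.error.HTTPError as err:
        return err.code

def run_demo():
    """Return (status for challenge-only client, status for preemptive client)."""
    server = HTTPServer(("127.0.0.1", 0), PingHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_port}/1.0/ping"
    direct = urllib.request.ProxyHandler({})  # ignore any proxy environment settings
    mgr = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    mgr.add_password(None, url, USER, PASSWORD)
    # Credentials are configured, but this handler only uses them after a 401 challenge.
    on_challenge = urllib.request.build_opener(direct, urllib.request.HTTPBasicAuthHandler(mgr))
    preemptive = urllib.request.build_opener(direct)  # header is attached up front instead
    try:
        return status(on_challenge, url), status(preemptive, url, {"Authorization": EXPECTED})
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(run_demo())
```

With wget, the `--auth-no-challenge` option makes it send Basic credentials on the first request rather than waiting for a challenge.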