Posted to users@cxf.apache.org by johnrock <jo...@yahoo.com> on 2010/02/16 02:48:24 UTC

Re: Is it possible to integrate CXF JAX-RS with Spring Security 2.0.5 ?


Andreas Veithen-2 wrote:
> 
> Yes, provided that the client propagates the HTTP session, i.e. the
> requests to the JAX-RS services contain a JSESSIONID cookie, and that
> the Spring Security filters are applied to the JAX-RS endpoints as
> well.
> Andreas
> 

I am trying to bring my implementation in line with the great examples you
have steered me towards. At the risk of seeming naive, can I ask what the
'Injectable' interface that is implemented in SecureBookStore is all about?
How do I implement this?

i.e.

@Path("/bookstorestorage/")
public class SecureBookStore implements SecureBookInterface, Injectable {
...

-- 
View this message in context: http://old.nabble.com/Is-it-possible-to-integrate-CXF-JAX-RS-with-Spring-Security-2.0.5---tp27587340p27602675.html
Sent from the cxf-user mailing list archive at Nabble.com.


Re: Is it possible to integrate CXF JAX-RS with Spring Security 2.0.5 ?

Posted by Sergey Beryozkin <sb...@progress.com>.
But you probably won't need an interface like Injectable if CGLIB is used by Spring to proxify...

----- Original Message ----- 
From: "Sergey Beryozkin" <sb...@progress.com>
To: <us...@cxf.apache.org>
Sent: Tuesday, February 16, 2010 9:41 AM
Subject: Re: Is it possible to integrate CXF JAX-RS with Spring Security 2.0.5 ?


Hi

'Injectable' is a custom interface used by the test and its only purpose is to ensure a JAXRS context instance (SecurityContext in
this case) is injected properly, given that the actual resource class (SecureBookStore) is proxified by Spring. For cases like this
one, having a custom utility interface like Injectable IMHO is better than adding methods like setSecurityContext on the application
interfaces like SecureBookInterface.

cheers, Sergey





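The 'Injectable' pattern Sergey describes, as an added illustration (this is not the CXF system test's own code). It assumes the resource bean is wrapped by a Spring JDK dynamic proxy (for example to apply method security), that CXF reads the JAX-RS annotations from the target class behind that proxy, and that for a singleton resource CXF injects a thread-local proxy into the setter.

```java
import java.security.Principal;

import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;

/** Application interface: the contract that clients and Spring's proxy expose. */
interface SecureBookInterface {
    Response getBook(String id);
}

/**
 * Utility interface whose only job is to put the context setter on the proxy's
 * public surface. A JDK dynamic proxy exposes interface methods only, so without
 * this CXF could not reach the setter through the proxy. A CGLIB class proxy
 * exposes every public method, which is why it would not be needed in that case.
 */
interface Injectable {
    void setSecurityContext(SecurityContext sc);
}

@Path("/bookstorestorage/")
public class SecureBookStore implements SecureBookInterface, Injectable {

    // Assumption: for a singleton resource CXF injects a thread-local proxy here,
    // so one shared field never hands one caller's identity to another request.
    private SecurityContext securityContext;

    @Context
    public void setSecurityContext(SecurityContext sc) {
        this.securityContext = sc;
    }

    @GET
    @Path("/books/{id}")
    @Produces("text/plain")
    public Response getBook(@PathParam("id") String id) {
        // Fail closed: a null context means injection never reached this bean
        // (the proxy hid the setter); a null principal means the caller is anonymous.
        if (securityContext == null || securityContext.getUserPrincipal() == null) {
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }
        // Roles here are the authorities Spring Security granted, mapped one-to-one.
        if (!securityContext.isUserInRole("ROLE_USER")) {
            return Response.status(Response.Status.FORBIDDEN).build();
        }
        Principal caller = securityContext.getUserPrincipal();
        return Response.ok("book " + id + " for " + caller.getName()).build();
    }
}
```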


Re: Is it possible to integrate CXF JAX-RS with Spring Security 2.0.5 ?

Posted by Andreas Veithen <an...@gmail.com>.
On Wed, Feb 17, 2010 at 14:46, johnrock <jo...@yahoo.com> wrote:
>
> Thank you for the link to that wiki. Very helpful. To quote from there:
>
> "If Spring Security is used for authentication, then CXF's SecurityContext
> is not initialized automatically. cxf-spring-security provides an
> interceptor that can be used if this is required. This interceptor adapts an
> authenticated Authentication object found in the current Exchange to the
> org.apache.cxf.security.SecurityContext interface and adds it to the current
> message. Authorities in the Authentication object are mapped one-to-one to
> roles in the SecurityContext.
> ...
>
> Setting up Spring's security context: <ssec:spring-security-context-feature>
> ...
>
> This makes it clear that an interceptor would not be the right place to
> manage Spring's security context. cxf-spring-security solves this issue with
> the help of a org.apache.cxf.service.invoker.Invoker proxy that will be
> installed in front of the real invoker (whose responsibility is to dispatch
> to the right method of the service implementation). This proxy sets up the
> security context before delegating to the real invoker and removes it after
> completion. "
>
> Doesn't this imply that either an Interceptor or custom invoker is required?
> My example is not currently using either approach. Is there an example
> that uses an Interceptor or Invoker to set up the Security Context?

The document (and the components it describes) actually focuses on
those scenarios where CXF drives the overall process and where
authentication and authorization need to be delegated properly to
Spring Security. This is the case for scenarios that use WS-Security,
protocols other than HTTP, or where for some reason one doesn't want to
use the Spring Security servlet filters. In your scenario, Spring
Security is in control from the very beginning of request processing.

I think that Sergey is correct when he says that CXF actually builds
the org.apache.cxf.security.SecurityContext (and thus the
javax.ws.rs.core.SecurityContext), so that your scenario should
actually work out of the box. More on this later.

> --
> View this message in context: http://old.nabble.com/Is-it-possible-to-integrate-CXF-JAX-RS-with-Spring-Security-2.0.5---tp27587340p27623838.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>
>

Re: Is it possible to integrate CXF JAX-RS with Spring Security 2.0.5 ?

Posted by Sergey Beryozkin <sb...@progress.com>.
Hi Andreas, thanks for the clarification.

Regarding oneway operations: the JAXRS runtime also supports them now; one can either pass an OnewayRequest (HTTP or JMS) header or
set an org.apache.cxf.jaxrs.ext.Oneway annotation on a given method. WADL will show a 202 status for such operations...

cheers, Sergey


Re: Is it possible to integrate CXF JAX-RS with Spring Security 2.0.5 ?

Posted by Andreas Veithen <an...@gmail.com>.
On Wed, Feb 17, 2010 at 15:57, Sergey Beryozkin <sb...@progress.com> wrote:
> Hi
>
> Have a look at
> http://svn.apache.org/repos/asf/cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/CustomJAXRSInvoker.java
>
> This custom invoker is used in one of the tests (I linked to earlier on), so
> clearly the org.apache.cxf.security.SecurityContext gets initialized; that
> is, the JAXRS SecurityContextImpl gets the Principal from the current
> org.apache.cxf.security.SecurityContext.

You are right. I think the complete explanation is as follows: The
default filter configuration in Spring Security includes
SecurityContextHolderAwareRequestFilter which replaces the
ServletRequest with a request wrapper that overrides the
getUserPrincipal and isUserInRole methods so that they return
information from Spring Security. CXF's HTTP transport uses that
information to build a org.apache.cxf.security.SecurityContext and the
JAX-RS front-end will use that to inject
javax.ws.rs.core.SecurityContext instances. In addition, the servlet
filters by default also bind the Authentication object to the thread,
which is a prerequisite to using method level authorization. Thus,
John's scenario should indeed be supported by CXF out of the box.

Does that sound correct?

I will use these findings to update the document, so that it clearly
explains which scenarios are supported out of the box and which
scenarios require additional integration.

> I think Andreas was referring earlier on to oneway invocations?
> cheers, Sergey

There are indeed additional concerns with oneway invocations, but that
only applies to JAX-WS. The statement "This makes it clear that an
interceptor would not be the right place to manage Spring's security
context" primarily refers to the fact that the security context needs
to be cleaned up after the invocation of the service implementation.
In John's scenario this is done by the servlet filters, but in
scenarios that use WS-Security this is a bit more tricky.

> ----- Original Message ----- From: "johnrock" <jo...@yahoo.com>
> To: <us...@cxf.apache.org>
> Sent: Wednesday, February 17, 2010 1:46 PM
> Subject: Re: Is it possible to integrate CXF JAX-RS with Spring Security
> 2.0.5 ?
>
>
>
> Thank you for the link to that wiki. Very helpful. To quote from there:
>
> "If Spring Security is used for authentication, then CXF's SecurityContext
> is not initialized automatically. cxf-spring-security provides an
> interceptor that can be used if this is required. This interceptor adapts an
> authenticated Authentication object found in the current Exchange to the
> org.apache.cxf.security.SecurityContext interface and adds it to the current
> message. Authorities in the Authentication object are mapped one-to-one to
> roles in the SecurityContext.
> ...
>
> Setting up Spring's security context: <ssec:spring-security-context-feature>
> ...
>
> This makes it clear that an interceptor would not be the right place to
> manage Spring's security context. cxf-spring-security solves this issue with
> the help of a org.apache.cxf.service.invoker.Invoker proxy that will be
> installed in front of the real invoker (whose responsibility is to dispatch
> to the right method of the service implementation). This proxy sets up the
> security context before delegating to the real invoker and removes it after
> completion. "
>
> Doesn't this imply that either an Interceptor or custom invoker is required?
> My example is not currently using either approach. Is there an example
> that uses an Interceptor or Invoker to set up the Security Context?
>
> --
> View this message in context:
> http://old.nabble.com/Is-it-possible-to-integrate-CXF-JAX-RS-with-Spring-Security-2.0.5---tp27587340p27623838.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>
>

Re: Is it possible to integrate CXF JAX-RS with Spring Security 2.0.5 ?

Posted by Sergey Beryozkin <sb...@progress.com>.
Hi

Have a look at
http://svn.apache.org/repos/asf/cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/CustomJAXRSInvoker.java

This custom invoker is used in one of the tests (I linked to earlier on), so clearly the org.apache.cxf.security.SecurityContext gets
initialized; that is, the JAXRS SecurityContextImpl gets the Principal from the current org.apache.cxf.security.SecurityContext.

I think Andreas was referring earlier on to oneway invocations?
cheers, Sergey


Re: Is it possible to integrate CXF JAX-RS with Spring Security 2.0.5 ?

Posted by johnrock <jo...@yahoo.com>.
Thank you for the link to that wiki. Very helpful. To quote from there:

"If Spring Security is used for authentication, then CXF's SecurityContext
is not initialized automatically. cxf-spring-security provides an
interceptor that can be used if this is required. This interceptor adapts an
authenticated Authentication object found in the current Exchange to the
org.apache.cxf.security.SecurityContext interface and adds it to the current
message. Authorities in the Authentication object are mapped one-to-one to
roles in the SecurityContext. 
...

Setting up Spring's security context: <ssec:spring-security-context-feature>
...

This makes it clear that an interceptor would not be the right place to
manage Spring's security context. cxf-spring-security solves this issue with
the help of a org.apache.cxf.service.invoker.Invoker proxy that will be
installed in front of the real invoker (whose responsibility is to dispatch
to the right method of the service implementation). This proxy sets up the
security context before delegating to the real invoker and removes it after
completion. "

Doesn't this imply that either an Interceptor or custom invoker is required?
My example is not currently using either approach. Is there an example
that uses an Interceptor or Invoker to set up the Security Context?

-- 
View this message in context: http://old.nabble.com/Is-it-possible-to-integrate-CXF-JAX-RS-with-Spring-Security-2.0.5---tp27587340p27623838.html
Sent from the cxf-user mailing list archive at Nabble.com.


Re: Is it possible to integrate CXF JAX-RS with Spring Security 2.0.5 ?

Posted by Andreas Veithen <an...@gmail.com>.
On Wed, Feb 17, 2010 at 05:47, johnrock <jo...@yahoo.com> wrote:
>
>
> Sergey Beryozkin-2 wrote:
>>
>> Hi
>>
>> 'Injectable' is a custom interface used by the test and its only purpose
>> is to ensure a JAXRS context instance (SecurityContext in
>> this case) is injected properly, given that the actual resource class
>> (SecureBookStore) is proxified by Spring. For cases like this
>> one, having a custom utility interface like Injectable IMHO is better than
>> adding methods like setSecurityContext on the application
>> interfaces like SecureBookInterface.
>>
>> cheers, Sergey
>>
>
> Thanks again for your help. I am still not able to get an authenticated user
> to pass through a secured method on my webservice. Spring Security is
> securing the method, but will not allow a user to enter that method even if
> the user is currently logged in with the correct ROLES.
>
> My implementation seems pretty close to the Test example, however, my
> 'beans.xml' is much simpler and my spring security context is different. I
> am posting the cxf config, spring security config and my service bean
> interface in hopes that maybe something that I am doing wrong will jump out
> at you!

I think the best approach to solve this is to increase the log level
for Spring Security and try to understand where the access is denied.

> PS: I am passing the Context in to my method as a parameter thinking that is
> necessary since Spring creates singleton beans and I need a context per
> request. Is that correct?

Note that there are actually three classes called "SecurityContext":
javax.ws.rs.core.SecurityContext,
org.apache.cxf.security.SecurityContext and
org.springframework.security.context.SecurityContext. Assuming that
your code refers to javax.ws.rs.core.SecurityContext, this will
definitely not work (out of the box), because CXF knows nothing about
Spring Security and so would be unable to build a
javax.ws.rs.core.SecurityContext instance.

Some time ago I wrote a component [1] that translates a
org.springframework.security.context.SecurityContext into a
org.apache.cxf.security.SecurityContext. The JAX-RS front-end will
then translate this into a javax.ws.rs.core.SecurityContext and inject
this object if required. However, the interceptor assumes that the
org.springframework.security.context.SecurityContext object is stored
in the current Exchange. Thus, one would have to implement another
interceptor to retrieve the context from Spring and add it to the
current Exchange. With this, CXF should integrate nicely with Spring
Security.

Another option is to use a Spring specific API, namely
SecurityContextHolder. Note that this does NOT use the singleton
pattern, but a thread local, so that you have a different context per
request.

[1] Look for <ssec:cxf-security-context-provider-interceptor> in
http://code.google.com/p/cxf-spring-security/wiki/Documentation


>
> cxf.xml
>
>
> <?xml version="1.0" encoding="UTF-8"?>
> <beans xmlns="http://www.springframework.org/schema/beans"
>     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>     xmlns:jaxrs="http://cxf.apache.org/jaxrs"
>     xmlns:cxf="http://cxf.apache.org/core"
>     xsi:schemaLocation="http://www.springframework.org/schema/beans
>         http://www.springframework.org/schema/beans/spring-beans.xsd
>         http://cxf.apache.org/jaxrs
>         http://cxf.apache.org/schemas/jaxrs.xsd
>         http://cxf.apache.org/core
>         http://cxf.apache.org/schemas/core.xsd">
>
>     <import resource="classpath:META-INF/cxf/cxf.xml"/>
>     <import resource="classpath:META-INF/cxf/cxf-extension-jaxrs-binding.xml"/>
>     <import resource="classpath:META-INF/cxf/cxf-servlet.xml"/>
>
>     <!-- The service bean -->
>     <bean id="gatewayService" class="com.mg.webservice.GatewayServiceImpl">
>         <property name="userDao" ref="userDao" />
>         <property name="payloadService" ref="payloadService" />
>     </bean>
>
>     <jaxrs:server id="cxfgateway" address="/cxfgatewayaddress">
>         <jaxrs:serviceBeans>
>             <ref bean="gatewayService"/>
>         </jaxrs:serviceBeans>
>     </jaxrs:server>
> </beans>
>
>
> security.xml
>
>
> <beans:beans xmlns="http://www.springframework.org/schema/security"
>     xmlns:beans="http://www.springframework.org/schema/beans"
>     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>     xsi:schemaLocation="http://www.springframework.org/schema/beans
>         http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
>         http://www.springframework.org/schema/security
>         http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">
>
>     <global-method-security secured-annotations="enabled"
>         access-decision-manager-ref="accessDecisionManager" />
>
>     <http auto-config="false"
>         access-decision-manager-ref="accessDecisionManager"
>         access-denied-page="/accessDenied.html"
>         entry-point-ref="authenticationProcessingFilterEntryPoint"
>         lowercase-comparisons="true"
>         session-fixation-protection="migrateSession">
>
>         <intercept-url pattern="/favicon.ico" filters="none"/>
>         <intercept-url pattern="/css/*.css" filters="none"/>
>         <intercept-url pattern="/audio/*.*" filters="none"/>
>         <intercept-url pattern="/images/*.*" filters="none"/>
>         <intercept-url pattern="/images/*/*.*" filters="none"/>
>         <intercept-url pattern="/js/*.js" filters="none"/>
>
>         ....
>
>         <intercept-url pattern="/**" access="ROLE_USER,ROLE_ADMIN" />
>
>         <logout logout-success-url="/notLoggedIn.htm" logout-url="/mglogout" />
>         <anonymous username="guest" granted-authority="ROLE_GUEST" />
>         <concurrent-session-control max-sessions="1" />
>     </http>
>
>     <authentication-manager alias="authenticationManager"/>
>
>     <authentication-provider user-service-ref="userDao">
>         <password-encoder ref="passwordEncoder">
>             <salt-source user-property="getId"/>
>         </password-encoder>
>     </authentication-provider>
>
>     <beans:bean id="passwordEncoder"
>         class="org.springframework.security.providers.encoding.Md5PasswordEncoder">
>     </beans:bean>
>
>     <beans:bean id="saltSource"
>         class="org.springframework.security.providers.dao.salt.ReflectionSaltSource">
>         <beans:property name="userPropertyToUse" value="getId"/>
>     </beans:bean>
>
>     <beans:bean id="authenticationProcessingFilter"
>         class="com.mg.security.mgAuthenticationProcessingFilter">
>         <custom-filter position="AUTHENTICATION_PROCESSING_FILTER" />
>         <beans:property name="filterProcessesUrl" value="/mglogin" />
>         <beans:property name="defaultTargetUrl" value="/loggedIn.htm" />
>         <beans:property name="alwaysUseDefaultTargetUrl" value="true" />
>         <beans:property name="authenticationFailureUrl" value="/loginfailure.htm" />
>         <beans:property name="authenticationManager" ref="authenticationManager" />
>         <beans:property name="userSessionDao" ref="userSessionDao" />
>         <beans:property name="notificationService" ref="notificationService" />
>     </beans:bean>
>
>     <beans:bean id="authenticationProcessingFilterEntryPoint"
>         class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
>         <beans:property name="loginFormUrl" value="/login.htm" />
>         <beans:property name="forceHttps" value="false" />
>     </beans:bean>
>
>     <beans:bean id="accessDecisionManager"
>         class="org.springframework.security.vote.AffirmativeBased">
>         <beans:property name="decisionVoters">
>             <beans:list>
>                 <beans:bean class="org.springframework.security.vote.RoleVoter" />
>                 <beans:bean class="org.springframework.security.vote.AuthenticatedVoter" />
>             </beans:list>
>         </beans:property>
>     </beans:bean>
> </beans:beans>
>
>
> Service Interface:
>
>
> @Path("/enter")
> @Produces("application/XML")
> public interface GatewayService {
>
>     @GET
>     @Path("/recentQuestions/{firstResult}")
>     public List<Question> getRecentQuestions(@PathParam("firstResult") int firstResult);
>
>     @GET
>     @Path("/convo/{nId}/{qId}")
>     public ActiveDisplay readConversation(@PathParam("nId") Long nId,
>                                           @PathParam("qId") Long qId);
>
>     @GET
>     @Path("/payload")
>     @Secured({"ROLE_USER", "ROLE_ADMIN"})
>     public Response makePayload(@Context SecurityContext securityContext,
>                                 @Context Request request,
>                                 @Context HttpServletRequest httpServletRequest);
>
> }
>
> --
> View this message in context: http://old.nabble.com/Is-it-possible-to-integrate-CXF-JAX-RS-with-Spring-Security-2.0.5---tp27587340p27619097.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>
>
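The chain Andreas describes (Spring's request wrapper supplying getUserPrincipal/isUserInRole, CXF's HTTP transport building org.apache.cxf.security.SecurityContext, the JAX-RS front-end injecting javax.ws.rs.core.SecurityContext) together with the thread-local SecurityContextHolder alternative, as one added illustration that is not from the thread or from either project. It assumes Spring Security 2.0.x package names and that the Spring Security filter chain is mapped over the CXF servlet path, so the request has been wrapped before CXF sees it.

```java
import java.security.Principal;
import java.util.logging.Logger;

import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;          // JAX-RS view, injected by CXF

import org.springframework.security.Authentication;
import org.springframework.security.GrantedAuthority;
import org.springframework.security.context.SecurityContextHolder;  // Spring's thread-local view

@Path("/enter")
public class GatewayServiceImpl {

    private static final Logger LOG = Logger.getLogger(GatewayServiceImpl.class.getName());

    // CXF resolves a @Context parameter per invocation, so a Spring singleton bean
    // keeps no per-request state: passing it as a parameter is safe.
    @GET
    @Path("/payload")
    @Produces("text/plain")
    public Response makePayload(@Context SecurityContext jaxrsContext) {
        Principal user = jaxrsContext.getUserPrincipal();
        if (user == null) {
            // The wrapper reports no principal for anonymous callers. Fail closed.
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }
        // Same roles the <intercept-url pattern="/**"> rule demands, enforced again here.
        if (!jaxrsContext.isUserInRole("ROLE_USER") && !jaxrsContext.isUserInRole("ROLE_ADMIN")) {
            return Response.status(Response.Status.FORBIDDEN).build();
        }
        if (!agreesWithSpring(jaxrsContext)) {
            // Both views come from the same Authentication when the filters cover this
            // path. A mismatch is a configuration problem worth logging, not ignoring.
            LOG.warning("JAX-RS SecurityContext and SecurityContextHolder disagree for " + user.getName());
            return Response.status(Response.Status.FORBIDDEN).build();
        }
        return Response.ok("payload for " + user.getName()).build();
    }

    /** True when the injected JAX-RS context and Spring's thread-local describe the same user. */
    static boolean agreesWithSpring(SecurityContext jaxrsContext) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        Principal p = jaxrsContext.getUserPrincipal();
        if (auth == null || !auth.isAuthenticated()) {
            return p == null;
        }
        if (p == null || !auth.getName().equals(p.getName())) {
            return false;
        }
        // Authorities are mapped one-to-one to JAX-RS roles, so each must be visible.
        for (GrantedAuthority ga : auth.getAuthorities()) {
            if (!jaxrsContext.isUserInRole(ga.getAuthority())) {
                return false;
            }
        }
        return true;
    }
}
```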

Re: Is it possible to integrate CXF JAX-RS with Spring Security 2.0.5 ?

Posted by johnrock <jo...@yahoo.com>.

Sergey Beryozkin-2 wrote:
> 
> ...One thing that I noticed is that you use URI patterns in the
> configuration but also @Secured in the actual resource. Can it
> actually work? I'm not sure about it... Also, I'm assuming you've added a
> Spring Security filter to the web.xml...
> 
> cheers, Sergey
> 

Sergey and Andreas, you two have been enormously helpful and I cannot thank
you enough.

I believe I have resolved my main problem. I gave some more heed to Sergey's
comment about using both URI patterns in the config and also the @Secured
annotation, so I tried removing the @Secured and only using URI patterns.
Voila, all of a sudden the Spring Security context was showing up in my
service method with a proper Authentication object.  This should work fine
for me as I don't think it is essential that I map the security on the
method level (unless I am missing something still ....?).

Also, it may still be possible for me to use method level @Secured
annotations if I clean up my URI patterns and make sure I am not trapping a
URI more than once, but I have not yet had time to verify and test this.

Dinner is on me if you guys are anywhere near NYC!

Thanks
John
-- 
View this message in context: http://old.nabble.com/Is-it-possible-to-integrate-CXF-JAX-RS-with-Spring-Security-2.0.5---tp27587340p27634606.html
Sent from the cxf-user mailing list archive at Nabble.com.


Re: Is it possible to integrate CXF JAX-RS with Spring Security 2.0.5 ?

Posted by Sergey Beryozkin <sb...@progress.com>.
Hi

I'm not a Spring Security practitioner so I'm afraid I cannot be of much help here; perhaps experts like Andreas and others can
advise something, but you may be better off asking it on the Spring Security forum...
One thing that I noticed is that you use URI patterns in the configuration but also @Secured in the actual resource. Can it
actually work? I'm not sure about it... Also, I'm assuming you've added a Spring Security filter to the web.xml...

cheers, Sergey

<beans:property name="loginFormUrl" value="/login.htm" />
<beans:property name="forceHttps" value="false" />
</beans:bean>


    <beans:bean id="accessDecisionManager"
        class="org.springframework.security.vote.AffirmativeBased">
        <beans:property name="decisionVoters">
            <beans:list>
                <beans:bean
class="org.springframework.security.vote.RoleVoter" />
                <beans:bean
class="org.springframework.security.vote.AuthenticatedVoter" />
            </beans:list>
        </beans:property>
    </beans:bean>
</beans:beans>


Service Interface:


@Path("/enter")
@Produces("application/XML")
public interface GatewayService {

    @GET
    @Path("/recentQuestions/{firstResult}")
    public List<Question> getRecentQuestions(@PathParam("firstResult") int
firstResult);

    @GET
    @Path("/convo/{nId}/{qId}")
    public ActiveDisplay readConversation (@PathParam("nId")Long nId,
@PathParam("qId")Long qId);


    @GET
    @Path("/payload")
    @Secured({"ROLE_USER","ROLE_ADMIN"})
    public Response makePayload(@Context SecurityContext securityContext,
@Context Request request, @Context HttpServletRequest httpServletRequest);

}

-- 
View this message in context: 
http://old.nabble.com/Is-it-possible-to-integrate-CXF-JAX-RS-with-Spring-Security-2.0.5---tp27587340p27619097.html
Sent from the cxf-user mailing list archive at Nabble.com.



Re: Is it possible to integrate CXF JAX-RS with Spring Security 2.0.5 ?

Posted by johnrock <jo...@yahoo.com>.

Sergey Beryozkin-2 wrote:
> 
> Hi
> 
> 'Injectable' is a custom interface used by the test and its only purpose
> is to ensure a JAXRS context instance (SecurityContext in 
> this case) is injected properly, given that the actual resource class
> (SecureBookStore) is proxified by Spring. For cases like this 
> one, having a custom utility interface like Injectable IMHO is better than
> adding methods like setSecurityContext on the application 
> interfaces like SecureBookInterface.
> 
> cheers, Sergey
> 

Thanks again for your help. I am still not able to get an authenticated user
to pass through a secured method on my webservice. Spring Security is
securing the method, but will not allow a user to enter that method even if
the user is currently logged in with the correct ROLES.

My implementation seems pretty close to the Test example; however, my
'beans.xml' is much simpler and my spring security context is different. I
am posting the cxf config, spring security config and my service bean
interface in hopes that maybe something that I am doing wrong will jump out
at you!

PS: I am passing the Context in to my method as a parameter thinking that is
necessary since Spring creates singleton beans and I need a context per
request. Is that correct?


cxf.xml


<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:jaxrs="http://cxf.apache.org/jaxrs"
       xmlns:cxf="http://cxf.apache.org/core"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
            http://www.springframework.org/schema/beans/spring-beans.xsd
            http://cxf.apache.org/jaxrs
            http://cxf.apache.org/schemas/jaxrs.xsd
            http://cxf.apache.org/core
            http://cxf.apache.org/schemas/core.xsd">

    <import resource="classpath:META-INF/cxf/cxf.xml"/>
    <import resource="classpath:META-INF/cxf/cxf-extension-jaxrs-binding.xml"/>
    <import resource="classpath:META-INF/cxf/cxf-servlet.xml"/>

    <!-- The service bean -->
    <bean id="gatewayService" class="com.mg.webservice.GatewayServiceImpl">
        <property name="userDao" ref="userDao" />
        <property name="payloadService" ref="payloadService" />
    </bean>

    <!-- The JAX-RS endpoint that exposes the service bean -->
    <jaxrs:server id="cxfgateway" address="/cxfgatewayaddress">
        <jaxrs:serviceBeans>
            <ref bean="gatewayService"/>
        </jaxrs:serviceBeans>
    </jaxrs:server>
</beans>


security.xml


<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">

    <!-- Enables @Secured on service methods -->
    <global-method-security secured-annotations="enabled"
        access-decision-manager-ref="accessDecisionManager" />

    <http auto-config="false"
        access-decision-manager-ref="accessDecisionManager"
        access-denied-page="/accessDenied.html"
        entry-point-ref="authenticationProcessingFilterEntryPoint"
        lowercase-comparisons="true"
        session-fixation-protection="migrateSession">

        <!-- Static resources bypass the filter chain entirely -->
        <intercept-url pattern="/favicon.ico" filters="none"/>
        <intercept-url pattern="/css/*.css" filters="none"/>
        <intercept-url pattern="/audio/*.*" filters="none"/>
        <intercept-url pattern="/images/*.*" filters="none"/>
        <intercept-url pattern="/images/*/*.*" filters="none"/>
        <intercept-url pattern="/js/*.js" filters="none"/>

        ....

        <!-- Everything else needs an authenticated user holding one of these roles -->
        <intercept-url pattern="/**" access="ROLE_USER,ROLE_ADMIN" />

        <logout logout-success-url="/notLoggedIn.htm" logout-url="/mglogout" />
        <!-- Unauthenticated requests get the anonymous principal with ROLE_GUEST -->
        <anonymous username="guest" granted-authority="ROLE_GUEST" />
        <concurrent-session-control max-sessions="1" />
    </http>

    <authentication-manager alias="authenticationManager"/>

    <!-- Users are loaded from userDao; passwords are MD5 digests salted with the user's id -->
    <authentication-provider user-service-ref="userDao">
        <password-encoder ref="passwordEncoder">
            <salt-source user-property="getId"/>
        </password-encoder>
    </authentication-provider>

    <beans:bean id="passwordEncoder"
        class="org.springframework.security.providers.encoding.Md5PasswordEncoder">
    </beans:bean>

    <beans:bean id="saltSource"
        class="org.springframework.security.providers.dao.salt.ReflectionSaltSource">
        <beans:property name="userPropertyToUse" value="getId"/>
    </beans:bean>

    <!-- Custom form-login filter, placed at the AUTHENTICATION_PROCESSING_FILTER slot -->
    <beans:bean id="authenticationProcessingFilter"
        class="com.mg.security.mgAuthenticationProcessingFilter">
        <custom-filter position="AUTHENTICATION_PROCESSING_FILTER" />
        <beans:property name="filterProcessesUrl" value="/mglogin" />
        <beans:property name="defaultTargetUrl" value="/loggedIn.htm" />
        <beans:property name="alwaysUseDefaultTargetUrl" value="true" />
        <beans:property name="authenticationFailureUrl" value="/loginfailure.htm" />
        <beans:property name="authenticationManager" ref="authenticationManager" />
        <beans:property name="userSessionDao" ref="userSessionDao" />
        <beans:property name="notificationService" ref="notificationService" />
    </beans:bean>

    <beans:bean id="authenticationProcessingFilterEntryPoint"
        class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
        <beans:property name="loginFormUrl" value="/login.htm" />
        <beans:property name="forceHttps" value="false" />
    </beans:bean>

    <!-- Any single voter granting access is enough -->
    <beans:bean id="accessDecisionManager"
        class="org.springframework.security.vote.AffirmativeBased">
        <beans:property name="decisionVoters">
            <beans:list>
                <beans:bean class="org.springframework.security.vote.RoleVoter" />
                <beans:bean class="org.springframework.security.vote.AuthenticatedVoter" />
            </beans:list>
        </beans:property>
    </beans:bean>
</beans:beans>


Service Interface:


import java.util.List;

import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Request;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;

import org.springframework.security.annotation.Secured;

// Question and ActiveDisplay are the application's own types (not shown in the post).

@Path("/enter")
@Produces("application/XML")
public interface GatewayService {

    @GET
    @Path("/recentQuestions/{firstResult}")
    public List<Question> getRecentQuestions(@PathParam("firstResult") int firstResult);

    @GET
    @Path("/convo/{nId}/{qId}")
    public ActiveDisplay readConversation(@PathParam("nId") Long nId,
                                          @PathParam("qId") Long qId);

    // Method-level security: only ROLE_USER or ROLE_ADMIN may reach this method
    @GET
    @Path("/payload")
    @Secured({"ROLE_USER", "ROLE_ADMIN"})
    public Response makePayload(@Context SecurityContext securityContext,
                                @Context Request request,
                                @Context HttpServletRequest httpServletRequest);

}

-- 
View this message in context: http://old.nabble.com/Is-it-possible-to-integrate-CXF-JAX-RS-with-Spring-Security-2.0.5---tp27587340p27619097.html
Sent from the cxf-user mailing list archive at Nabble.com.
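As an added example (not code from the thread, from CXF's test suite or from the poster's project), the following Java resource shows both points raised above: Sergey's utility-interface approach to getting a JAX-RS SecurityContext injected into a Spring-proxied singleton, and a diagnostic for the "access denied although logged in" symptom that inspects what Spring Security's own context holds when the JAX-RS request arrives. Package names are those of Spring Security 2.0.x and JAX-RS 1.x as used in the thread; the names SecuredGateway, ContextInjectable, GatewayResource and describeSpringAuthentication are made up here.

```java
// Added example, not code from the thread or from CXF. Assumes Spring Security 2.0.x
// and JAX-RS 1.x on the classpath; SecuredGateway, ContextInjectable, GatewayResource
// and describeSpringAuthentication are names invented for this example.
package com.mg.webservice;

import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;

import org.springframework.security.Authentication;
import org.springframework.security.GrantedAuthority;
import org.springframework.security.annotation.Secured;
import org.springframework.security.context.SecurityContextHolder;

/** Application interface: carries only the JAX-RS and @Secured metadata. */
@Path("/enter")
@Produces("text/plain")
interface SecuredGateway {
    @GET
    @Path("/payload")
    @Secured({"ROLE_USER", "ROLE_ADMIN"})
    Response makePayload(@Context HttpServletRequest httpServletRequest);
}

/**
 * Utility interface in the spirit of the test's Injectable: the context setter lives
 * here instead of on the application interface, so CXF can still reach it when Spring
 * hands CXF an interface-based proxy of the resource bean.
 */
interface ContextInjectable {
    @Context
    void setSecurityContext(SecurityContext sc);
}

public class GatewayResource implements SecuredGateway, ContextInjectable {

    // The bean is a Spring singleton, yet this field is safe: CXF injects a
    // thread-local proxy, so each request sees its own SecurityContext.
    private SecurityContext securityContext;

    // @Context repeated on the implementation so it is found whether CXF
    // inspects the proxy's interfaces or the target class.
    @Context
    public void setSecurityContext(SecurityContext sc) {
        this.securityContext = sc;
    }

    public Response makePayload(HttpServletRequest httpServletRequest) {
        // Reaching this line means Spring Security's method interceptor has
        // already accepted the caller for ROLE_USER or ROLE_ADMIN.
        String who = securityContext.getUserPrincipal() == null
                ? "anonymous" : securityContext.getUserPrincipal().getName();
        boolean admin = securityContext.isUserInRole("ROLE_ADMIN");
        return Response.ok("payload for " + who + (admin ? " (admin)" : "")).build();
    }

    /**
     * Diagnostic for "access denied although logged in". Call it from a method that is
     * NOT annotated with @Secured (or log it from a filter) on a JAX-RS request.
     * No Authentication at all: the Spring Security filter chain did not run for this
     * request (JAX-RS servlet path not covered by the filter mapping).
     * Only ROLE_GUEST: the chain ran but found no session, i.e. the client did not send
     * the JSESSIONID cookie, so the anonymous filter filled in the guest principal.
     */
    public static String describeSpringAuthentication() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null) {
            return "no Authentication in SecurityContextHolder for this thread";
        }
        StringBuilder sb = new StringBuilder(auth.getName())
                .append(" authenticated=").append(auth.isAuthenticated())
                .append(" authorities=");
        GrantedAuthority[] authorities = auth.getAuthorities(); // array in Spring Security 2.0.x
        for (int i = 0; i < authorities.length; i++) {
            if (i > 0) {
                sb.append(',');
            }
            sb.append(authorities[i].getAuthority());
        }
        return sb.toString();
    }
}
```

Wire GatewayResource in place of GatewayServiceImpl under jaxrs:serviceBeans and run the diagnostic first: its two failure shapes map directly onto Andreas's two conditions (the Spring Security filters must be applied to the JAX-RS endpoints, and the client must propagate the session), which is where a @Secured check that "never lets the user in" is usually explained.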


Re: Is it possible to integrate CXF JAX-RS with Spring Security 2.0.5 ?

Posted by Sergey Beryozkin <sb...@progress.com>.
Hi

'Injectable' is a custom interface used by the test and its only purpose is to ensure a JAXRS context instance (SecurityContext in 
this case) is injected properly, given that the actual resource class (SecureBookStore) is proxified by Spring. For cases like this 
one, having a custom utility interface like Injectable IMHO is better than adding methods like setSecurityContext on the application 
interfaces like SecureBookInterface.

cheers, Sergey





Andreas Veithen-2 wrote:
>
> Yes, provided that the client propagates the HTTP session, i.e. the
> requests to the JAX-RS services contain a JSESSIONID cookie, and that
> the Spring Security filters are applied to the JAX-RS endpoints as
> well.
> Andreas
>

I am trying to bring my implementation in line with the great examples you
have steered me towards. At the risk of seeming naive, can I ask what the
'Injectable' interface that is implemented in SecureBookStore all about?
How do I implement this?

i.e.

@Path("/bookstorestorage/")
public class SecureBookStore implements SecureBookInterface, Injectable {
...

-- 
View this message in context: 
http://old.nabble.com/Is-it-possible-to-integrate-CXF-JAX-RS-with-Spring-Security-2.0.5---tp27587340p27602675.html
Sent from the cxf-user mailing list archive at Nabble.com.