Posted to issues@cxf.apache.org by "Steven Tippetts (JIRA)" <ji...@apache.org> on 2012/11/29 18:40:58 UTC

[jira] [Created] (CXF-4666) [OAuth2] securityContext problem on createSubject

Steven Tippetts created CXF-4666:
------------------------------------

             Summary: [OAuth2] securityContext problem on createSubject
                 Key: CXF-4666
                 URL: https://issues.apache.org/jira/browse/CXF-4666
             Project: CXF
          Issue Type: Bug
          Components: JAX-RS Security
    Affects Versions: 2.7.0
            Reporter: Steven Tippetts


This is probably just ignorance on my part, but when I override the createSubject method in the RedirectionBasedGrantService.java file, the securityContext parameter that is passed in is of type AbstractHTTPDestination$2. This parameter contains my authentication token, but I don't know how to get at it, so I'm having to go to the SecurityContextHolder to get the context instead of just using the parameter.

I'm just using standard Spring authentication, so it seems like many other people would also have AbstractHTTPDestination$2 as the security type, which causes roles to be missed in the OAuthUtils.createSubject method.

I'm sure I missed some details, so please let me know your questions, and thanks for your help.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

[jira] [Commented] (CXF-4666) [OAuth2] securityContext problem on createSubject

Posted by "Sergey Beryozkin (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CXF-4666?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13507309#comment-13507309 ] 

Sergey Beryozkin commented on CXF-4666:
---------------------------------------

I've made the method where UserSubject is created protected and also updated it to check for UserSubject which may've already been created from filters/interceptors, so you can say register a custom RequestHandler filter, create UserSubject and do "message.setContent(UserSubject.class), mySubject" - this may be simpler than extending the class...

"the additional properties I'm interested in are: account id, surname, and given name." - OK, thanks, I thought maybe I can get away with extending UserSubject :-)
                

[jira] [Comment Edited] (CXF-4666) [OAuth2] securityContext problem on createSubject

Posted by "Sergey Beryozkin (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CXF-4666?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13507309#comment-13507309 ] 

Sergey Beryozkin edited comment on CXF-4666 at 11/30/12 1:08 PM:
-----------------------------------------------------------------

I've made the method where UserSubject is created protected and also updated it to check for UserSubject which may've already been created from filters/interceptors, so you can say register a custom RequestHandler filter, create UserSubject and do "message.setContent(UserSubject.class, mySubject);" - this may be simpler than extending the class...

"the additional properties I'm interested in are: account id, surname, and given name." - OK, thanks, I thought maybe I can get away with extending UserSubject :-)
                
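
The filter approach suggested in the comment above, sketched as an added example (not code from the thread or from CXF itself). It assumes the CXF 2.7.x `RequestHandler` filter API and Spring Security on the classpath; the class name `SpringUserSubjectFilter` is hypothetical, and the filter would be registered as a JAX-RS provider on the endpoint that hosts the authorization service.

```java
import java.util.ArrayList;
import java.util.List;

import javax.ws.rs.core.Response;

import org.apache.cxf.jaxrs.ext.RequestHandler;
import org.apache.cxf.jaxrs.model.ClassResourceInfo;
import org.apache.cxf.message.Message;
import org.apache.cxf.rs.security.oauth2.common.UserSubject;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;

// Hypothetical filter: copies the Spring-authenticated principal and its
// roles into a UserSubject before the OAuth2 grant service runs, so the
// roles are not lost when the CXF SecurityContext is the servlet-level
// wrapper (AbstractHTTPDestination$2) rather than a LoginSecurityContext.
public class SpringUserSubjectFilter implements RequestHandler {

    public Response handleRequest(Message message, ClassResourceInfo resourceClass) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();

        // Fail closed: never create a subject for a missing or anonymous login.
        if (auth == null || !auth.isAuthenticated()
                || auth instanceof AnonymousAuthenticationToken) {
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }

        // Carry every granted authority over as a role name.
        List<String> roles = new ArrayList<String>();
        for (GrantedAuthority authority : auth.getAuthorities()) {
            roles.add(authority.getAuthority());
        }

        // The grant service checks for a UserSubject already set on the
        // message (behaviour described in the comment above, fixed in
        // 2.6.4 / 2.7.1) before falling back to the SecurityContext.
        message.setContent(UserSubject.class, new UserSubject(auth.getName(), roles));

        // Returning null lets the request continue down the chain.
        return null;
    }
}
```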

[jira] [Commented] (CXF-4666) [OAuth2] securityContext problem on createSubject

Posted by "Steven Tippetts (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CXF-4666?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13506987#comment-13506987 ] 

Steven Tippetts commented on CXF-4666:
--------------------------------------

Thanks for the info. I'll look into the CXF JAAS approach in the future, but for now I'll just get the context from ContextSecurityHolder.

Regarding CXF-4656, the additional properties I'm interested in are: account id, surname, and given name.
                

[jira] [Resolved] (CXF-4666) [OAuth2] securityContext problem on createSubject

Posted by "Sergey Beryozkin (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CXF-4666?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sergey Beryozkin resolved CXF-4666.
-----------------------------------

       Resolution: Fixed
    Fix Version/s: 2.7.1
                   2.6.4
         Assignee: Sergey Beryozkin

see r1415609
                

[jira] [Commented] (CXF-4666) [OAuth2] securityContext problem on createSubject

Posted by "Sergey Beryozkin (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CXF-4666?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13506666#comment-13506666 ] 

Sergey Beryozkin commented on CXF-4666:
---------------------------------------

To be honest I'm not sure we can do anything about it and as such I would not treat it as a bug. 

How about the following (Christian suggested something like that awhile back): 

Postpone using Spring security at the servlet level and use CXF JAASLoginInterceptor instead, or maybe for JAX-RS - org.apache.cxf.jaxrs.security.JAASAuthenticationFilter. It is very easy to use - just let it know the jaas context name and that is it.
Effectively it simply postpones the servlet-level authentication till later, once the call reaches CXF chain.

It will return org.apache.cxf.security.LoginSecurityContext - this is what the default UserSubject creation checks.
You can also check for some other Subject properties with LoginSecurityContext.

Next you can map LoginSecurityContext to Spring Security specific context and let it proceed...

That is the only thing I can suggest, to be honest - would it work for you?

By the way, as far as CXF-4656 is concerned, what other properties, apart from the principal name and its roles, are you interested in?