Posted to users@cxf.apache.org by Nikhil Kakade <ni...@velvetcase.com> on 2017/01/13 05:33:07 UTC

@Scopes annotation not working for method

Hi,

I am using Apache CXF OAuth2 for securing my JAX-RS APIs. I am using CXF
3.1.5. As described in the documentation here
<http://cxf.apache.org/docs/jax-rs-oauth2.html>

starting from Apache CXF 3.1.5, @Scopes can be used for more fine-grained
scope handling. I am successfully able to generate an access token for a
specific approved scope. When I try to access my API using this token,
ideally it should not allow me to access the API, since the API has a different
scope mentioned in its @Scopes annotation. But it's allowing me to access this
API.

This is my API:

@GET
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
@Path("/exportSheets")
@Scopes("testScope1")
@ConfidentialClient
String exportSheets(@QueryParam("userId") Integer userId);

This is access token which I am using to access this API

    {
    "tokenKey": "f2154782f82947318d1fc363e4309fa6",
    "tokenType": "Bearer",
    "expiresIn": 3600,
    "issuedAt": -1,
    "parameters": {},
    "approvedScope": "read"
    }

As you can see, the token contains approvedScope "read" whereas the API has
"testScope1". Even though these scopes do not match, it's allowing me to
access my API.

This is test configuration I have done for creating server endpoint.

@Bean
@DependsOn("cxf")
public Server ornateTestAPIs() {
    JAXRSServerFactoryBean factory = jaxRSServerFactory();

    factory.setAddress("/test");

    factory.setServiceBeans(Arrays.asList(testApis));
    factory.setProviders(Arrays.asList(jsonProvider(), new VcAPIExceptionMapper(),
            oauthRequestFilter(), oauthScopesFilter()));
    factory.setFeatures(Arrays.asList(swaggerFeature(), timingFeature));
    factory.setInInterceptors(
            Arrays.<Interceptor<? extends Message>>asList(new JAXRSBeanValidationInInterceptor()));
    factory.setOutInterceptors(
            Arrays.<Interceptor<? extends Message>>asList(new JAXRSBeanValidationOutInterceptor()));
    return factory.create();
}

public OAuthRequestFilter oauthRequestFilter() {
    OAuthRequestFilter requestFilter = new OAuthRequestFilter();
    requestFilter.setDataProvider(oAuthDataProviderImpl());
    return requestFilter;
}

public OAuthScopesFilter oauthScopesFilter() {
    return new OAuthScopesFilter();
}

As you can see, I have added OAuthScopesFilter and OAuthRequestFilter to the
providers. This is my pom:

<dependency>
    <groupId>org.apache.cxf</groupId>
    <artifactId>cxf-rt-rs-security-oauth2</artifactId>
    <version>3.1.9</version>
</dependency>
<dependency>
    <groupId>org.apache.cxf</groupId>
    <artifactId>cxf-rt-rs-security-cors</artifactId>
    <version>3.1.9</version>
</dependency>
<dependency>
    <groupId>org.apache.cxf</groupId>
    <artifactId>cxf-rt-frontend-jaxrs</artifactId>
    <version>3.1.5</version>
</dependency>
<dependency>
    <groupId>org.apache.cxf</groupId>
    <artifactId>cxf-rt-rs-service-description</artifactId>
    <version>3.1.5</version>
</dependency>


-- 
Best regards,
Nikhil Kakade

Re: @Scopes annotation not working for method

Posted by Nikhil Kakade <ni...@velvetcase.com>.
Thank you Sergey, it worked for me.

On Fri, Jan 13, 2017 at 11:27 PM, Sergey Beryozkin <sb...@gmail.com>
wrote:

> Hi
>
> OAuthScopesFilter has to be initialized with either a ref to a bean
> containing that method or initialized with a map (method to list of scopes).
>
> Sergey
>
> --
> Sergey Beryozkin
>
> Talend Community Coders
> http://coders.talend.com/
>



-- 
Best regards,
Nikhil Kakade
Software Engineer

Re: @Scopes annotation not working for method

Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi

OAuthScopesFilter has to be initialized with either a ref to a bean 
containing that method or initialized with a map (method to list of scopes).

Sergey


-- 
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/
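The wiring Sergey describes, written out as an added example; this is not code from the thread or from the CXF project itself. It assumes Spring Java config, that TestApis is the resource type from the first message (its exportSheets() carries @Scopes("testScope1")), and that an OAuthDataProvider bean is defined elsewhere in the application. The setters used are OAuthScopesFilter's securedObject and scopesMap properties; check them against the CXF version you actually build against, since the pom above mixes 3.1.5 and 3.1.9 artifacts and the filter comes from the 3.1.9 one.

```java
// Added example, not code from the thread or from the CXF project: wiring
// OAuthScopesFilter so that it knows which scopes each resource method needs.
// Assumptions: Spring Java config; 'TestApis' is the thread's resource type
// whose exportSheets() carries @Scopes("testScope1"); an OAuthDataProvider
// bean is defined elsewhere in the application.
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.apache.cxf.endpoint.Server;
import org.apache.cxf.jaxrs.JAXRSServerFactoryBean;
import org.apache.cxf.rs.security.oauth2.filters.OAuthRequestFilter;
import org.apache.cxf.rs.security.oauth2.filters.OAuthScopesFilter;
import org.apache.cxf.rs.security.oauth2.provider.OAuthDataProvider;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.DependsOn;

@Configuration
public class ScopedApiConfig {

    private final TestApis testApis;               // resource bean from the thread
    private final OAuthDataProvider dataProvider;  // validates the bearer token

    public ScopedApiConfig(TestApis testApis, OAuthDataProvider dataProvider) {
        this.testApis = testApis;
        this.dataProvider = dataProvider;
    }

    @Bean
    @DependsOn("cxf")
    public Server ornateTestAPIs() {
        JAXRSServerFactoryBean factory = new JAXRSServerFactoryBean();
        factory.setAddress("/test");
        factory.setServiceBeans(Collections.singletonList(testApis));
        // Both filters are required: OAuthRequestFilter validates the token
        // and establishes the OAuthContext; OAuthScopesFilter then compares
        // the token's approved scopes with the scopes the matched method
        // requires and rejects the request (403) when they do not match.
        factory.setProviders(Arrays.asList(oauthRequestFilter(), oauthScopesFilter()));
        return factory.create();
    }

    @Bean
    public OAuthRequestFilter oauthRequestFilter() {
        OAuthRequestFilter requestFilter = new OAuthRequestFilter();
        requestFilter.setDataProvider(dataProvider);
        return requestFilter;
    }

    // Option 1: give the filter the secured bean so it reads @Scopes (and
    // @ConfidentialClient) from that bean's methods. A bare
    // 'new OAuthScopesFilter()' has nothing to compare against and lets
    // every valid token through, which is the behaviour seen in the thread.
    @Bean
    public OAuthScopesFilter oauthScopesFilter() {
        OAuthScopesFilter scopesFilter = new OAuthScopesFilter();
        scopesFilter.setSecuredObject(testApis);
        return scopesFilter;
    }

    // Option 2: an explicit method-name -> required-scopes map. This keeps
    // the scope policy out of the resource code and works even when the
    // annotations are not visible on the class the filter scans.
    public OAuthScopesFilter oauthScopesFilterFromMap() {
        Map<String, List<String>> scopes = new HashMap<>();
        scopes.put("exportSheets", Collections.singletonList("testScope1"));
        OAuthScopesFilter scopesFilter = new OAuthScopesFilter();
        scopesFilter.setScopesMap(scopes);
        return scopesFilter;
    }
}
```

With either option in place, repeat the request with the token whose approvedScope is "read": it should now be refused before exportSheets runs, while a token approved for testScope1 goes through. Both cases are worth an integration test, because an unconfigured scopes filter fails open rather than closed.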