Posted to users@cxf.apache.org by Mark Ford <ma...@massfords.com> on 2015/03/16 18:57:05 UTC

looking for JAX-RS sub-resource with PreAuthorize example

I'm using Spring Security with annotations. I have the following config
enabled in my context:

<sec:global-method-security pre-post-annotations="enabled"/>

As a result, all of my JAX-RS service interfaces annotated with
PreAuthorize pass through Spring Security and all is well. However, I'm not
able to get the PreAuthorize annotations on my sub-resources to fire. I
suspect that this is because the sub-resources are created on the fly from
their parent resource and thus do not get the benefit of Spring's security
proxy.

CXF-2709 [1] described a very similar issue and is marked as closed but I
don't see an example of how to get this to work. I followed the
CustomJAXRSInvoker [2] example and effectively recreated portions of Spring
Security in my own custom invoker. While this works, it doesn't seem like
the right approach. It would be great if the spring-security example [3]
was updated slightly to show a security annotation on a sub-resource.

My current workaround is as follows:
- comment out the global-method-security element because the JAXRS Invoker
is going to be doing this work for resource and sub-resources
- configure a custom subclass of JAXRSInvoker as the jaxrs:invoker for the
container
- have the invoker delegate to an instance of a
PreInvocationAuthorizationAdviceVoter in pretty much the same way as is
done in Spring Security.
- this custom invoker will be invoked for every resource *and* sub-resource.

Thanks in advance for any feedback. Seems like I'm missing something basic
here.


[1] https://issues.apache.org/jira/browse/CXF-2709
[2]
http://svn.apache.org/repos/asf/cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/CustomJAXRSInvoker.java
[3]
http://svn.apache.org/repos/asf/cxf/trunk/distribution/src/main/release/samples/jax_rs/spring_security/

Re: looking for JAX-RS sub-resource with PreAuthorize example

Posted by Sergey Beryozkin <sb...@gmail.com>.
Sure - please create a patch

Thanks, Sergey
On 17/03/15 04:20, Mark Ford wrote:
> You're correct in that it'll work with the lookup-method or the
> ApplicationContextAware approach [1]. Neither of these two options is
> great. The ApplicationContextAware approach pollutes the source with Spring
> and the lookup-method has the air of dark magic to it. I realize the
> "proxification" is what's making the Transactional and PreAuthorize work
> but changing my services to be abstract classes and specifying a method
> name in the Spring config to override is a little unnerving.
>
> Do you think it's worth updating the existing spring example in CXF to
> demonstrate the lookup-method? I'll get around to adding an issue and a
> patch for it if you agree.
>
> [1]
> http://docs.spring.io/spring/docs/current/spring-framework-reference/htmlsingle/#beans-factory-method-injection
>
> On Mon, Mar 16, 2015 at 5:14 PM, Sergey Beryozkin <sb...@gmail.com>
> wrote:
>
>> I vaguely recall you need to introduce a Spring lookup method property
>> pointing to a subresource locator method for SpringSecurity to proxify it...
>>
>> Cheers, Sergey
>>
>> On 16/03/15 17:57, Mark Ford wrote:
>>
>>> I'm using Spring Security with annotations. I have the following config
>>> enabled in my context:
>>>
>>> <sec:global-method-security pre-post-annotations="enabled"/>
>>>
>>> As a result, all of my JAX-RS service interfaces annotated with
>>> PreAuthorize pass through Spring Security and all is well. However, I'm
>>> not
>>> able to get the PreAuthorize annotations on my sub-resources to fire. I
>>> suspect that this is because the sub-resources are created on the fly from
>>> their parent resource and thus do not get the benefit of Spring's security
>>> proxy.
>>>
>>> CXF-2709 [1] described a very similar issue and is marked as closed but I
>>> don't see an example of how to get this to work. I followed the
>>> CustomJAXRSInvoker [2] example and effectively recreated portions of
>>> Spring
>>> Security in my own custom invoker. While this works, it doesn't seem like
>>> the right approach. It would be great if the spring-security example [3]
>>> was updated slightly to show a security annotation on a sub-resource.
>>>
>>> My current workaround is as follows:
>>> - comment out the global-method-security element because the JAXRS Invoker
>>> is going to be doing this work for resource and sub-resources
>>> - configure a custom subclass of JAXRSInvoker as the jaxrs:invoker for the
>>> container
>>> - have the invoker delegate to an instance of a
>>> PreInvocationAuthorizationAdviceVoter in pretty much the same way as is
>>> done in Spring Security.
>>> - this custom invoker will be invoked for every resource *and*
>>> sub-resource.
>>>
>>> Thanks in advance for any feedback. Seems like I'm missing something basic
>>> here.
>>>
>>>
>>> [1] https://issues.apache.org/jira/browse/CXF-2709
>>> [2]
>>> http://svn.apache.org/repos/asf/cxf/trunk/systests/jaxrs/
>>> src/test/java/org/apache/cxf/systest/jaxrs/CustomJAXRSInvoker.java
>>> [3]
>>> http://svn.apache.org/repos/asf/cxf/trunk/distribution/
>>> src/main/release/samples/jax_rs/spring_security/
>>>
>>>
>>
>> --
>> Sergey Beryozkin
>>
>> Talend Community Coders
>> http://coders.talend.com/
>>
>> Blog: http://sberyozkin.blogspot.com
>>
>


Re: looking for JAX-RS sub-resource with PreAuthorize example

Posted by Mark Ford <ma...@massfords.com>.
You're correct in that it'll work with the lookup-method or the
ApplicationContextAware approach [1]. Neither of these two options is
great. The ApplicationContextAware approach pollutes the source with Spring
and the lookup-method has the air of dark magic to it. I realize the
"proxification" is what's making the Transactional and PreAuthorize work
but changing my services to be abstract classes and specifying a method
name in the Spring config to override is a little unnerving.

Do you think it's worth updating the existing spring example in CXF to
demonstrate the lookup-method? I'll get around to adding an issue and a
patch for it if you agree.

[1]
http://docs.spring.io/spring/docs/current/spring-framework-reference/htmlsingle/#beans-factory-method-injection

On Mon, Mar 16, 2015 at 5:14 PM, Sergey Beryozkin <sb...@gmail.com>
wrote:

> I vaguely recall you need to introduce a Spring lookup method property
> pointing to a subresource locator method for SpringSecurity to proxify it...
>
> Cheers, Sergey
>
> On 16/03/15 17:57, Mark Ford wrote:
>
>> I'm using Spring Security with annotations. I have the following config
>> enabled in my context:
>>
>> <sec:global-method-security pre-post-annotations="enabled"/>
>>
>> As a result, all of my JAX-RS service interfaces annotated with
>> PreAuthorize pass through Spring Security and all is well. However, I'm
>> not
>> able to get the PreAuthorize annotations on my sub-resources to fire. I
>> suspect that this is because the sub-resources are created on the fly from
>> their parent resource and thus do not get the benefit of Spring's security
>> proxy.
>>
>> CXF-2709 [1] described a very similar issue and is marked as closed but I
>> don't see an example of how to get this to work. I followed the
>> CustomJAXRSInvoker [2] example and effectively recreated portions of
>> Spring
>> Security in my own custom invoker. While this works, it doesn't seem like
>> the right approach. It would be great if the spring-security example [3]
>> was updated slightly to show a security annotation on a sub-resource.
>>
>> My current workaround is as follows:
>> - comment out the global-method-security element because the JAXRS Invoker
>> is going to be doing this work for resource and sub-resources
>> - configure a custom subclass of JAXRSInvoker as the jaxrs:invoker for the
>> container
>> - have the invoker delegate to an instance of a
>> PreInvocationAuthorizationAdviceVoter in pretty much the same way as is
>> done in Spring Security.
>> - this custom invoker will be invoked for every resource *and*
>> sub-resource.
>>
>> Thanks in advance for any feedback. Seems like I'm missing something basic
>> here.
>>
>>
>> [1] https://issues.apache.org/jira/browse/CXF-2709
>> [2]
>> http://svn.apache.org/repos/asf/cxf/trunk/systests/jaxrs/
>> src/test/java/org/apache/cxf/systest/jaxrs/CustomJAXRSInvoker.java
>> [3]
>> http://svn.apache.org/repos/asf/cxf/trunk/distribution/
>> src/main/release/samples/jax_rs/spring_security/
>>
>>
>
> --
> Sergey Beryozkin
>
> Talend Community Coders
> http://coders.talend.com/
>
> Blog: http://sberyozkin.blogspot.com
>

Re: looking for JAX-RS sub-resource with PreAuthorize example

Posted by Sergey Beryozkin <sb...@gmail.com>.
I vaguely recall you need to introduce a Spring lookup method property 
pointing to a subresource locator method for SpringSecurity to proxify it...

Cheers, Sergey
On 16/03/15 17:57, Mark Ford wrote:
> I'm using Spring Security with annotations. I have the following config
> enabled in my context:
>
> <sec:global-method-security pre-post-annotations="enabled"/>
>
> As a result, all of my JAX-RS service interfaces annotated with
> PreAuthorize pass through Spring Security and all is well. However, I'm not
> able to get the PreAuthorize annotations on my sub-resources to fire. I
> suspect that this is because the sub-resources are created on the fly from
> their parent resource and thus do not get the benefit of Spring's security
> proxy.
>
> CXF-2709 [1] described a very similar issue and is marked as closed but I
> don't see an example of how to get this to work. I followed the
> CustomJAXRSInvoker [2] example and effectively recreated portions of Spring
> Security in my own custom invoker. While this works, it doesn't seem like
> the right approach. It would be great if the spring-security example [3]
> was updated slightly to show a security annotation on a sub-resource.
>
> My current workaround is as follows:
> - comment out the global-method-security element because the JAXRS Invoker
> is going to be doing this work for resource and sub-resources
> - configure a custom subclass of JAXRSInvoker as the jaxrs:invoker for the
> container
> - have the invoker delegate to an instance of a
> PreInvocationAuthorizationAdviceVoter in pretty much the same way as is
> done in Spring Security.
> - this custom invoker will be invoked for every resource *and* sub-resource.
>
> Thanks in advance for any feedback. Seems like I'm missing something basic
> here.
>
>
> [1] https://issues.apache.org/jira/browse/CXF-2709
> [2]
> http://svn.apache.org/repos/asf/cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/CustomJAXRSInvoker.java
> [3]
> http://svn.apache.org/repos/asf/cxf/trunk/distribution/src/main/release/samples/jax_rs/spring_security/
>


-- 
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

Blog: http://sberyozkin.blogspot.com
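
The lookup-method approach discussed in this thread, sketched as an added example; it is not code from the thread participants or from the CXF samples. The demo package, OrderService, OrderItems, OrderItemsImpl and the bean ids are hypothetical names, and the Spring XML is shown inside a comment so the listing stays in one language.

```java
// Added illustration. Each "--- File" marker starts a separate source file
// in a hypothetical package named demo.
//
// Spring context (assumed bean ids):
//
//   <sec:global-method-security pre-post-annotations="enabled"/>
//
//   <!-- prototype scope: a fresh sub-resource for every lookup -->
//   <bean id="orderItems" class="demo.OrderItemsImpl" scope="prototype"/>
//
//   <!-- Spring generates a subclass whose items() calls getBean("orderItems") -->
//   <bean id="orderService" class="demo.OrderService">
//     <lookup-method name="items" bean="orderItems"/>
//   </bean>

// --- File: OrderItems.java (sub-resource contract, annotated on the interface)
import javax.ws.rs.GET;
import javax.ws.rs.Produces;
import org.springframework.security.access.prepost.PreAuthorize;

public interface OrderItems {
    @GET
    @Produces("text/plain")
    @PreAuthorize("hasRole('ROLE_ADMIN')")
    String list();
}

// --- File: OrderItemsImpl.java
public class OrderItemsImpl implements OrderItems {
    @Override
    public String list() {
        return "item-1,item-2";
    }
}

// --- File: OrderService.java (root resource)
import javax.ws.rs.Path;

@Path("/orders")
public abstract class OrderService {
    // Sub-resource locator: @Path only, no HTTP method annotation.
    // Left abstract so the lookup-method override supplies the body; the
    // object returned comes from the application context and therefore
    // carries the method-security proxy. Writing "return new OrderItemsImpl();"
    // here instead would hand CXF an unproxied object and @PreAuthorize on
    // list() would never be evaluated.
    @Path("/items")
    public abstract OrderItems items();
}
```

A quick check for this configuration is an integration test that calls the sub-resource path as a user without ROLE_ADMIN and expects the request to be refused.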