Posted to users@tomee.apache.org by Alex Soto <as...@gmail.com> on 2014/11/11 15:56:55 UTC

TomEE2 JAXRS Security Context

Hi,

I am developing an application with JAXRS 2.0, and for this reason
currently I am using TomEE2. I need to implement my own SecurityContext
based on JWT. I need to implement it on my own because currently I cannot rely
on any CXF class, as I don't know the final application server yet. But
anyway, the problem is that I don't know why, but it just doesn't work. Let me
post a simple example.

import java.io.IOException;
import java.security.Principal;
import java.text.ParseException;

import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;

// JOSEException comes from the Nimbus JOSE+JWT library (inferred from the
// exception name; the post does not name the JWT library)
import com.nimbusds.jose.JOSEException;

@Provider
public class JWTRequestFilter implements ContainerRequestFilter {

    @Override
    public void filter(ContainerRequestContext request) throws IOException {
        String token = request.getHeaderString("x-access-token");
        try {
            // getUsernameFromToken and getUserByName are helpers not shown in the post;
            // User is the application's Principal implementation
            String username = getUsernameFromToken(token);
            final User user = getUserByName(username);
            request.setSecurityContext(new SecurityContext() {
                @Override
                public boolean isUserInRole(String role) {
                    return user.isUserInRole(role);
                }

                @Override
                public boolean isSecure() {
                    return false;
                }

                @Override
                public Principal getUserPrincipal() {
                    return user;
                }

                @Override
                public String getAuthenticationScheme() {
                    return SecurityContext.BASIC_AUTH;
                }
            });
        } catch (ParseException | JOSEException e) {
            // A missing or invalid token ends up here and the request still
            // continues with the container's default SecurityContext
            e.printStackTrace();
        }
    }
}

And the endpoint:

import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;

@Path("/book")
@PermitAll
public class BookResource {

    @GET
    @Produces(MediaType.TEXT_PLAIN)
    @RolesAllowed("admin")
    public String book() {
        return "book";
    }

    @GET
    @Path("article")
    @Produces(MediaType.TEXT_PLAIN)
    @RolesAllowed("superadmin")
    public String article() {
        return "article";
    }
}

I have added two debug breakpoints, the first one just before registering
the new SecurityContext, and the second one inside the SecurityContext in
method isUserInRole.

The problem is that the first breakpoint is executed but not the second
one, so the SecurityContext I have implemented is not called and of course
the endpoints are accessible for any user.

What am I missing?

-- 
+----------------------------------------------------------+
  Alex Soto Bueno
  www.lordofthejars.com
+----------------------------------------------------------+

Re: TomEE2 JAXRS Security Context

Posted by Alex Soto <as...@gmail.com>.
that's awesome thank you so much,


Re: TomEE2 JAXRS Security Context

Posted by hwaastad <he...@waastad.org>.
You might also do it like this:

http://www.aschua.de/blog/pairing-angularjs-and-javaee-for-authentication/

br hw



--
View this message in context: http://tomee-openejb.979440.n4.nabble.com/TomEE2-JAXRS-Security-Context-tp4672828p4672851.html
Sent from the TomEE Users mailing list archive at Nabble.com.

Re: TomEE2 JAXRS Security Context

Posted by Romain Manni-Bucau <rm...@gmail.com>.
I guess it is part of JavaEE 8 scope (making EJB services available to
CDI beans) but it is not yet finalized.


Romain Manni-Bucau
@rmannibucau
http://www.tomitribe.com
http://rmannibucau.wordpress.com
https://github.com/rmannibucau



Re: TomEE2 JAXRS Security Context

Posted by Alex Soto <as...@gmail.com>.
hehehe yeah currently I am implementing the second one. Basically I want to
implement a portable solution; the good news is that I can implement this
logic, add it in some kind of jaxrs-common project in the company repo and
that's all everybody needs to import to use security.

Maybe this should be something to be faced in next versions of JAXRS. I
mean if CDI implements now @Transactional, ... why not JAXRS as well.
Probably there is a reason but I am sure it is something that a lot of
people have found.


Re: TomEE2 JAXRS Security Context

Posted by Romain Manni-Bucau <rm...@gmail.com>.
Oh I forgot. So yes you are on your own except if you use an EJB ;).

Then you have 2 solutions for the impl:
- cdi interceptor with SecurityContext injected
- JAXRS filter with priority AUTHORIZATION

Second one will be called before first one but not sure it is a big deal



Romain Manni-Bucau
@rmannibucau
http://www.tomitribe.com
http://rmannibucau.wordpress.com
https://github.com/rmannibucau



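Romain's second option worked through as an added example (not code from the thread, from TomEE or from CXF): a JAX-RS 2.0 ContainerRequestFilter at AUTHORIZATION priority that reads the security annotations of the matched resource through ResourceInfo and checks them against whatever SecurityContext the request carries. The class name RolesAllowedFilter is hypothetical, and the example assumes the JWT filter from the first message is registered with @Priority(Priorities.AUTHENTICATION) so that its SecurityContext is in place before this one runs.

```java
import java.lang.reflect.AnnotatedElement;
import java.lang.reflect.Method;

import javax.annotation.Priority;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.ResourceInfo;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;

/**
 * Hypothetical portable filter that enforces @RolesAllowed, @PermitAll and
 * @DenyAll on plain (non-EJB) JAX-RS resources using only the JAX-RS 2.0 API.
 *
 * AUTHORIZATION priority (2000) runs after AUTHENTICATION priority (1000), so
 * a JWT filter annotated @Priority(Priorities.AUTHENTICATION) has already
 * installed its SecurityContext by the time this filter consults it.
 */
@Provider
@Priority(Priorities.AUTHORIZATION)
public class RolesAllowedFilter implements ContainerRequestFilter {

    // The matched resource class and method; populated by the runtime for
    // post-matching filters (this filter is deliberately not @PreMatching).
    @Context
    private ResourceInfo resourceInfo;

    @Override
    public void filter(ContainerRequestContext request) {
        Method method = resourceInfo.getResourceMethod();
        Class<?> clazz = resourceInfo.getResourceClass();
        if (method == null || clazz == null) {
            return; // no resource matched; the runtime answers 404/405 itself
        }

        // A method-level annotation overrides the class-level one, mirroring the
        // EJB rules: BookResource is @PermitAll but book() is @RolesAllowed("admin").
        AnnotatedElement source = hasSecurityAnnotation(method) ? method : clazz;

        if (source.isAnnotationPresent(DenyAll.class)) {
            request.abortWith(Response.status(Response.Status.FORBIDDEN).build());
            return;
        }
        if (source.isAnnotationPresent(PermitAll.class)) {
            return;
        }
        RolesAllowed rolesAllowed = source.getAnnotation(RolesAllowed.class);
        if (rolesAllowed == null) {
            return; // nothing declared on method or class: unconstrained endpoint
        }

        SecurityContext sc = request.getSecurityContext();
        if (sc == null || sc.getUserPrincipal() == null) {
            // No authenticated caller (the JWT filter saw no token or rejected
            // it), so answer 401 rather than 403.
            request.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
            return;
        }
        if (!isInAnyRole(sc, rolesAllowed.value())) {
            request.abortWith(Response.status(Response.Status.FORBIDDEN).build());
        }
    }

    private static boolean hasSecurityAnnotation(AnnotatedElement element) {
        return element.isAnnotationPresent(RolesAllowed.class)
                || element.isAnnotationPresent(PermitAll.class)
                || element.isAnnotationPresent(DenyAll.class);
    }

    // @RolesAllowed is satisfied by any one of the listed roles.
    static boolean isInAnyRole(SecurityContext sc, String[] roles) {
        for (String role : roles) {
            if (sc.isUserInRole(role)) {
                return true;
            }
        }
        return false;
    }
}
```

With this provider registered, a request to /book whose token maps to a user without the admin role is rejected with 403 before book() runs, which is the behaviour Alex's breakpoints showed to be missing.
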
Re: TomEE2 JAXRS Security Context

Posted by Alex Soto <as...@gmail.com>.
I cannot rely on cxf :(

2014-11-12 10:15 GMT+01:00 Romain Manni-Bucau <rm...@gmail.com>:

> Don't lose too much time on it ;)
> org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor
>
> 2014-11-12 10:11 GMT+01:00 Alex Soto <as...@gmail.com>:
> > :( I thought that this standard annotation could be used in standalone
> >  JAXRS endpoint. Well then I will need to do some kind of interceptor.
> >
> > 2014-11-12 10:06 GMT+01:00 Romain Manni-Bucau <rm...@gmail.com>:
> >
> >> Well, in your sample @RolesAllowed is ignored since that's not an EJB.
> >>
> >> 2014-11-12 9:57 GMT+01:00 Alex Soto <as...@gmail.com>:
> >> > Hi,
> >> >
> >> > Yes that example works but if I do something like
> >> >
> >> > @Path("sc")
> >> > public static class Res {
> >> >     @Context
> >> >     private SecurityContext sc;
> >> >
> >> >     @GET
> >> >     @RolesAllowed("therole")
> >> >     public boolean f() {
> >> >         return sc.isUserInRole("therole");
> >> >     }
> >> > }
> >> >
> >> > Note that in theory when the role is another the f() method should
> >> > not be executed, but the reality is that it is executed as well. So it seems
> >> > that with a custom security context you cannot rely on declarative mode
> >> > using annotations.
> >> >
> >> > 2014-11-11 16:48 GMT+01:00 Romain Manni-Bucau <rmannibucau@gmail.com>:
> >> >
> >> >> Hi
> >> >>
> >> >> what's the difference with
> >> >> https://git-wip-us.apache.org/repos/asf?p=tomee.git;a=blob;f=server/openejb-cxf-rs/src/test/java/org/apache/openejb/server/cxf/rs/CustomSecurityContextTest.java;h=6129a063007f2f703037fd048f28272ad81c79d6;hb=c5dea27ad20000b83391fc4bdc1b092b358f8c0c
> >> >> ?

Re: TomEE2 JAXRS Security Context

Posted by Romain Manni-Bucau <rm...@gmail.com>.
Should work for sure, anyway openejb-jar.xml is ignored cause your
application is DeviceService and not jaxrs-application


Romain Manni-Bucau
@rmannibucau
http://www.tomitribe.com
http://rmannibucau.wordpress.com
https://github.com/rmannibucau


2015-01-16 12:32 GMT+01:00 SKR <kr...@cosma-consult.de>:
> I tried:
> @InInterceptors (interceptors =
> "org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor")
> in my service.
>
> No effect. The interceptor was not loaded or invoked. I think using
> openejb-jar.xml is better. I'm using now:
>
> <openejb-jar xmlns="http://www.openejb.org/openejb-jar/1.1"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:schemaLocation="http://www.openejb.org/openejb-jar/1.1">
>     <pojo-deployment  class-name="jaxrs-application">
>         <properties>
>             cxf.jaxrs.providers =
> com.fasterxml.jackson.jaxrs.json.JacksonJaxbJsonProvider
>             cxf.jaxrs.in-interceptors =
> org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor
>         </properties>
>     </pojo-deployment>
> </openejb-jar>
>
> Here also... no effect! The interceptor does not get invoked.
>
> I noticed this problem already some days ago as I tried to add the
> org.apache.cxf.interceptor.LoggingInInterceptor to my service. This failed
> also.
>
> For some reason CXF does not load interceptors via annotations or this
> property. Is my openejb-jar.xml correct?
>
>
>
> --
> View this message in context: http://tomee-openejb.979440.n4.nabble.com/TomEE2-JAXRS-Security-Context-tp4672828p4673411.html
> Sent from the TomEE Users mailing list archive at Nabble.com.

Re: TomEE2 JAXRS Security Context

Posted by SKR <kr...@cosma-consult.de>.
I tried: 
@InInterceptors (interceptors =
"org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor")
in my service.

No effect. The interceptor was not loaded or invoked. I think using
openejb-jar.xml is better. I'm using now:

<openejb-jar xmlns="http://www.openejb.org/openejb-jar/1.1" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xsi:schemaLocation="http://www.openejb.org/openejb-jar/1.1">
    <pojo-deployment  class-name="jaxrs-application">
        <properties>
            cxf.jaxrs.providers =
com.fasterxml.jackson.jaxrs.json.JacksonJaxbJsonProvider
            cxf.jaxrs.in-interceptors =
org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor 
        </properties>
    </pojo-deployment>
</openejb-jar>

Here also... no effect! The interceptor does not get invoked.

I noticed this problem already some days ago as I tried to add the
org.apache.cxf.interceptor.LoggingInInterceptor to my service. This failed
also.

For some reason CXF does not load interceptors via annotations or this
property. Is my openejb-jar.xml correct? 



--
View this message in context: http://tomee-openejb.979440.n4.nabble.com/TomEE2-JAXRS-Security-Context-tp4672828p4673411.html
Sent from the TomEE Users mailing list archive at Nabble.com.

Re: TomEE2 JAXRS Security Context

Posted by Romain Manni-Bucau <rm...@gmail.com>.
Just curious: what is the Interceptors package? Shouldn't it be
@org.apache.cxf.interceptor.InInterceptors?

you can also configure it in openejb-jar.xml through
cxf.jaxrs.in-interceptors =
org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor


Romain Manni-Bucau
@rmannibucau
http://www.tomitribe.com
http://rmannibucau.wordpress.com
https://github.com/rmannibucau


2015-01-16 11:24 GMT+01:00 SKR <kr...@cosma-consult.de>:
> Hi
>
> Sorry for intercepting here ;) but I'd like to take your thread about the
> SecureAnnotationsInterceptor.
>
> If I got it right, it should be possible to use the @RolesAllowed annotation on
> a JAX-RS service method (Not Ejb!), if using CXF's
> SecureAnnotationsInterceptor. Is this correct?
>
> I prepared a small service that does not like to run because the
> SecureAnnotationsInterceptor is never called.
>
> Application Class:
> @javax.ws.rs.ApplicationPath("/test")
> @Interceptors(org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor.class)
> public class DeviceService extends Application {
>
>         @Override
>         public Set<Class<?>> getClasses() {
>                 Set<Class<?>> s = new HashSet<Class<?>>();
>                 s.add(MyServiceClass.class);
>                 return s;
>         }
> }
>
> Service Class:
> import javax.annotation.security.RolesAllowed;
> import javax.ws.rs.GET;
>
> @GET
> @RolesAllowed("myRole")
> public String getTest() {
>   return "TEST";
> }
>
> I deployed it on tomEE 1.7.1-plus.
>
> In fact everyone can invoke the service. The SecureAnnotationsInterceptor
> class does not even get loaded!
>
> I tried to follow the CXF reference on
> http://cxf.apache.org/docs/secure-jax-rs-services.html.
> Instead of
> @Interceptors(org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor.class)
> I tried to register the Interceptor in a cxf-servlet.xml file, that I placed
> directly in WEB-INF/.
>
> <?xml version="1.0" encoding="UTF-8"?>
>
> <beans xmlns="http://www.springframework.org/schema/beans"
>         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xmlns:jaxrs="http://cxf.apache.org/jaxrs"
>         xsi:schemaLocation="http://www.springframework.org/schema/beans
> http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
>      http://cxf.apache.org/jaxrs http://cxf.apache.org/schemas/jaxrs.xsd">
>
>   <bean id="secureBean" class="MyServiceClass"/>
>
>   <bean id="authorizationInterceptor"
>         class="org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor">
>        <property name="securedObject" ref="secureBean"/>
>   </bean>
>
>   <jaxrs:server address="/test">
>     <jaxrs:providers>
>       <ref bean="authorizationInterceptor" />
>     </jaxrs:providers>
>   </jaxrs:server>
>
> </beans>
>
> The result is the same. The interceptor class does not even get loaded :(
>
> I tried to follow your advice not to lose too much time on it ;) I failed.
> Do you have some suggestions?
>
> Thanks!
>
>
>
>
> --
> View this message in context: http://tomee-openejb.979440.n4.nabble.com/TomEE2-JAXRS-Security-Context-tp4672828p4673407.html
> Sent from the TomEE Users mailing list archive at Nabble.com.

Re: TomEE2 JAXRS Security Context

Posted by SKR <kr...@cosma-consult.de>.
Hi

Sorry for intercepting here ;) but I'd like to take your thread about the
SecureAnnotationsInterceptor.

If I got it right, it should be possible to use the @RolesAllowed annotation on
a JAX-RS service method (Not Ejb!), if using CXF's
SecureAnnotationsInterceptor. Is this correct?

I prepared a small service that does not like to run because the
SecureAnnotationsInterceptor is never called.

Application Class:
@javax.ws.rs.ApplicationPath("/test")
@Interceptors(org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor.class)
public class DeviceService extends Application {

	@Override
	public Set<Class<?>> getClasses() {
		Set<Class<?>> s = new HashSet<Class<?>>();
		s.add(MyServiceClass.class);
		return s;
	}
}

Service Class:
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.GET;

@GET
@RolesAllowed("myRole")
public String getTest() {
  return "TEST";
}

I deployed it on tomEE 1.7.1-plus.

In fact everyone can invoke the service. The SecureAnnotationsInterceptor
class does not even get loaded!

I tried to follow the CXF reference on
http://cxf.apache.org/docs/secure-jax-rs-services.html.
Instead of
@Interceptors(org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor.class)
I tried to register the Interceptor in a cxf-servlet.xml file, that I placed
directly in WEB-INF/.

<?xml version="1.0" encoding="UTF-8"?>

<beans xmlns="http://www.springframework.org/schema/beans"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:jaxrs="http://cxf.apache.org/jaxrs"
	xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
     http://cxf.apache.org/jaxrs http://cxf.apache.org/schemas/jaxrs.xsd">

  <bean id="secureBean" class="MyServiceClass"/>
 
  <bean id="authorizationInterceptor"
        class="org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor">
       <property name="securedObject" ref="secureBean"/>
  </bean>

  <jaxrs:server address="/test">
    <jaxrs:providers>
      <ref bean="authorizationInterceptor" />
    </jaxrs:providers>
  </jaxrs:server>

</beans>

The result is the same. The interceptor class does not even get loaded :(

I tried to follow your advice not to lose too much time on it ;) I failed.
Do you have some suggestions?

Thanks!




--
View this message in context: http://tomee-openejb.979440.n4.nabble.com/TomEE2-JAXRS-Security-Context-tp4672828p4673407.html
Sent from the TomEE Users mailing list archive at Nabble.com.

Re: TomEE2 JAXRS Security Context

Posted by Romain Manni-Bucau <rm...@gmail.com>.
Don't lose too much time on it ;)
org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor


Romain Manni-Bucau
@rmannibucau
http://www.tomitribe.com
http://rmannibucau.wordpress.com
https://github.com/rmannibucau


2014-11-12 10:11 GMT+01:00 Alex Soto <as...@gmail.com>:
> :( I thought that this standard annotation could be used in a standalone
> JAXRS endpoint. Well then I will need to do some kind of interceptor.
>
> 2014-11-12 10:06 GMT+01:00 Romain Manni-Bucau <rm...@gmail.com>:
>
>> Well, in your sample @RolesAllowed is ignored since that's not an EJB.
>>
>>
>> Romain Manni-Bucau
>> @rmannibucau
>> http://www.tomitribe.com
>> http://rmannibucau.wordpress.com
>> https://github.com/rmannibucau
>>
>>
>> 2014-11-12 9:57 GMT+01:00 Alex Soto <as...@gmail.com>:
>> > Hi,
>> >
>> > Yes that example works but if I do something like
>> >
>> > @Path("sc")
>> >     public static class Res {
>> >         @Context
>> >         private SecurityContext sc;
>> >
>> >         @GET
>> >         @RolesAllowed("therole")
>> >         public boolean f() {
>> >             return sc.isUserInRole("therole");
>> >         }
>> >     }
>> >
>> > Note that in theory when the role is another the f() method should not be
>> > executed, but the reality is that it is executed as well. So it seems that
>> > with a custom security context you cannot rely on declarative mode using
>> > annotations.
>> >
>> > 2014-11-11 16:48 GMT+01:00 Romain Manni-Bucau <rm...@gmail.com>:
>> >
>> >> Hi
>> >>
>> >> what's the difference with
>> >>
>> >>
>> https://git-wip-us.apache.org/repos/asf?p=tomee.git;a=blob;f=server/openejb-cxf-rs/src/test/java/org/apache/openejb/server/cxf/rs/CustomSecurityContextTest.java;h=6129a063007f2f703037fd048f28272ad81c79d6;hb=c5dea27ad20000b83391fc4bdc1b092b358f8c0c
>> >> ?
>> >>
>> >>
>> >> Romain Manni-Bucau
>> >> @rmannibucau
>> >> http://www.tomitribe.com
>> >> http://rmannibucau.wordpress.com
>> >> https://github.com/rmannibucau
>> >>
>> >>
>> >> 2014-11-11 15:56 GMT+01:00 Alex Soto <as...@gmail.com>:
>> >> > Hi,
>> >> >
>> >> > I am developing an application with JAXRS 2.0, and for this reason
>> >> > currently I am using TomEE2. I need to implement my own
>> SecurityContext
>> >> > based on JWT. I need to implement it on my own because currently I cannot
>> >> rely
>> >> > on any CXF class because I don't know the final application server
>> yet.
>> >> But
>> >> > anyway, the problem is that I don't know why, but it just doesn't work. Let
>> me
>> >> > post a simple example.
>> >> >
>> >> > @Provider
>> >> > public class JWTRequestFilter implements ContainerRequestFilter {
>> >> >
>> >> > @Override
>> >> > public void filter(ContainerRequestContext request) throws
>> IOException {
>> >> >  String token = request.getHeaderString("x-access-token");
>> >> >  try {
>> >> > String username = getUsernameFromToken(token);
>> >> > final User user = getUserByName(username);
>> >> >  request.setSecurityContext(new SecurityContext() {
>> >> >  @Override
>> >> > public boolean isUserInRole(String role) {
>> >> > return user.isUserInRole(role);
>> >> > }
>> >> >  @Override
>> >> > public boolean isSecure() {
>> >> > return false;
>> >> > }
>> >> >  @Override
>> >> > public Principal getUserPrincipal() {
>> >> > return user;
>> >> > }
>> >> >  @Override
>> >> > public String getAuthenticationScheme() {
>> >> > return SecurityContext.BASIC_AUTH;
>> >> > }
>> >> > });
>> >> >  } catch (ParseException | JOSEException e) {
>> >> > e.printStackTrace();
>> >> > }
>> >> >  }
>> >> >  }
>> >> >
>> >> > And the endpoint:
>> >> >
>> >> > @Path("/book")
>> >> > @PermitAll
>> >> > public class BookResource {
>> >> >
>> >> > @GET
>> >> > @Produces(MediaType.TEXT_PLAIN)
>> >> > @RolesAllowed("admin")
>> >> > public String book() {
>> >> >  return "book";
>> >> >  }
>> >> >  @GET
>> >> > @Path("article")
>> >> > @Produces(MediaType.TEXT_PLAIN)
>> >> > @RolesAllowed("superadmin")
>> >> > public String article() {
>> >> >  return "article";
>> >> >  }
>> >> > }
>> >> >
>> >> > I have added two debug breakpoints, the first one just before
>> registering
>> >> > the new SecurityContext, and the second one inside SecurityContext in
>> >> > method isUserInRole.
>> >> >
>> >> > The problem is that the first breakpoint is executed but not the
>> second
>> >> > one, so the SecurityContext I have implemented is not called and of
>> >> course
>> >> > the endpoints are accessible for any user.
>> >> >
>> >> > What am I missing?
>> >> >
>> >> > --
>> >> > +----------------------------------------------------------+
>> >> >   Alex Soto Bueno
>> >> >   www.lordofthejars.com
>> >> > +----------------------------------------------------------+
>> >>
>> >
>> >
>> >
>> > --
>> > +----------------------------------------------------------+
>> >   Alex Soto Bueno - Computer Engineer
>> >   www.lordofthejars.com
>> > +----------------------------------------------------------+
>>
>
>
>
> --
> +----------------------------------------------------------+
>   Alex Soto Bueno - Computer Engineer
>   www.lordofthejars.com
> +----------------------------------------------------------+

Re: TomEE2 JAXRS Security Context

Posted by Alex Soto <as...@gmail.com>.
:( I thought that this standard annotation could be used in a standalone
JAXRS endpoint. Well then I will need to do some kind of interceptor.

2014-11-12 10:06 GMT+01:00 Romain Manni-Bucau <rm...@gmail.com>:

> Well, in your sample @RolesAllowed is ignored since that's not an EJB.
>
>
> Romain Manni-Bucau
> @rmannibucau
> http://www.tomitribe.com
> http://rmannibucau.wordpress.com
> https://github.com/rmannibucau
>
>
> 2014-11-12 9:57 GMT+01:00 Alex Soto <as...@gmail.com>:
> > Hi,
> >
> > Yes that example works but if I do something like
> >
> > @Path("sc")
> >     public static class Res {
> >         @Context
> >         private SecurityContext sc;
> >
> >         @GET
> >         @RolesAllowed("therole")
> >         public boolean f() {
> >             return sc.isUserInRole("therole");
> >         }
> >     }
> >
> > Note that in theory when the role is another the f() method should not be
> > executed, but the reality is that it is executed as well. So it seems that
> > with a custom security context you cannot rely on declarative mode using
> > annotations.
> >
> > 2014-11-11 16:48 GMT+01:00 Romain Manni-Bucau <rm...@gmail.com>:
> >
> >> Hi
> >>
> >> what's the difference with
> >>
> >>
> https://git-wip-us.apache.org/repos/asf?p=tomee.git;a=blob;f=server/openejb-cxf-rs/src/test/java/org/apache/openejb/server/cxf/rs/CustomSecurityContextTest.java;h=6129a063007f2f703037fd048f28272ad81c79d6;hb=c5dea27ad20000b83391fc4bdc1b092b358f8c0c
> >> ?
> >>
> >>
> >> Romain Manni-Bucau
> >> @rmannibucau
> >> http://www.tomitribe.com
> >> http://rmannibucau.wordpress.com
> >> https://github.com/rmannibucau
> >>
> >>
> >> 2014-11-11 15:56 GMT+01:00 Alex Soto <as...@gmail.com>:
> >> > Hi,
> >> >
> >> > I am developing an application with JAXRS 2.0, and for this reason
> >> > currently I am using TomEE2. I need to implement my own
> SecurityContext
> >> > based on JWT. I need to implement it on my own because currently I cannot
> >> rely
> >> > on any CXF class because I don't know the final application server
> yet.
> >> But
> >> > anyway, the problem is that I don't know why, but it just doesn't work. Let
> me
> >> > post a simple example.
> >> >
> >> > @Provider
> >> > public class JWTRequestFilter implements ContainerRequestFilter {
> >> >
> >> > @Override
> >> > public void filter(ContainerRequestContext request) throws
> IOException {
> >> >  String token = request.getHeaderString("x-access-token");
> >> >  try {
> >> > String username = getUsernameFromToken(token);
> >> > final User user = getUserByName(username);
> >> >  request.setSecurityContext(new SecurityContext() {
> >> >  @Override
> >> > public boolean isUserInRole(String role) {
> >> > return user.isUserInRole(role);
> >> > }
> >> >  @Override
> >> > public boolean isSecure() {
> >> > return false;
> >> > }
> >> >  @Override
> >> > public Principal getUserPrincipal() {
> >> > return user;
> >> > }
> >> >  @Override
> >> > public String getAuthenticationScheme() {
> >> > return SecurityContext.BASIC_AUTH;
> >> > }
> >> > });
> >> >  } catch (ParseException | JOSEException e) {
> >> > e.printStackTrace();
> >> > }
> >> >  }
> >> >  }
> >> >
> >> > And the endpoint:
> >> >
> >> > @Path("/book")
> >> > @PermitAll
> >> > public class BookResource {
> >> >
> >> > @GET
> >> > @Produces(MediaType.TEXT_PLAIN)
> >> > @RolesAllowed("admin")
> >> > public String book() {
> >> >  return "book";
> >> >  }
> >> >  @GET
> >> > @Path("article")
> >> > @Produces(MediaType.TEXT_PLAIN)
> >> > @RolesAllowed("superadmin")
> >> > public String article() {
> >> >  return "article";
> >> >  }
> >> > }
> >> >
> >> > I have added two debug breakpoints, the first one just before
> registering
> >> > the new SecurityContext, and the second one inside SecurityContext in
> >> > method isUserInRole.
> >> >
> >> > The problem is that the first breakpoint is executed but not the
> second
> >> > one, so the SecurityContext I have implemented is not called and of
> >> course
> >> > the endpoints are accessible for any user.
> >> >
> >> > What am I missing?
> >> >
> >> > --
> >> > +----------------------------------------------------------+
> >> >   Alex Soto Bueno
> >> >   www.lordofthejars.com
> >> > +----------------------------------------------------------+
> >>
> >
> >
> >
> > --
> > +----------------------------------------------------------+
> >   Alex Soto Bueno - Computer Engineer
> >   www.lordofthejars.com
> > +----------------------------------------------------------+
>



-- 
+----------------------------------------------------------+
  Alex Soto Bueno - Computer Engineer
  www.lordofthejars.com
+----------------------------------------------------------+
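The "some kind of interceptor" Alex mentions above, written as an added example that is not code from this thread, from TomEE or from CXF: a second ContainerRequestFilter that reads the JSR-250 annotations off the matched resource method (falling back to the class) via ResourceInfo and checks them against whatever SecurityContext the JWT filter installed, so the @RolesAllowed-annotated endpoints stop being reachable by any caller. It assumes the thread's JWTRequestFilter is annotated @Priority(Priorities.AUTHENTICATION) so it runs before this AUTHORIZATION-priority filter; the class name RolesAllowedFilter and the Decision enum are my own.

```java
import java.io.IOException;
import java.lang.reflect.AnnotatedElement;
import java.lang.reflect.Method;
import java.security.Principal;

import javax.annotation.Priority;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.ResourceInfo;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;

/**
 * Enforces @DenyAll / @RolesAllowed / @PermitAll on plain (non-EJB) JAX-RS
 * resources, which the container otherwise ignores, by consulting the
 * SecurityContext installed by an earlier AUTHENTICATION-priority filter.
 * Hypothetical class, added for illustration; not part of the thread's code.
 */
@Provider
@Priority(Priorities.AUTHORIZATION)
public class RolesAllowedFilter implements ContainerRequestFilter {

    /** Result of the pure authorization decision, kept apart from the HTTP plumbing. */
    public enum Decision { ALLOW, UNAUTHENTICATED, FORBIDDEN }

    @Context
    private ResourceInfo resourceInfo;

    @Override
    public void filter(ContainerRequestContext request) throws IOException {
        Method method = resourceInfo.getResourceMethod();
        Class<?> resourceClass = resourceInfo.getResourceClass();
        if (method == null || resourceClass == null) {
            return; // nothing matched; let the runtime answer 404/405 itself
        }
        Decision decision = decide(method, resourceClass, request.getSecurityContext());
        if (decision == Decision.UNAUTHENTICATED) {
            // No principal was established, so the caller must authenticate first.
            request.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                    .header("WWW-Authenticate", "Bearer").build());
        } else if (decision == Decision.FORBIDDEN) {
            // Authenticated, but not in any of the required roles.
            request.abortWith(Response.status(Response.Status.FORBIDDEN).build());
        }
        // ALLOW: fall through to the resource method.
    }

    /**
     * Method-level annotations take precedence over class-level ones, following
     * the JSR-250 rules an EJB container applies. For the thread's BookResource
     * (class @PermitAll, methods @RolesAllowed) this means book() requires "admin"
     * and article() requires "superadmin".
     */
    static Decision decide(Method method, Class<?> resourceClass, SecurityContext sc) {
        AnnotatedElement source = hasSecurityAnnotation(method) ? method : resourceClass;
        if (source.isAnnotationPresent(DenyAll.class)) {
            return Decision.FORBIDDEN;
        }
        if (source.isAnnotationPresent(PermitAll.class)) {
            return Decision.ALLOW;
        }
        RolesAllowed roles = source.getAnnotation(RolesAllowed.class);
        if (roles == null) {
            return Decision.ALLOW; // no annotation at all: open, as the thread observed
        }
        Principal principal = sc == null ? null : sc.getUserPrincipal();
        if (principal == null) {
            return Decision.UNAUTHENTICATED;
        }
        for (String role : roles.value()) {
            if (sc.isUserInRole(role)) { // this is the call that never fired in the thread
                return Decision.ALLOW;
            }
        }
        return Decision.FORBIDDEN;
    }

    private static boolean hasSecurityAnnotation(AnnotatedElement element) {
        return element.isAnnotationPresent(DenyAll.class)
                || element.isAnnotationPresent(PermitAll.class)
                || element.isAnnotationPresent(RolesAllowed.class);
    }
}
```

Resources carrying no security annotation at all stay reachable here, exactly as in the thread; returning FORBIDDEN from that branch instead gives a closed-by-default API.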

Re: TomEE2 JAXRS Security Context

Posted by Romain Manni-Bucau <rm...@gmail.com>.
Well, in your sample @RolesAllowed is ignored since that's not an EJB.


Romain Manni-Bucau
@rmannibucau
http://www.tomitribe.com
http://rmannibucau.wordpress.com
https://github.com/rmannibucau


2014-11-12 9:57 GMT+01:00 Alex Soto <as...@gmail.com>:
> Hi,
>
> Yes that example works but if I do something like
>
> @Path("sc")
>     public static class Res {
>         @Context
>         private SecurityContext sc;
>
>         @GET
>         @RolesAllowed("therole")
>         public boolean f() {
>             return sc.isUserInRole("therole");
>         }
>     }
>
> Note that in theory when the role is another the f() method should not be
> executed, but the reality is that it is executed as well. So it seems that
> with a custom security context you cannot rely on declarative mode using
> annotations.
>
> 2014-11-11 16:48 GMT+01:00 Romain Manni-Bucau <rm...@gmail.com>:
>
>> Hi
>>
>> what's the difference with
>>
>> https://git-wip-us.apache.org/repos/asf?p=tomee.git;a=blob;f=server/openejb-cxf-rs/src/test/java/org/apache/openejb/server/cxf/rs/CustomSecurityContextTest.java;h=6129a063007f2f703037fd048f28272ad81c79d6;hb=c5dea27ad20000b83391fc4bdc1b092b358f8c0c
>> ?
>>
>>
>> Romain Manni-Bucau
>> @rmannibucau
>> http://www.tomitribe.com
>> http://rmannibucau.wordpress.com
>> https://github.com/rmannibucau
>>
>>
>> 2014-11-11 15:56 GMT+01:00 Alex Soto <as...@gmail.com>:
>> > Hi,
>> >
>> > I am developing an application with JAXRS 2.0, and for this reason
>> > currently I am using TomEE2. I need to implement my own SecurityContext
>> > based on JWT. I need to implement it on my own because currently I cannot
>> rely
>> > on any CXF class because I don't know the final application server yet.
>> But
>> > anyway, the problem is that I don't know why, but it just doesn't work. Let me
>> > post a simple example.
>> >
>> > @Provider
>> > public class JWTRequestFilter implements ContainerRequestFilter {
>> >
>> > @Override
>> > public void filter(ContainerRequestContext request) throws IOException {
>> >  String token = request.getHeaderString("x-access-token");
>> >  try {
>> > String username = getUsernameFromToken(token);
>> > final User user = getUserByName(username);
>> >  request.setSecurityContext(new SecurityContext() {
>> >  @Override
>> > public boolean isUserInRole(String role) {
>> > return user.isUserInRole(role);
>> > }
>> >  @Override
>> > public boolean isSecure() {
>> > return false;
>> > }
>> >  @Override
>> > public Principal getUserPrincipal() {
>> > return user;
>> > }
>> >  @Override
>> > public String getAuthenticationScheme() {
>> > return SecurityContext.BASIC_AUTH;
>> > }
>> > });
>> >  } catch (ParseException | JOSEException e) {
>> > e.printStackTrace();
>> > }
>> >  }
>> >  }
>> >
>> > And the endpoint:
>> >
>> > @Path("/book")
>> > @PermitAll
>> > public class BookResource {
>> >
>> > @GET
>> > @Produces(MediaType.TEXT_PLAIN)
>> > @RolesAllowed("admin")
>> > public String book() {
>> >  return "book";
>> >  }
>> >  @GET
>> > @Path("article")
>> > @Produces(MediaType.TEXT_PLAIN)
>> > @RolesAllowed("superadmin")
>> > public String article() {
>> >  return "article";
>> >  }
>> > }
>> >
>> > I have added two debug breakpoints, the first one just before registering
>> > the new SecurityContext, and the second one inside SecurityContext in
>> > method isUserInRole.
>> >
>> > The problem is that the first breakpoint is executed but not the second
>> > one, so the SecurityContext I have implemented is not called and of
>> course
>> > the endpoints are accessible for any user.
>> >
>> > What am I missing?
>> >
>> > --
>> > +----------------------------------------------------------+
>> >   Alex Soto Bueno
>> >   www.lordofthejars.com
>> > +----------------------------------------------------------+
>>
>
>
>
> --
> +----------------------------------------------------------+
>   Alex Soto Bueno - Computer Engineer
>   www.lordofthejars.com
> +----------------------------------------------------------+

Re: TomEE2 JAXRS Security Context

Posted by Alex Soto <as...@gmail.com>.
Hi,

Yes that example works but if I do something like

@Path("sc")
    public static class Res {
        @Context
        private SecurityContext sc;

        @GET
        @RolesAllowed("therole")
        public boolean f() {
            return sc.isUserInRole("therole");
        }
    }

Note that in theory when the role is another the f() method should not be
executed, but the reality is that it is executed as well. So it seems that
with a custom security context you cannot rely on declarative mode using
annotations.

2014-11-11 16:48 GMT+01:00 Romain Manni-Bucau <rm...@gmail.com>:

> Hi
>
> what's the difference with
>
> https://git-wip-us.apache.org/repos/asf?p=tomee.git;a=blob;f=server/openejb-cxf-rs/src/test/java/org/apache/openejb/server/cxf/rs/CustomSecurityContextTest.java;h=6129a063007f2f703037fd048f28272ad81c79d6;hb=c5dea27ad20000b83391fc4bdc1b092b358f8c0c
> ?
>
>
> Romain Manni-Bucau
> @rmannibucau
> http://www.tomitribe.com
> http://rmannibucau.wordpress.com
> https://github.com/rmannibucau
>
>
> 2014-11-11 15:56 GMT+01:00 Alex Soto <as...@gmail.com>:
> > Hi,
> >
> > I am developing an application with JAXRS 2.0, and for this reason
> > currently I am using TomEE2. I need to implement my own SecurityContext
> > based on JWT. I need to implement it on my own because currently I cannot
> rely
> > on any CXF class because I don't know the final application server yet.
> But
> > anyway, the problem is that I don't know why, but it just doesn't work. Let me
> > post a simple example.
> >
> > @Provider
> > public class JWTRequestFilter implements ContainerRequestFilter {
> >
> > @Override
> > public void filter(ContainerRequestContext request) throws IOException {
> >  String token = request.getHeaderString("x-access-token");
> >  try {
> > String username = getUsernameFromToken(token);
> > final User user = getUserByName(username);
> >  request.setSecurityContext(new SecurityContext() {
> >  @Override
> > public boolean isUserInRole(String role) {
> > return user.isUserInRole(role);
> > }
> >  @Override
> > public boolean isSecure() {
> > return false;
> > }
> >  @Override
> > public Principal getUserPrincipal() {
> > return user;
> > }
> >  @Override
> > public String getAuthenticationScheme() {
> > return SecurityContext.BASIC_AUTH;
> > }
> > });
> >  } catch (ParseException | JOSEException e) {
> > e.printStackTrace();
> > }
> >  }
> >  }
> >
> > And the endpoint:
> >
> > @Path("/book")
> > @PermitAll
> > public class BookResource {
> >
> > @GET
> > @Produces(MediaType.TEXT_PLAIN)
> > @RolesAllowed("admin")
> > public String book() {
> >  return "book";
> >  }
> >  @GET
> > @Path("article")
> > @Produces(MediaType.TEXT_PLAIN)
> > @RolesAllowed("superadmin")
> > public String article() {
> >  return "article";
> >  }
> > }
> >
> > I have added two debug breakpoints, the first one just before registering
> > the new SecurityContext, and the second one inside SecurityContext in
> > method isUserInRole.
> >
> > The problem is that the first breakpoint is executed but not the second
> > one, so the SecurityContext I have implemented is not called and of
> course
> > the endpoints are accessible for any user.
> >
> > What am I missing?
> >
> > --
> > +----------------------------------------------------------+
> >   Alex Soto Bueno
> >   www.lordofthejars.com
> > +----------------------------------------------------------+
>



-- 
+----------------------------------------------------------+
  Alex Soto Bueno - Computer Engineer
  www.lordofthejars.com
+----------------------------------------------------------+

Re: TomEE2 JAXRS Security Context

Posted by Romain Manni-Bucau <rm...@gmail.com>.
Hi

what's the difference with
https://git-wip-us.apache.org/repos/asf?p=tomee.git;a=blob;f=server/openejb-cxf-rs/src/test/java/org/apache/openejb/server/cxf/rs/CustomSecurityContextTest.java;h=6129a063007f2f703037fd048f28272ad81c79d6;hb=c5dea27ad20000b83391fc4bdc1b092b358f8c0c
?


Romain Manni-Bucau
@rmannibucau
http://www.tomitribe.com
http://rmannibucau.wordpress.com
https://github.com/rmannibucau


2014-11-11 15:56 GMT+01:00 Alex Soto <as...@gmail.com>:
> Hi,
>
> I am developing an application with JAXRS 2.0, and for this reason
> currently I am using TomEE2. I need to implement my own SecurityContext
> based on JWT. I need to implement it on my own because currently I cannot rely
> on any CXF class because I don't know the final application server yet. But
> anyway, the problem is that I don't know why, but it just doesn't work. Let me
> post a simple example.
>
> @Provider
> public class JWTRequestFilter implements ContainerRequestFilter {
>
> @Override
> public void filter(ContainerRequestContext request) throws IOException {
>  String token = request.getHeaderString("x-access-token");
>  try {
> String username = getUsernameFromToken(token);
> final User user = getUserByName(username);
>  request.setSecurityContext(new SecurityContext() {
>  @Override
> public boolean isUserInRole(String role) {
> return user.isUserInRole(role);
> }
>  @Override
> public boolean isSecure() {
> return false;
> }
>  @Override
> public Principal getUserPrincipal() {
> return user;
> }
>  @Override
> public String getAuthenticationScheme() {
> return SecurityContext.BASIC_AUTH;
> }
> });
>  } catch (ParseException | JOSEException e) {
> e.printStackTrace();
> }
>  }
>  }
>
> And the endpoint:
>
> @Path("/book")
> @PermitAll
> public class BookResource {
>
> @GET
> @Produces(MediaType.TEXT_PLAIN)
> @RolesAllowed("admin")
> public String book() {
>  return "book";
>  }
>  @GET
> @Path("article")
> @Produces(MediaType.TEXT_PLAIN)
> @RolesAllowed("superadmin")
> public String article() {
>  return "article";
>  }
> }
>
> I have added two debug breakpoints, the first one just before registering
> the new SecurityContext, and the second one inside SecurityContext in
> method isUserInRole.
>
> The problem is that the first breakpoint is executed but not the second
> one, so the SecurityContext I have implemented is not called and of course
> the endpoints are accessible for any user.
>
> What am I missing?
>
> --
> +----------------------------------------------------------+
>   Alex Soto Bueno
>   www.lordofthejars.com
> +----------------------------------------------------------+