Re: [Resteasy-users] Set up authorization on methods based on roles

2014-01-09 Thread Bill Burke
Unfortunately, when using EJBs, if you override the SecurityContext, 
this context does not propagate to the EJB security logic.

On 1/9/2014 5:15 AM, adriano.lab...@ti-informatique.com wrote:
> What I want to do is to configure a REST service with basic
> authentication and role-based authorization using RESTEasy.
> Currently, I am confused by the security configuration and I hope
> someone can help me.
>
> REST service: http://localhost:8080/xedu-web/rest/course/{1}
> ---
>
> @Stateless
> @Path("/course")
> @PermitAll
> public class CourseRestService {
>     @EJB
>     private CourseServices service;
>
>     @Inject
>     private ServiceContextServices serviceContextServices;
>
>     @GET
>     @Path("{id}")
>     // @RolesAllowed("users")
>     @Consumes({"application/vnd.ch.xpertline.xedu.data.interfaces+json",
>                "application/json", "application/xml"})
>     @Produces({"application/vnd.ch.xpertline.xedu.data.interfaces+json",
>                "application/json", "application/xml"})
>     public XEDUEICourseSingleResponse find(@PathParam("id") Integer id,
>             @QueryParam("serviceContext") EIServiceContext serviceContext) {
>         try {
>             serviceContextServices.setContext(serviceContext);
>             EISingleResponse ei = service.findEI(id);
>             return new XEDUEICourseSingleResponse(ei);
>         } catch (ConversionException ce) {
>             throw new BadRequestRestException(ce);
>         } catch (Exception e) {
>             throw new ComponentRestException(e);
>         }
>     }
> }
>
> web.xml
> ---
>
> 
> <web-app xmlns="http://java.sun.com/xml/ns/javaee"
>   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>   xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
> http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
>
>   <display-name>xedu-web</display-name>
>
>   <context-param>
>     <param-name>resteasy.scan</param-name>
>     <param-value>true</param-value>
>   </context-param>
>
>   <context-param>
>     <param-name>resteasy.role.based.security</param-name>
>     <param-value>true</param-value>
>   </context-param>
>
>   <context-param>
>     <param-name>resteasy.servlet.mapping.prefix</param-name>
>     <param-value>/rest</param-value>
>   </context-param>
>
>   <listener>
>     <listener-class>org.jboss.resteasy.plugins.server.servlet.ResteasyBootstrap</listener-class>
>   </listener>
>
>   <servlet>
>     <servlet-name>Resteasy</servlet-name>
>     <servlet-class>org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher</servlet-class>
>     <load-on-startup>1</load-on-startup>
>   </servlet>
>
>   <servlet-mapping>
>     <servlet-name>Resteasy</servlet-name>
>     <url-pattern>/rest/*</url-pattern>
>   </servlet-mapping>
> </web-app>
>
>
> Request filter:
> ---
>
> @Provider
> public class AuthenticationRequestFilter implements ContainerRequestFilter {
>     @Override
>     public void filter(ContainerRequestContext ctx) throws IOException {
>         User user = null;
>
>         try {
>             String[] credentials = readCredentials(ctx);
>             String username = credentials[0];
>             String password = credentials[1];
>             user = authenticate(username, password);
>         } catch (AuthenticationException e) {
>             switch (e.getErrorCode()) {
>             case 401:
>                 ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
>                 break;
>             case 403:
>                 ctx.abortWith(Response.status(Response.Status.FORBIDDEN).build());
>                 break;
>             }
>         }
>
>         // Set the custom security context
>         if (user != null)
>             ctx.setSecurityContext(new AppSecurityContext(user, ctx.getUriInfo()));
>     }
>
>     ...
> }
>
> The current (correct) behavior is the following:
> - when I send a request with a valid credential (user1), the request
> filter authenticates the user and the service returns the resource data.
> - when I send a request without credentials, my request filter returns a
> 401 code.
> - when I send a request with an unknown user, my filter returns a 403 code.
>
> My question is: how do I set up authorization on methods based on roles?
> Users and roles are stored in an application database, not on JBoss.
>
> Here's what I did and that did not work:
> - I added the annotation @RolesAllowed("users") on my service method.
> - I set a custom SecurityContext in my request filter that associates
> the role "users" to the user "user1"
> - I added and set the context-param "resteasy.role.based.security" to
> true in web.xml.
>
> The resulting behavior is that my filter is never called, and all
> requests result in a 403 code.
> It seems that the role is checked before calling my request filter, so
> that the custom SecurityContext is not yet created.
>
> Lately, I read in the documentation that we must not enable
> "resteasy.role.based.security" if we use EJBs, and that is my case.
> However, I didn't find any example or description of what to do in
> that case.
>
>
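To make Bill's point concrete: the EJB container evaluates @RolesAllowed against its own caller principal, never against a SecurityContext installed by a JAX-RS filter, so when the resource is itself an @Stateless bean the EJB security interceptor denies the call (the 403 the thread describes) regardless of what the filter did. The added example below is not code from the thread or from RESTEasy; it shows the alternative a defender would reach for: enforce the role annotations inside JAX-RS itself, in a post-matching ContainerRequestFilter ordered with @Priority(Priorities.AUTHORIZATION) so it runs after the authentication filter (which should carry @Priority(Priorities.AUTHENTICATION)). It assumes the resource class is a plain JAX-RS/CDI bean that delegates to EJBs rather than being an EJB, that resteasy.role.based.security stays off (as the RESTEasy documentation says for EJB deployments), and a nested AppSecurityContext whose constructor takes the role names loaded from the application database; the realm name "xedu" is a placeholder.

```java
import java.io.IOException;
import java.lang.reflect.Method;
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.annotation.Priority;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.ResourceInfo;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;

/*
 * Post-matching filter (no @PreMatching, so ResourceInfo is available) that
 * enforces @RolesAllowed / @PermitAll / @DenyAll on the matched resource method
 * against the SecurityContext installed by the authentication filter.
 * Priorities.AUTHORIZATION (2000) sorts it after Priorities.AUTHENTICATION (1000).
 */
@Provider
@Priority(Priorities.AUTHORIZATION)
public class RolesAllowedRequestFilter implements ContainerRequestFilter {

    // Placeholder realm for the Basic challenge; pick the application's own.
    private static final String CHALLENGE = "Basic realm=\"xedu\"";

    @Context
    private ResourceInfo resourceInfo;

    @Override
    public void filter(ContainerRequestContext ctx) throws IOException {
        Set<String> required = requiredRoles(resourceInfo.getResourceMethod(),
                                             resourceInfo.getResourceClass());
        if (required == null) {
            return;                                   // no role constraint here
        }
        SecurityContext sc = ctx.getSecurityContext();
        if (sc == null || sc.getUserPrincipal() == null) {
            // Not authenticated: challenge (401) so the client can retry with credentials.
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                    .header(HttpHeaders.WWW_AUTHENTICATE, CHALLENGE).build());
            return;
        }
        for (String role : required) {
            if (sc.isUserInRole(role)) {
                return;                               // authorized
            }
        }
        ctx.abortWith(Response.status(Response.Status.FORBIDDEN).build());
    }

    /*
     * Effective constraint: method-level annotations override class-level ones.
     * Empty set = @DenyAll (nobody passes); null = @PermitAll or unannotated.
     */
    static Set<String> requiredRoles(Method method, Class<?> resourceClass) {
        if (method.isAnnotationPresent(DenyAll.class)) {
            return Collections.emptySet();
        }
        RolesAllowed ra = method.getAnnotation(RolesAllowed.class);
        if (ra != null) {
            return new HashSet<String>(Arrays.asList(ra.value()));
        }
        if (method.isAnnotationPresent(PermitAll.class)) {
            return null;
        }
        if (resourceClass.isAnnotationPresent(DenyAll.class)) {
            return Collections.emptySet();
        }
        ra = resourceClass.getAnnotation(RolesAllowed.class);
        return ra == null ? null : new HashSet<String>(Arrays.asList(ra.value()));
    }

    // SecurityContext backed by the role names loaded from the application
    // database (assumed shape; the thread's own AppSecurityContext differs).
    public static final class AppSecurityContext implements SecurityContext {
        private final Principal principal;
        private final Set<String> roles;
        private final boolean secure;

        public AppSecurityContext(final String username, Set<String> roles, boolean secure) {
            this.principal = new Principal() {
                @Override public String getName() { return username; }
            };
            this.roles = new HashSet<String>(roles);
            this.secure = secure;                     // ctx.getSecurityContext().isSecure()
        }

        @Override public Principal getUserPrincipal() { return principal; }
        @Override public boolean isUserInRole(String role) { return roles.contains(role); }
        @Override public boolean isSecure() { return secure; }
        @Override public String getAuthenticationScheme() { return SecurityContext.BASIC_AUTH; }
    }
}
```

With this in place, @RolesAllowed("users") on find() is honoured only if the JAX-RS filter is the sole thing reading it; leaving @Stateless on the resource reintroduces the EJB interceptor and the 403 described in the thread. Note also that an authentication failure still produces 401 from the authentication filter; this filter only adds the role decision on top of an already-established SecurityContext.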

[Resteasy-users] Set up authorization on methods based on roles

2014-01-09 Thread Adriano . Labate
What I want to do is to configure a REST service with basic authentication 
and role-based authorization using RESTEasy.
Currently, I am confused by the security configuration and I hope 
someone can help me.

REST service: http://localhost:8080/xedu-web/rest/course/{1}
---

@Stateless
@Path("/course")
@PermitAll
public class CourseRestService {
    @EJB
    private CourseServices service;

    @Inject
    private ServiceContextServices serviceContextServices;

    @GET
    @Path("{id}")
    // @RolesAllowed("users")
    @Consumes({"application/vnd.ch.xpertline.xedu.data.interfaces+json",
               "application/json", "application/xml"})
    @Produces({"application/vnd.ch.xpertline.xedu.data.interfaces+json",
               "application/json", "application/xml"})
    public XEDUEICourseSingleResponse find(@PathParam("id") Integer id,
            @QueryParam("serviceContext") EIServiceContext serviceContext) {
        try {
            serviceContextServices.setContext(serviceContext);
            EISingleResponse ei = service.findEI(id);
            return new XEDUEICourseSingleResponse(ei);
        } catch (ConversionException ce) {
            throw new BadRequestRestException(ce);
        } catch (Exception e) {
            throw new ComponentRestException(e);
        }
    }
}

web.xml
---


<web-app xmlns="http://java.sun.com/xml/ns/javaee"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">

  <display-name>xedu-web</display-name>

  <context-param>
    <param-name>resteasy.scan</param-name>
    <param-value>true</param-value>
  </context-param>

  <context-param>
    <param-name>resteasy.role.based.security</param-name>
    <param-value>true</param-value>
  </context-param>

  <context-param>
    <param-name>resteasy.servlet.mapping.prefix</param-name>
    <param-value>/rest</param-value>
  </context-param>

  <listener>
    <listener-class>org.jboss.resteasy.plugins.server.servlet.ResteasyBootstrap</listener-class>
  </listener>

  <servlet>
    <servlet-name>Resteasy</servlet-name>
    <servlet-class>org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>

  <servlet-mapping>
    <servlet-name>Resteasy</servlet-name>
    <url-pattern>/rest/*</url-pattern>
  </servlet-mapping>
</web-app>


Request filter:
---

@Provider
public class AuthenticationRequestFilter implements ContainerRequestFilter {
    @Override
    public void filter(ContainerRequestContext ctx) throws IOException {
        User user = null;

        try {
            String[] credentials = readCredentials(ctx);
            String username = credentials[0];
            String password = credentials[1];
            user = authenticate(username, password);
        } catch (AuthenticationException e) {
            switch (e.getErrorCode()) {
            case 401:
                ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
                break;
            case 403:
                ctx.abortWith(Response.status(Response.Status.FORBIDDEN).build());
                break;
            }
        }

        // Set the custom security context
        if (user != null)
            ctx.setSecurityContext(new AppSecurityContext(user, ctx.getUriInfo()));
    }

    ...
}

The current (correct) behavior is the following:
- when I send a request with a valid credential (user1), the request 
filter authenticates the user and the service returns the resource data.
- when I send a request without credentials, my request filter returns a 
401 code.
- when I send a request with an unknown user, my filter returns a 403 
code.

My question is: how do I set up authorization on methods based on roles?
Users and roles are stored in an application database, not on JBoss.

Here's what I did and that did not work:
- I added the annotation @RolesAllowed("users") on my service method.
- I set a custom SecurityContext in my request filter that associates the 
role "users" to the user "user1"
- I added and set the context-param "resteasy.role.based.security" to true 
in web.xml.

The resulting behavior is that my filter is never called, and all requests 
result in a 403 code.
It seems that the role is checked before calling my request filter, so 
that the custom SecurityContext is not yet created.

Lately, I read in the documentation that we must not enable 
"resteasy.role.based.security" if we use EJBs, and that is my case. 
However, I didn't find any example or description of what to do in 
that case.
Resteasy-users mailing list
Resteasy-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/resteasy-users