Unfortunately, when using EJBs, if you override the SecurityContext,
this context does not propagate to the EJB security logic.
On 1/9/2014 5:15 AM, adriano.lab...@ti-informatique.com wrote:
> What I want to do is to configure a REST service with basic
> authentication and roles authorization using RESTEasy.
> Currently, I am confused with the security configuration and I hope
> someone can help me.
>
> REST service : http://localhost:8080/xedu-web/rest/course/{1}
> ---
>
> @Stateless
> *@Path("/course")*
> @PermitAll
> public class *CourseRestService *{
> @EJB
> private CourseServices service;
>
> @Inject
> private ServiceContextServices serviceContextServices;
>
> @GET
> *@Path("{id}")*
> // @RolesAllowed("users")
>
> @Consumes({"application/vnd.ch.xpertline.xedu.data.interfaces+json",
> "application/json", "application/xml"})
>
> @Produces({"application/vnd.ch.xpertline.xedu.data.interfaces+json",
> "application/json", "application/xml"})
> public XEDUEICourseSingleResponse *find*(@PathParam("id") Integer
> id, @QueryParam("serviceContext") EIServiceContext serviceContext) {
> try {
> serviceContextServices.setContext(serviceContext);
> EISingleResponse ei = service.findEI(id);
> return new XEDUEICourseSingleResponse(ei);
> } catch (ConversionException ce) {
> throw new BadRequestRestException(ce);
> } catch (Exception e) {
> throw new ComponentRestException(e);
> }
> }
> }
>
> web.xml
> ---
>
>
>xmlns="http://java.sun.com/xml/ns/javaee";
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
> xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
> http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd";>
>
>xedu-web
>
>
> resteasy.scan
> true
>
>
>
> resteasy.role.based.security
> true
>
>
>
> resteasy.servlet.mapping.prefix
> /rest
>
>
>
>
> org.jboss.resteasy.plugins.server.servlet.ResteasyBootstrap
>
>
>
>
> Resteasy
>
> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher
>
> 1
>
>
>
> Resteasy
> /rest/*
>
>
>
>
> Request filter:
> ---
>
> @Provider
> public class *AuthenticationRequestFilter *implements
> ContainerRequestFilter {
> @Override
> public void *filter*(ContainerRequestContext ctx) throws IOException {
> User user = null;
>
> try {
> String[] credentials = readCredentials(ctx);
> String username = credentials[0];
> String password = credentials[1];
> user = authenticate(username, password);
> } catch (AuthenticationException e) {
> switch (e.getErrorCode()) {
> case 401:
>
> ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
> break;
> case 403:
>
> ctx.abortWith(Response.status(Response.Status.FORBIDDEN).build());
> break;
> }
> }
>
> // Set the custom security context
> if (user != null)
> ctx.*setSecurityContext*(new AppSecurityContext(user,
> ctx.getUriInfo()));
> }
>
> ...
> }
>
> The current (correct) behavior is the following:
> - when I send a request with a valid credential (user1), the request
> filter authenticates the user and the service returns the resource data.
> - when I send a request without credentials, my request filter returns a
> 401 code.
> - when I send a request with an unknown user, my filter returns a 403 code.
>
> My question is : how to set up authorization on methods based on roles?
> Users and roles are stored in an application database, not on JBoss.
>
> Here's what I did and that did not work:
> - I added the annotation @RolesAllowed("users") on my service method.
> - I set a custom SecurityContext in my request filter that associates
> the role "users" to the user "user1"
> - I added and set the context-param "resteasy.role.based.security" to
> true in web.xml.
>
> The resulting behavior is that my filter is never called, and all
> requests result in a 403 code.
> It seems that the role is checked before calling my request filter, so
> that the custom SecurityContext is not yet created.
>
> Lately, I read in the documentation that we must not enable
> "resteasy.role.based.security" if we use EJBs, and that is my case.
> However, I didn't found any example or description about what to do in
> that case.
>
>
> --
> CenturyLink Cloud: The Leader in Enterprise Cloud Services.
> Learn Why More Businesses Are Choosing CenturyLink Cloud For
> Critical Workloads, Development Environments & Everything In Between.
> Get a Quote or Start a Free Trial Today.
> http://pubads.g.doubleclick.net/gampad/clk?id=119420431&iu=/4140/ostg.clktrk
>
>
>
> ___
> Resteasy-users maili