On 12/10/2013 17:29, Jim Talbut wrote:
Hi,
I want to use Spring-Security to protect a bunch of JAX-RS endpoints
in a couple of different (independent) applications.
One of the applications will start off using basic auth and will
probably never progress beyond that, so I could use CXF interceptors
to handle the auth.
The other application will use CAS, and I'm not aware of any CXF
interceptors that handle that.
Hence the desire to use Spring-Security.
My problem is that I want to be able to have Maven run integration
tests that validate the method level security on each build (and
preferably in the same test cases that test other aspects of the REST
interface).
Previously I have just carried out my testing by having CXF construct
a localhost endpoint, but this means that Spring knows nothing about
the network side of the tests and thus Spring-Security isn't used.
Is it possible to introduce the Spring-Security filters into the Jetty
instance created by CXF?
If not, is it possible to have a Spring JUnit test case created as a
(real, not mock) servlet container so that CXF can use a relative
address?
Another thought was to find a way to have the CXF WebClient use a
Spring mock endpoint, but I have even less idea about how to do that.
Any ideas?
Thanks
Jim

I've written a Jetty Handler that manually invokes the Spring Security
filter chain (passing a data collecting filter as the next filter in the
chain) and it sort-of works.
The big outstanding problem is that the CXF context breaks if I apply
the @PreAuthorize annotation directly to the JAX-RS method:
    @GET
    @Produces( { "application/json", "text/xml" } )
    @PreAuthorize("hasRole('ROLE_ADMIN')")
    public UsersElement getAll() {
I /think/ this is breaking because the proxy for the PreAuth means
that the @Context annotation isn't being detected by CXF.
Can that be fixed?
Jim
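
The mechanism suspected in the message above, as an added illustration that is not part of the original post and is not CXF or Spring code: a scanner that inspects the proxy's class finds neither the field annotation nor the method annotation, while the target class still carries both. It assumes an interface-based (JDK dynamic) proxy; the nested @Context and @PreAuthorize annotations are stand-ins, and Users, UsersResource and messageContext are hypothetical names.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Field;
import java.lang.reflect.Proxy;

public class ProxyAnnotationDemo {
    // Stand-ins (assumptions) for the JAX-RS and Spring Security annotations.
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.FIELD)
    @interface Context {}
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    @interface PreAuthorize { String value(); }

    interface Users { String getAll(); }

    // Hypothetical resource: one injected field, one secured method.
    static class UsersResource implements Users {
        @Context Object messageContext;
        @PreAuthorize("hasRole('ROLE_ADMIN')")
        public String getAll() { return "users"; }
    }

    // What an injector sees when it scans a class for @Context fields.
    static int contextFields(Class<?> c) {
        int n = 0;
        for (Field f : c.getDeclaredFields()) {
            if (f.isAnnotationPresent(Context.class)) n++;
        }
        return n;
    }

    // What a security check sees when it looks up getAll() on a class.
    static boolean secured(Class<?> c) throws NoSuchMethodException {
        return c.getMethod("getAll").isAnnotationPresent(PreAuthorize.class);
    }

    public static void main(String[] args) throws Exception {
        UsersResource target = new UsersResource();
        // Interface-based proxy that forwards every call to the target.
        Users proxy = (Users) Proxy.newProxyInstance(
                Users.class.getClassLoader(), new Class<?>[] { Users.class },
                (p, m, a) -> m.invoke(target, a));
        for (Object bean : new Object[] { target, proxy }) {
            Class<?> c = bean.getClass();
            System.out.printf("%s: @Context fields=%d, @PreAuthorize on getAll=%b%n",
                    c.getSimpleName(), contextFields(c), secured(c));
        }
        System.out.println("call through proxy still works: " + proxy.getAll());
    }
}
```

Resolving the target class behind the proxy before scanning, or declaring the annotations on the interface, are the two usual ways to make both lookups succeed.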