I have created a RESTful service, and it works OK w/o authentication.
Trying to set up basic auth using Spring Security 3.2.6 on top of that.

The problem is that when I have @Secured the services, the system
always tells me "Forbidden".

For example this service:

@Path("/1.0/")
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
public interface WebService
{
    /**
     * Can be used to test the connection and service.
     *
     * @return Response with message: pong
     */
    @GET
    @Path("/ping")
    @Secured({"ROLE_TMR", "ROLE_ADMIN"})
    public Response ping();
}

will return Forbidden always, and the browser does not request any
credentials. I think something is blocking the basic auth in this setup.

Setup:

Liferay 6.2 on Tomcat 7.2

The security is configured in beans.xml like this:

<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:jaxrs="http://cxf.apache.org/jaxrs"
       xmlns:aop="http://www.springframework.org/schema/aop"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans.xsd
         http://www.springframework.org/schema/aop
         http://www.springframework.org/schema/aop/spring-aop.xsd
         http://www.springframework.org/schema/security
         http://www.springframework.org/schema/security/spring-security-3.2.xsd
         http://cxf.apache.org/jaxrs
         http://cxf.apache.org/schemas/jaxrs.xsd">
    <import resource="classpath:META-INF/cxf/cxf.xml"/>
    <import resource="classpath:META-INF/cxf/cxf-servlet.xml"/>
    <jaxrs:server id="webservice" address="/">
        <jaxrs:serviceBeans>
            <ref bean="webservice10"/>
        </jaxrs:serviceBeans>
        <jaxrs:providers>
            <bean class="fi.dise.ws.SecurityExceptionMapper"/>
            <bean class="com.fasterxml.jackson.jaxrs.json.JacksonJaxbJsonProvider"/>
        </jaxrs:providers>
    </jaxrs:server>
    <bean id="webservice10" class="fi.dise.ws.WebServiceImpl" />
    <!--
    <bean class="org.springframework.security.authentication.encoding.Md5PasswordEncoder"
          id="passwordEncoder"/>
    -->
    <security:global-method-security secured-annotations="enabled" />
    <security:http auto-config="true">
        <security:http-basic/>
    </security:http>
    <security:authentication-manager>
        <security:authentication-provider>
            <!-- it is possible to md5 encode these passwords, or use a
                 SQL backed or a custom bean for this. -->
            <!-- <security:password-encoder ref="passwordEncoder"/> -->
            <security:user-service>
                <security:user name="tmr" password="xxxx" authorities="ROLE_TMR"/>
            </security:user-service>
        </security:authentication-provider>
    </security:authentication-manager>
</beans>

Any ideas? The config should be OK, but does not work when the security
is uncommented like this. Could Liferay or Tomcat somehow cause this?

-- 
jarif.bit

