On 20.03.2015 18:10, Jari Fredriksson wrote:
> I have created a RESTful service, and it works OK w/o authentication.
> Trying to setup basic auth using Spring Security 3.2.6 on top of that.
>
> The problem is that when I have @Secured the services, the system
> always tells me that "Forbidden".
>
> For example this service:
>
> @Path("/1.0/")
> @Consumes(MediaType.APPLICATION_JSON)
> @Produces(MediaType.APPLICATION_JSON)
> public interface WebService
> {
>     /**
>      * Can be used to test the connection and service.
>      *
>      * @return Response with message: pong
>      */
>     @GET
>     @Path("/ping")
>     @Secured({"ROLE_TMR", "ROLE_ADMIN"})
>     public Response ping();
>
> will return Forbidden always, and the browser does not request any
> credentials. I think something is blocking the basic auth in this setup.
>
> Setup:
>
> Liferay 6.2 on Tomcat 7.2
>
> The security is configured in beans.xml like this:
>
> <beans xmlns="http://www.springframework.org/schema/beans"
>        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>        xmlns:jaxrs="http://cxf.apache.org/jaxrs"
>        xmlns:aop="http://www.springframework.org/schema/aop"
>        xmlns:security="http://www.springframework.org/schema/security"
>        xsi:schemaLocation="http://www.springframework.org/schema/beans
>            http://www.springframework.org/schema/beans/spring-beans.xsd
>          http://www.springframework.org/schema/aop
>            http://www.springframework.org/schema/aop/spring-aop.xsd
>          http://www.springframework.org/schema/security
>            http://www.springframework.org/schema/security/spring-security-3.2.xsd
>          http://cxf.apache.org/jaxrs
>            http://cxf.apache.org/schemas/jaxrs.xsd">
>     <import resource="classpath:META-INF/cxf/cxf.xml"/>
>     <import resource="classpath:META-INF/cxf/cxf-servlet.xml"/>
>     <jaxrs:server id="webservice" address="/">
>         <jaxrs:serviceBeans>
>             <ref bean="webservice10"/>
>         </jaxrs:serviceBeans>
>         <jaxrs:providers>
>             <bean class="fi.dise.ws.SecurityExceptionMapper"/>
>             <bean class="com.fasterxml.jackson.jaxrs.json.JacksonJaxbJsonProvider"/>
>         </jaxrs:providers>
>     </jaxrs:server>
>     <bean id="webservice10" class="fi.dise.ws.WebServiceImpl" />
>     <!--
>     <bean class="org.springframework.security.authentication.encoding.Md5PasswordEncoder"
>           id="passwordEncoder"/>
>     -->
>     <security:global-method-security secured-annotations="enabled" />
>     <security:http auto-config="true">
>         <security:http-basic/>
>     </security:http>
>     <security:authentication-manager>
>         <security:authentication-provider>
>             <!-- it is possible to md5 encode these passwords, or use a
>                  SQL backed or a custom bean for this. -->
>             <!-- <security:password-encoder ref="passwordEncoder"/> -->
>             <security:user-service>
>                 <security:user name="tmr" password="xxxx" authorities="ROLE_TMR"/>
>             </security:user-service>
>         </security:authentication-provider>
>     </security:authentication-manager>
> </beans>
>
> Any ideas? The config should be OK, but does not work when the security
> is uncommented like this. Could Liferay or Tomcat somehow cause this?
>
Appears it worked OK all the time.

wget and GET did not somehow send the Authentication header, but curl
--basic sends it, and it just works.



-- 
jarif.bit

