Implemented the CXF filter. I am pasting the code if someone needs it. It
works great. But I notice something strange when testing. Maybe a Tomee
bug, don't know.
I thought that a method Attribute overrides the class attributes. That's
how I implemented the filter. Meaning if I set @DenyAll on the class, and
@AllowAll on the REST method, the method should still be accesible. I am
not 100% sure, but that's how i think how it works on GF.
BR
MAtej
public class AuthorizationRequestHandler implements RequestHandler {
@Context
private SecurityContext securityContext;
@Override
public Response handleRequest(Message msg, ClassResourceInfo cri) {
if (!hasUserAccess(msg, cri)) {
return Response.status(Response.Status.UNAUTHORIZED).build();
}
return null;
}
public boolean hasUserAccess(Message msg, ClassResourceInfo cri) {
/*
* Check method attributes
*/
Method method =
msg.getExchange().get(OperationResourceInfo.class).getAnnotatedMethod();
if (method.getAnnotation(DenyAll.class) != null) {
return false;
}
if (method.getAnnotation(PermitAll.class) != null) {
return true;
}
RolesAllowed raMethod = method.getAnnotation(RolesAllowed.class);
if (raMethod != null) {
for (String role : raMethod.value()) {
if (securityContext.isUserInRole(role)) {
return true;
}
}
return false;
}
/*
* Check class attributes
*/
Class<?> resourceClass = cri.getResourceClass();
if (resourceClass.getAnnotation(DenyAll.class) != null) {
return false;
}
if (resourceClass.getAnnotation(PermitAll.class) != null) {
return true;
}
RolesAllowed raClass =
resourceClass.getAnnotation(RolesAllowed.class);
if (raClass != null) {
for (String role : raClass.value()) {
if (securityContext.isUserInRole(role)) {
return true;
}
}
return false;
}
return true;
}
}
2013/12/27 Romain Manni-Bucau <[email protected]>
> Hmm, i didnt test but check using Exception what's the exact type, wrapping
> sometimes leads to surprises.
>
> Side note: a filter would work in all cases.
> Le 27 déc. 2013 21:25, "Matej" <[email protected]> a écrit :
>
> > Hello Romain.
> >
> > I tried with something like this:
> >
> >
> > @Provider
> > public class EjbAccessExceptionMapper implements
> > ExceptionMapper<EJBAccessException> {
> >
> > @Override
> > public Response toResponse(EJBAccessException t) {
> > return
> > Response.status(Status.BAD_REQUEST).entity(t.getMessage()).build();
> > }
> > }
> >
> >
> > But I don't tnik the Error message is returned from the REST /CXF domain.
> >
> > javax.servlet.ServletException: Error processing webservice request
> >
> org.apache.openejb.server.rest.RsServlet.service(RsServlet.java:59)
> > javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
> >
> > org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)
> >
> > *root cause*
> >
> > java.lang.RuntimeException: org.apache.cxf.interceptor.Fault:
> > Unauthorized Access by Principal Denied while invoking public
> > javax.ws.rs.core.Response
> >
> >
> org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserver.onMessage(AbstractFaultChainInitiatorObserver.java:116)
> >
> >
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:322)
> >
> >
> org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
> >
> >
> org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:237)
> >
> >
> org.apache.openejb.server.cxf.rs.CxfRsHttpListener.onMessage(CxfRsHttpListener.java:170)
> >
> org.apache.openejb.server.rest.RsServlet.service(RsServlet.java:53)
> > javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
> >
> > org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)
> >
> > *root cause*
> >
> > org.apache.cxf.interceptor.Fault: Unauthorized Access by Principal
> > Denied while invoking public
> > javax.ws.rs.core.Response.getEmployeeTimesheet(long,long) with params
> > [0, 0].
> >
> >
> org.apache.cxf.service.invoker.AbstractInvoker.createFault(AbstractInvoker.java:166)
> >
> >
> org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:140)
> > org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:165)
> >
> >
> org.apache.openejb.server.cxf.rs.OpenEJBEJBInvoker.invoke(OpenEJBEJBInvoker.java:67)
> > org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:89)
> >
> >
> org.apache.openejb.server.cxf.rs.AutoJAXRSInvoker.invoke(AutoJAXRSInvoker.java:63)
> >
> >
> org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:57)
> >
> >
> org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:93)
> >
> >
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
> >
> >
> org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
> >
> >
> org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:237)
> >
> >
> org.apache.openejb.server.cxf.rs.CxfRsHttpListener.onMessage(CxfRsHttpListener.java:170)
> >
> org.apache.openejb.server.rest.RsServlet.service(RsServlet.java:53)
> > javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
> >
> > org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)
> >
> > *root cause*
> >
> > javax.ejb.EJBAccessException: Unauthorized Access by Principal Denied
> >
> >
> org.apache.openejb.core.stateless.StatelessContainer.invoke(StatelessContainer.java:158)
> >
> > org.apache.openejb.util.proxy.ProxyEJB$Handler.invoke(ProxyEJB.java:73)
> > sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >
> >
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> >
> >
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > java.lang.reflect.Method.invoke(Method.java:606)
> >
> >
> org.apache.openejb.server.cxf.rs.OpenEJBEJBInvoker.performInvocation(OpenEJBEJBInvoker.java:93)
> >
> >
> org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:96)
> > org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:165)
> >
> >
> org.apache.openejb.server.cxf.rs.OpenEJBEJBInvoker.invoke(OpenEJBEJBInvoker.java:67)
> > org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:89)
> >
> >
> org.apache.openejb.server.cxf.rs.AutoJAXRSInvoker.invoke(AutoJAXRSInvoker.java:63)
> >
> >
> org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:57)
> >
> >
> org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:93)
> >
> >
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
> >
> >
> org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
> >
> >
> org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:237)
> >
> >
> org.apache.openejb.server.cxf.rs.CxfRsHttpListener.onMessage(CxfRsHttpListener.java:170)
> >
> org.apache.openejb.server.rest.RsServlet.service(RsServlet.java:53)
> > javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
> >
> > org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)
> >
> >
> >
> > 2013/12/27 Romain Manni-Bucau <[email protected]>
> >
> > > Hi
> > >
> > > I'd add a custom ExceptionMapper or Filter.
> > > Le 27 déc. 2013 20:31, "Matej" <[email protected]> a écrit :
> > >
> > > > Hello everyone.
> > > >
> > > > Anybody knows how to make Tomee/cxf return a forbidden HTTP status
> code
> > > 401
> > > > or 403 instead of this:
> > > >
> > > > STATUS 500
> > > >
> > > > java.lang.RuntimeException: org.apache.cxf.interceptor.Fault:
> > > > Unauthorized Access by Principal Denied
> > > >
> > > > I manage to do this in glassfish using this:
> > > >
> > > > <init-param>
> > > >
> > > > <param-name>com.sun.jersey.spi.container.ResourceFilters</param-name>
> > > >
> > > >
> > >
> >
> <param-value>com.sun.jersey.api.container.filter.RolesAllowedResourceFilterFactory</param-value>
> > > > </init-param>
> > > >
> > > > But Tomee is currently new-land for me.
> > > >
> > > > BR
> > > >
> > > > Matej
> > > >
> > >
> >
>
