I know we have something weird on one @XAll at class level, if you can
write a unit test ill try to check
Le 28 déc. 2013 11:09, "Matej" <[email protected]> a écrit :
> Implemented the CXF filter. I am pasting the code if someone needs it. It
> works great. But I notice something strange when testing. Maybe a Tomee
> bug, don't know.
>
> I thought that a method Attribute overrides the class attributes. That's
> how I implemented the filter. Meaning if I set @DenyAll on the class, and
> @AllowAll on the REST method, the method should still be accesible. I am
> not 100% sure, but that's how i think how it works on GF.
>
> BR
>
> MAtej
>
>
>
>
> public class AuthorizationRequestHandler implements RequestHandler {
>
> @Context
> private SecurityContext securityContext;
>
> @Override
> public Response handleRequest(Message msg, ClassResourceInfo cri) {
>
> if (!hasUserAccess(msg, cri)) {
> return Response.status(Response.Status.UNAUTHORIZED).build();
> }
>
> return null;
> }
>
> public boolean hasUserAccess(Message msg, ClassResourceInfo cri) {
>
> /*
> * Check method attributes
> */
> Method method =
> msg.getExchange().get(OperationResourceInfo.class).getAnnotatedMethod();
> if (method.getAnnotation(DenyAll.class) != null) {
> return false;
> }
>
> if (method.getAnnotation(PermitAll.class) != null) {
> return true;
> }
>
> RolesAllowed raMethod = method.getAnnotation(RolesAllowed.class);
> if (raMethod != null) {
> for (String role : raMethod.value()) {
> if (securityContext.isUserInRole(role)) {
> return true;
> }
> }
> return false;
> }
> /*
> * Check class attributes
> */
> Class<?> resourceClass = cri.getResourceClass();
> if (resourceClass.getAnnotation(DenyAll.class) != null) {
> return false;
> }
>
> if (resourceClass.getAnnotation(PermitAll.class) != null) {
> return true;
> }
>
> RolesAllowed raClass =
> resourceClass.getAnnotation(RolesAllowed.class);
> if (raClass != null) {
> for (String role : raClass.value()) {
> if (securityContext.isUserInRole(role)) {
> return true;
> }
> }
> return false;
> }
> return true;
> }
> }
>
>
> 2013/12/27 Romain Manni-Bucau <[email protected]>
>
> > Hmm, i didnt test but check using Exception what's the exact type,
> wrapping
> > sometimes leads to surprises.
> >
> > Side note: a filter would work in all cases.
> > Le 27 déc. 2013 21:25, "Matej" <[email protected]> a écrit :
> >
> > > Hello Romain.
> > >
> > > I tried with something like this:
> > >
> > >
> > > @Provider
> > > public class EjbAccessExceptionMapper implements
> > > ExceptionMapper<EJBAccessException> {
> > >
> > > @Override
> > > public Response toResponse(EJBAccessException t) {
> > > return
> > > Response.status(Status.BAD_REQUEST).entity(t.getMessage()).build();
> > > }
> > > }
> > >
> > >
> > > But I don't tnik the Error message is returned from the REST /CXF
> domain.
> > >
> > > javax.servlet.ServletException: Error processing webservice request
> > >
> > org.apache.openejb.server.rest.RsServlet.service(RsServlet.java:59)
> > > javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
> > >
> > > org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)
> > >
> > > *root cause*
> > >
> > > java.lang.RuntimeException: org.apache.cxf.interceptor.Fault:
> > > Unauthorized Access by Principal Denied while invoking public
> > > javax.ws.rs.core.Response
> > >
> > >
> >
> org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserver.onMessage(AbstractFaultChainInitiatorObserver.java:116)
> > >
> > >
> >
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:322)
> > >
> > >
> >
> org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
> > >
> > >
> >
> org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:237)
> > >
> > >
> >
> org.apache.openejb.server.cxf.rs.CxfRsHttpListener.onMessage(CxfRsHttpListener.java:170)
> > >
> > org.apache.openejb.server.rest.RsServlet.service(RsServlet.java:53)
> > > javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
> > >
> > > org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)
> > >
> > > *root cause*
> > >
> > > org.apache.cxf.interceptor.Fault: Unauthorized Access by Principal
> > > Denied while invoking public
> > > javax.ws.rs.core.Response.getEmployeeTimesheet(long,long) with params
> > > [0, 0].
> > >
> > >
> >
> org.apache.cxf.service.invoker.AbstractInvoker.createFault(AbstractInvoker.java:166)
> > >
> > >
> >
> org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:140)
> > > org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:165)
> > >
> > >
> >
> org.apache.openejb.server.cxf.rs.OpenEJBEJBInvoker.invoke(OpenEJBEJBInvoker.java:67)
> > > org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:89)
> > >
> > >
> >
> org.apache.openejb.server.cxf.rs.AutoJAXRSInvoker.invoke(AutoJAXRSInvoker.java:63)
> > >
> > >
> >
> org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:57)
> > >
> > >
> >
> org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:93)
> > >
> > >
> >
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
> > >
> > >
> >
> org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
> > >
> > >
> >
> org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:237)
> > >
> > >
> >
> org.apache.openejb.server.cxf.rs.CxfRsHttpListener.onMessage(CxfRsHttpListener.java:170)
> > >
> > org.apache.openejb.server.rest.RsServlet.service(RsServlet.java:53)
> > > javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
> > >
> > > org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)
> > >
> > > *root cause*
> > >
> > > javax.ejb.EJBAccessException: Unauthorized Access by Principal Denied
> > >
> > >
> >
> org.apache.openejb.core.stateless.StatelessContainer.invoke(StatelessContainer.java:158)
> > >
> > > org.apache.openejb.util.proxy.ProxyEJB$Handler.invoke(ProxyEJB.java:73)
> > > sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > >
> > >
> >
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> > >
> > >
> >
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > > java.lang.reflect.Method.invoke(Method.java:606)
> > >
> > >
> >
> org.apache.openejb.server.cxf.rs.OpenEJBEJBInvoker.performInvocation(OpenEJBEJBInvoker.java:93)
> > >
> > >
> >
> org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:96)
> > > org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:165)
> > >
> > >
> >
> org.apache.openejb.server.cxf.rs.OpenEJBEJBInvoker.invoke(OpenEJBEJBInvoker.java:67)
> > > org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:89)
> > >
> > >
> >
> org.apache.openejb.server.cxf.rs.AutoJAXRSInvoker.invoke(AutoJAXRSInvoker.java:63)
> > >
> > >
> >
> org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:57)
> > >
> > >
> >
> org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:93)
> > >
> > >
> >
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
> > >
> > >
> >
> org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
> > >
> > >
> >
> org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:237)
> > >
> > >
> >
> org.apache.openejb.server.cxf.rs.CxfRsHttpListener.onMessage(CxfRsHttpListener.java:170)
> > >
> > org.apache.openejb.server.rest.RsServlet.service(RsServlet.java:53)
> > > javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
> > >
> > > org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)
> > >
> > >
> > >
> > > 2013/12/27 Romain Manni-Bucau <[email protected]>
> > >
> > > > Hi
> > > >
> > > > I'd add a custom ExceptionMapper or Filter.
> > > > Le 27 déc. 2013 20:31, "Matej" <[email protected]> a écrit :
> > > >
> > > > > Hello everyone.
> > > > >
> > > > > Anybody knows how to make Tomee/cxf return a forbidden HTTP status
> > code
> > > > 401
> > > > > or 403 instead of this:
> > > > >
> > > > > STATUS 500
> > > > >
> > > > > java.lang.RuntimeException: org.apache.cxf.interceptor.Fault:
> > > > > Unauthorized Access by Principal Denied
> > > > >
> > > > > I manage to do this in glassfish using this:
> > > > >
> > > > > <init-param>
> > > > >
> > > > >
> <param-name>com.sun.jersey.spi.container.ResourceFilters</param-name>
> > > > >
> > > > >
> > > >
> > >
> >
> <param-value>com.sun.jersey.api.container.filter.RolesAllowedResourceFilterFactory</param-value>
> > > > > </init-param>
> > > > >
> > > > > But Tomee is currently new-land for me.
> > > > >
> > > > > BR
> > > > >
> > > > > Matej
> > > > >
> > > >
> > >
> >
>
