Yep

On Dec 29, 2013 14:09, "Matej" <[email protected]> wrote:

> Hello Romain.
>
> I needed some time to compile the source.
>
> Tried to read your changes, but could not understand them 100%. Never mind :),
> it seems to be working perfectly.
>
> This change will be in the 1.6.1 release?
>
> Thank you a lot.
>
> BR
>
> Matej
>
>
> 2013/12/28 Romain Manni-Bucau <[email protected]>
>
> > Hi
> >
> > Hope https://issues.apache.org/jira/browse/OPENEJB-2064 helps, any
> > feedback using the snapshot would be welcomed!
> >
> > Romain Manni-Bucau
> > Twitter: @rmannibucau
> > Blog: http://rmannibucau.wordpress.com/
> > LinkedIn: http://fr.linkedin.com/in/rmannibucau
> > Github: https://github.com/rmannibucau
> >
> >
> > 2013/12/28 Romain Manni-Bucau <[email protected]>:
> > > I know we have something weird on one @XAll at class level, if you can
> > > write a unit test I'll try to check
> > >
> > > On Dec 28, 2013 11:09, "Matej" <[email protected]> wrote:
> > >
> > > > Implemented the CXF filter. I am pasting the code if someone needs it.
> > > > It works great. But I notice something strange when testing. Maybe a
> > > > Tomee bug, don't know.
> > > >
> > > > I thought that a method attribute overrides the class attributes.
> > > > That's how I implemented the filter. Meaning if I set @DenyAll on the
> > > > class, and @AllowAll on the REST method, the method should still be
> > > > accessible. I am not 100% sure, but that's how I think it works on GF.
> > > >
> > > > BR
> > > >
> > > > Matej
> > > >
> > > >
> > > > import java.lang.reflect.Method;
> > > >
> > > > import javax.annotation.security.DenyAll;
> > > > import javax.annotation.security.PermitAll;
> > > > import javax.annotation.security.RolesAllowed;
> > > > import javax.ws.rs.core.Context;
> > > > import javax.ws.rs.core.Response;
> > > > import javax.ws.rs.core.SecurityContext;
> > > >
> > > > import org.apache.cxf.jaxrs.ext.RequestHandler;
> > > > import org.apache.cxf.jaxrs.model.ClassResourceInfo;
> > > > import org.apache.cxf.jaxrs.model.OperationResourceInfo;
> > > > import org.apache.cxf.message.Message;
> > > >
> > > > public class AuthorizationRequestHandler implements RequestHandler {
> > > >
> > > >     @Context
> > > >     private SecurityContext securityContext;
> > > >
> > > >     @Override
> > > >     public Response handleRequest(Message msg, ClassResourceInfo cri) {
> > > >         if (!hasUserAccess(msg, cri)) {
> > > >             return Response.status(Response.Status.UNAUTHORIZED).build();
> > > >         }
> > > >         // returning null lets CXF continue to the resource method
> > > >         return null;
> > > >     }
> > > >
> > > >     public boolean hasUserAccess(Message msg, ClassResourceInfo cri) {
> > > >         /*
> > > >          * Check method attributes (they take precedence over the class)
> > > >          */
> > > >         Method method = msg.getExchange().get(OperationResourceInfo.class).getAnnotatedMethod();
> > > >         if (method.getAnnotation(DenyAll.class) != null) {
> > > >             return false;
> > > >         }
> > > >
> > > >         if (method.getAnnotation(PermitAll.class) != null) {
> > > >             return true;
> > > >         }
> > > >
> > > >         RolesAllowed raMethod = method.getAnnotation(RolesAllowed.class);
> > > >         if (raMethod != null) {
> > > >             for (String role : raMethod.value()) {
> > > >                 if (securityContext.isUserInRole(role)) {
> > > >                     return true;
> > > >                 }
> > > >             }
> > > >             return false;
> > > >         }
> > > >
> > > >         /*
> > > >          * Check class attributes (only reached when the method has none)
> > > >          */
> > > >         Class<?> resourceClass = cri.getResourceClass();
> > > >         if (resourceClass.getAnnotation(DenyAll.class) != null) {
> > > >             return false;
> > > >         }
> > > >
> > > >         if (resourceClass.getAnnotation(PermitAll.class) != null) {
> > > >             return true;
> > > >         }
> > > >
> > > >         RolesAllowed raClass = resourceClass.getAnnotation(RolesAllowed.class);
> > > >         if (raClass != null) {
> > > >             for (String role : raClass.value()) {
> > > >                 if (securityContext.isUserInRole(role)) {
> > > >                     return true;
> > > >                 }
> > > >             }
> > > >             return false;
> > > >         }
> > > >
> > > >         // no security annotation at either level: allow
> > > >         return true;
> > > >     }
> > > > }
> > > >
> > > >
> > > > 2013/12/27 Romain Manni-Bucau <[email protected]>
> > > >
> > > > > Hmm, I didn't test but check using Exception what's the exact type,
> > > > > wrapping sometimes leads to surprises.
> > > > >
> > > > > Side note: a filter would work in all cases.
> > > > >
> > > > > On Dec 27, 2013 21:25, "Matej" <[email protected]> wrote:
> > > > >
> > > > > > Hello Romain.
> > > > > >
> > > > > > I tried with something like this:
> > > > > >
> > > > > >
> > > > > > import javax.ejb.EJBAccessException;
> > > > > > import javax.ws.rs.core.Response;
> > > > > > import javax.ws.rs.core.Response.Status;
> > > > > > import javax.ws.rs.ext.ExceptionMapper;
> > > > > > import javax.ws.rs.ext.Provider;
> > > > > >
> > > > > > @Provider
> > > > > > public class EjbAccessExceptionMapper implements
> > > > > >         ExceptionMapper<EJBAccessException> {
> > > > > >
> > > > > >     @Override
> > > > > >     public Response toResponse(EJBAccessException t) {
> > > > > >         return Response.status(Status.BAD_REQUEST).entity(t.getMessage()).build();
> > > > > >     }
> > > > > > }
> > > > > >
> > > > > >
> > > > > > But I don't think the error message is returned from the REST/CXF
> > > > > > domain.
> > > > > >
> > > > > > javax.servlet.ServletException: Error processing webservice request
> > > > > >     org.apache.openejb.server.rest.RsServlet.service(RsServlet.java:59)
> > > > > >     javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
> > > > > >     org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)
> > > > > >
> > > > > > *root cause*
> > > > > >
> > > > > > java.lang.RuntimeException: org.apache.cxf.interceptor.Fault:
> > > > > > Unauthorized Access by Principal Denied while invoking public
> > > > > > javax.ws.rs.core.Response
> > > > > >     org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserver.onMessage(AbstractFaultChainInitiatorObserver.java:116)
> > > > > >     org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:322)
> > > > > >     org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
> > > > > >     org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:237)
> > > > > >     org.apache.openejb.server.cxf.rs.CxfRsHttpListener.onMessage(CxfRsHttpListener.java:170)
> > > > > >     org.apache.openejb.server.rest.RsServlet.service(RsServlet.java:53)
> > > > > >     javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
> > > > > >     org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)
> > > > > >
> > > > > > *root cause*
> > > > > >
> > > > > > org.apache.cxf.interceptor.Fault: Unauthorized Access by Principal
> > > > > > Denied while invoking public
> > > > > > javax.ws.rs.core.Response.getEmployeeTimesheet(long,long) with params
> > > > > > [0, 0].
> > > > > >     org.apache.cxf.service.invoker.AbstractInvoker.createFault(AbstractInvoker.java:166)
> > > > > >     org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:140)
> > > > > >     org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:165)
> > > > > >     org.apache.openejb.server.cxf.rs.OpenEJBEJBInvoker.invoke(OpenEJBEJBInvoker.java:67)
> > > > > >     org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:89)
> > > > > >     org.apache.openejb.server.cxf.rs.AutoJAXRSInvoker.invoke(AutoJAXRSInvoker.java:63)
> > > > > >     org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:57)
> > > > > >     org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:93)
> > > > > >     org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
> > > > > >     org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
> > > > > >     org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:237)
> > > > > >     org.apache.openejb.server.cxf.rs.CxfRsHttpListener.onMessage(CxfRsHttpListener.java:170)
> > > > > >     org.apache.openejb.server.rest.RsServlet.service(RsServlet.java:53)
> > > > > >     javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
> > > > > >     org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)
> > > > > >
> > > > > > *root cause*
> > > > > >
> > > > > > javax.ejb.EJBAccessException: Unauthorized Access by Principal Denied
> > > > > >     org.apache.openejb.core.stateless.StatelessContainer.invoke(StatelessContainer.java:158)
> > > > > >     org.apache.openejb.util.proxy.ProxyEJB$Handler.invoke(ProxyEJB.java:73)
> > > > > >     sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > > > > >     sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> > > > > >     sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > > > > >     java.lang.reflect.Method.invoke(Method.java:606)
> > > > > >     org.apache.openejb.server.cxf.rs.OpenEJBEJBInvoker.performInvocation(OpenEJBEJBInvoker.java:93)
> > > > > >     org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:96)
> > > > > >     org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:165)
> > > > > >     org.apache.openejb.server.cxf.rs.OpenEJBEJBInvoker.invoke(OpenEJBEJBInvoker.java:67)
> > > > > >     org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:89)
> > > > > >     org.apache.openejb.server.cxf.rs.AutoJAXRSInvoker.invoke(AutoJAXRSInvoker.java:63)
> > > > > >     org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:57)
> > > > > >     org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:93)
> > > > > >     org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
> > > > > >     org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
> > > > > >     org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:237)
> > > > > >     org.apache.openejb.server.cxf.rs.CxfRsHttpListener.onMessage(CxfRsHttpListener.java:170)
> > > > > >     org.apache.openejb.server.rest.RsServlet.service(RsServlet.java:53)
> > > > > >     javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
> > > > > >     org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)
> > > > > >
> > > > > >
> > > > > > 2013/12/27 Romain Manni-Bucau <[email protected]>
> > > > > >
> > > > > > > Hi
> > > > > > >
> > > > > > > I'd add a custom ExceptionMapper or Filter.
> > > > > > >
> > > > > > > On Dec 27, 2013 20:31, "Matej" <[email protected]> wrote:
> > > > > > >
> > > > > > > > Hello everyone.
> > > > > > > >
> > > > > > > > Does anybody know how to make Tomee/cxf return a forbidden HTTP
> > > > > > > > status code 401 or 403 instead of this:
> > > > > > > >
> > > > > > > > STATUS 500
> > > > > > > >
> > > > > > > > java.lang.RuntimeException: org.apache.cxf.interceptor.Fault:
> > > > > > > > Unauthorized Access by Principal Denied
> > > > > > > >
> > > > > > > > I managed to do this in glassfish using this:
> > > > > > > >
> > > > > > > > <init-param>
> > > > > > > >     <param-name>com.sun.jersey.spi.container.ResourceFilters</param-name>
> > > > > > > >     <param-value>com.sun.jersey.api.container.filter.RolesAllowedResourceFilterFactory</param-value>
> > > > > > > > </init-param>
> > > > > > > >
> > > > > > > > But Tomee is currently new-land for me.
> > > > > > > >
> > > > > > > > BR
> > > > > > > >
> > > > > > > > Matej
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
>
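The first approach Romain suggests (a custom ExceptionMapper), written out as an added example; this is not code from the thread, from TomEE or from CXF. It assumes the container hands the exception, or a wrapper of it, to the JAX-RS ExceptionMapper (the trace above shows it arriving as RuntimeException wrapping org.apache.cxf.interceptor.Fault wrapping javax.ejb.EJBAccessException, and Matej reports the OPENEJB-2064 snapshot as the fix), so, following Romain's "check the exact type" hint, it walks the cause chain rather than mapping EJBAccessException directly. It also answers 401 when no principal is authenticated and 403 when one is but lacks the role, and it deliberately does not echo the exception message, since the Fault text in the trace carries the method signature and its arguments. The class name AccessDeniedExceptionMapper, the realm string, the plain-text bodies and the constructed exception in main are hypothetical.

```java
import java.security.Principal;

import javax.ejb.EJBAccessException;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.ExceptionMapper;
import javax.ws.rs.ext.Provider;

/**
 * Illustrative mapper (hypothetical name; not from the thread, TomEE or CXF).
 * Registered as a JAX-RS provider, it turns an EJBAccessException found
 * anywhere in the cause chain into 401 or 403 and keeps everything else a
 * generic 500 with a fixed body.
 */
@Provider
public class AccessDeniedExceptionMapper implements ExceptionMapper<Exception> {

    /** Bound on cause-chain walking, in case a chain is cyclic. */
    private static final int MAX_CAUSE_DEPTH = 16;

    /** Hypothetical realm; only meaningful if the application uses HTTP Basic auth. */
    private static final String REALM = "app";

    // Per-request proxy injected by the JAX-RS runtime into the provider.
    @Context
    private SecurityContext securityContext;

    @Override
    public Response toResponse(Exception exception) {
        // Let the runtime's own status-bearing exceptions (404, 405, ...) through
        // unchanged; a mapper for plain Exception would otherwise turn them into 500s.
        if (exception instanceof WebApplicationException) {
            return ((WebApplicationException) exception).getResponse();
        }
        EJBAccessException denied = findCause(exception, EJBAccessException.class);
        if (denied == null) {
            // Not an authorization failure. The exception message is not echoed.
            return Response.serverError().type(MediaType.TEXT_PLAIN).entity("Internal error").build();
        }
        Principal principal = securityContext == null ? null : securityContext.getUserPrincipal();
        return accessDeniedResponse(principal);
    }

    /** 401 when nobody is authenticated, 403 when the caller is known but lacks the role. */
    static Response accessDeniedResponse(Principal principal) {
        if (principal == null) {
            return Response.status(Response.Status.UNAUTHORIZED)
                    .header("WWW-Authenticate", "Basic realm=\"" + REALM + "\"")
                    .type(MediaType.TEXT_PLAIN)
                    .entity("Authentication required")
                    .build();
        }
        return Response.status(Response.Status.FORBIDDEN)
                .type(MediaType.TEXT_PLAIN)
                .entity("Access denied")
                .build();
    }

    /** Returns the first throwable of the given type in t's cause chain, or null. */
    static <T extends Throwable> T findCause(Throwable t, Class<T> type) {
        Throwable current = t;
        for (int depth = 0; current != null && depth < MAX_CAUSE_DEPTH; depth++) {
            if (type.isInstance(current)) {
                return type.cast(current);
            }
            current = current.getCause();
        }
        return null;
    }

    /** Stand-alone check with a constructed exception shaped like the one in the thread. */
    public static void main(String[] args) {
        // Constructed stand-in for RuntimeException -> Fault -> EJBAccessException
        // (a plain RuntimeException replaces the CXF Fault so no CXF jar is needed here).
        Exception wrapped = new RuntimeException(new RuntimeException(
                new EJBAccessException("Unauthorized Access by Principal Denied")));
        System.out.println("found: " + (findCause(wrapped, EJBAccessException.class) != null));
        System.out.println("anonymous caller: " + accessDeniedResponse(null).getStatus());
        Principal matej = new Principal() {
            public String getName() { return "matej"; }
        };
        System.out.println("authenticated caller: " + accessDeniedResponse(matej).getStatus());
    }
}
```

Mapping Exception rather than EJBAccessException is what makes the wrapping irrelevant, but it also means the mapper is consulted for runtime-generated errors, hence the WebApplicationException pass-through at the top. The 401 response only makes sense together with a WWW-Authenticate header that matches the application's actual authentication scheme; adjust or drop that header if the application does not use Basic authentication.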
