Hi, what's the difference with https://git-wip-us.apache.org/repos/asf?p=tomee.git;a=blob;f=server/openejb-cxf-rs/src/test/java/org/apache/openejb/server/cxf/rs/CustomSecurityContextTest.java;h=6129a063007f2f703037fd048f28272ad81c79d6;hb=c5dea27ad20000b83391fc4bdc1b092b358f8c0c ?

Romain Manni-Bucau
@rmannibucau
http://www.tomitribe.com
http://rmannibucau.wordpress.com
https://github.com/rmannibucau

2014-11-11 15:56 GMT+01:00 Alex Soto <[email protected]>:

> Hi,
>
> I am developing an application with JAX-RS 2.0, and for this reason
> currently I am using TomEE 2. I need to implement my own SecurityContext
> based on JWT. I need to implement it on my own because currently I cannot rely
> on any CXF class, because I don't know the final application server yet. But
> anyway, the problem is that I don't know why, but it just doesn't work. Let me
> post a simple example.
>
> @Provider
> public class JWTRequestFilter implements ContainerRequestFilter {
>
>     @Override
>     public void filter(ContainerRequestContext request) throws IOException {
>         String token = request.getHeaderString("x-access-token");
>         try {
>             String username = getUsernameFromToken(token);
>             final User user = getUserByName(username);
>             request.setSecurityContext(new SecurityContext() {
>                 @Override
>                 public boolean isUserInRole(String role) {
>                     return user.isUserInRole(role);
>                 }
>                 @Override
>                 public boolean isSecure() {
>                     return false;
>                 }
>                 @Override
>                 public Principal getUserPrincipal() {
>                     return user;
>                 }
>                 @Override
>                 public String getAuthenticationScheme() {
>                     return SecurityContext.BASIC_AUTH;
>                 }
>             });
>         } catch (ParseException | JOSEException e) {
>             e.printStackTrace();
>         }
>     }
> }
>
> And the endpoint:
>
> @Path("/book")
> @PermitAll
> public class BookResource {
>
>     @GET
>     @Produces(MediaType.TEXT_PLAIN)
>     @RolesAllowed("admin")
>     public String book() {
>         return "book";
>     }
>
>     @GET
>     @Path("article")
>     @Produces(MediaType.TEXT_PLAIN)
>     @RolesAllowed("superadmin")
>     public String article() {
>         return "article";
>     }
> }
>
> I have added two debug breakpoints, the first one just before registering
> the new SecurityContext, and the second one inside SecurityContext in
> method isUserInRole.
>
> The problem is that the first breakpoint is executed but not the second
> one, so the SecurityContext I have implemented is not called and of course
> the endpoints are accessible to any user.
>
> What am I missing?
>
> --
> +----------------------------------------------------------+
> Alex Soto Bueno
> www.lordofthejars.com
> +----------------------------------------------------------+
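A fail-closed variant of the filter quoted above, added here as an example (it is not code from this thread or from TomEE): instead of printing the exception and letting the request continue with no SecurityContext at all, it aborts with 401 when the token is missing or fails verification, and it reports the real transport security rather than a constant. The TokenVerifier and VerifiedToken types are hypothetical stand-ins for the poster's token-parsing helpers, and whether TomEE's @RolesAllowed consults this SecurityContext is a separate question not settled here.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Set;
import javax.annotation.Priority;
import javax.inject.Inject;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;

@Provider
@Priority(Priorities.AUTHENTICATION) // run before any authorization filter
public class FailClosedJwtFilter implements ContainerRequestFilter {

    // Hypothetical collaborator standing in for the poster's token helpers:
    // verify() must check signature and expiry and throw on any failure.
    public interface TokenVerifier {
        VerifiedToken verify(String token) throws SecurityException;
    }

    public interface VerifiedToken {
        String subject();
        Set<String> roles();
    }

    @Inject
    private TokenVerifier verifier;

    @Override
    public void filter(ContainerRequestContext request) throws IOException {
        final String token = request.getHeaderString("x-access-token");
        final VerifiedToken claims;
        try {
            claims = verifier.verify(token == null ? "" : token);
        } catch (SecurityException e) {
            // Missing or invalid token: stop here instead of continuing as an anonymous request.
            request.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                    .header("WWW-Authenticate", "Bearer").build());
            return;
        }
        final boolean secure = request.getSecurityContext() != null && request.getSecurityContext().isSecure();
        final Principal principal = claims::subject; // Principal is a functional interface (getName)
        request.setSecurityContext(new SecurityContext() {
            @Override public boolean isUserInRole(String role) { return claims.roles().contains(role); }
            @Override public boolean isSecure() { return secure; } // reflect the actual transport
            @Override public Principal getUserPrincipal() { return principal; }
            @Override public String getAuthenticationScheme() { return "Bearer"; }
        });
    }
}
```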
