Hi,
Yes that example works but if I do something like
@Path("sc")
public static class Res {
@Context
private SecurityContext sc;
@GET
@RolesAllowed("therole")
public boolean f() {
return sc.isUserInRole("therole");
}
}
Note that in theory when the role is another the f() method should not be
executed, but the reality is that is executed as well. So it seems that
with a custom security context you cannot relay on declarative mode using
annotations.
2014-11-11 16:48 GMT+01:00 Romain Manni-Bucau <[email protected]>:
> Hi
>
> what's the difference with
>
> https://git-wip-us.apache.org/repos/asf?p=tomee.git;a=blob;f=server/openejb-cxf-rs/src/test/java/org/apache/openejb/server/cxf/rs/CustomSecurityContextTest.java;h=6129a063007f2f703037fd048f28272ad81c79d6;hb=c5dea27ad20000b83391fc4bdc1b092b358f8c0c
> ?
>
>
> Romain Manni-Bucau
> @rmannibucau
> http://www.tomitribe.com
> http://rmannibucau.wordpress.com
> https://github.com/rmannibucau
>
>
> 2014-11-11 15:56 GMT+01:00 Alex Soto <[email protected]>:
> > Hi,
> >
> > I am developing an application with JAXRS 2.0, and for this reason
> > currently I am using TomEE2. I need to implement my own SecurityContext
> > based on JWT. I need to implement on my own because currently I cannot
> rely
> > on any CXF class because I don't know the final application server yet.
> But
> > anyway, the problem is that I don't know but it just don't works. Let me
> > post a simple example.
> >
> > @Provider
> > public class JWTRequestFilter implements ContainerRequestFilter {
> >
> > @Override
> > public void filter(ContainerRequestContext request) throws IOException {
> > String token = request.getHeaderString("x-access-token");
> > try {
> > String username = getUsernameFromToken(token);
> > final User user = getUserByName(username);
> > request.setSecurityContext(new SecurityContext() {
> > @Override
> > public boolean isUserInRole(String role) {
> > return user.isUserInRole(role);
> > }
> > @Override
> > public boolean isSecure() {
> > return false;
> > }
> > @Override
> > public Principal getUserPrincipal() {
> > return user;
> > }
> > @Override
> > public String getAuthenticationScheme() {
> > return SecurityContext.BASIC_AUTH;
> > }
> > });
> > } catch (ParseException | JOSEException e) {
> > e.printStackTrace();
> > }
> > }
> > }
> >
> > And the endpoint:
> >
> > @Path("/book")
> > @PermitAll
> > public class BookResource {
> >
> > @GET
> > @Produces(MediaType.TEXT_PLAIN)
> > @RolesAllowed("admin")
> > public String book() {
> > return "book";
> > }
> > @GET
> > @Path("article")
> > @Produces(MediaType.TEXT_PLAIN)
> > @RolesAllowed("superadmin")
> > public String article() {
> > return "article";
> > }
> > }
> >
> > I have added two debug breakpoints, the firstone just before registering
> > the new SecurityContext, and the second one inside SecurityContext in
> > method isUserInRole.
> >
> > The problem is that the first breakpoint is executed but not the second
> > one, so the SecurityContext I have implemented is not called and of
> course
> > the endpoints are accessible for any user.
> >
> > What am I missing?
> >
> > --
> > +----------------------------------------------------------+
> > Alex Soto Bueno
> > www.lordofthejars.com
> > +----------------------------------------------------------+
>
--
+----------------------------------------------------------+
Alex Soto Bueno - Computer Engineer
www.lordofthejars.com
+----------------------------------------------------------+
