hehehe yeah, currently I am implementing the second one. Basically I want to implement a portable solution; the good news is that I can implement this logic, add it to some kind of jaxrs-common project in the company repo, and that's all: everybody just needs to import it to use security.
Maybe this should be something to be faced in the next versions of JAX-RS. I mean, if CDI now implements @Transactional, ... why not JAX-RS as well? Probably there is a reason, but I am sure it is something that a lot of people have run into.

2014-11-12 10:27 GMT+01:00 Romain Manni-Bucau <[email protected]>:

> Oh I forgot. So yes you are on your own except if you use an EJB ;).
>
> Then you have 2 solutions for the impl:
> - cdi interceptor with SecurityContext injected
> - JAXRS filter with priority AUTHORIZATION
>
> Second one will be called before first one but not sure it is a big deal
>
> Romain Manni-Bucau
> @rmannibucau
> http://www.tomitribe.com
> http://rmannibucau.wordpress.com
> https://github.com/rmannibucau
>
> 2014-11-12 10:19 GMT+01:00 Alex Soto <[email protected]>:
>
>> I cannot rely on cxf :(
>>
>> 2014-11-12 10:15 GMT+01:00 Romain Manni-Bucau <[email protected]>:
>>
>>> Don't lose too much time on it ;)
>>> org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor
>>>
>>> 2014-11-12 10:11 GMT+01:00 Alex Soto <[email protected]>:
>>>
>>>> :( I thought that this standard annotation could be used in a standalone
>>>> JAXRS endpoint. Well then I will need to do some kind of interceptor.
>>>>
>>>> 2014-11-12 10:06 GMT+01:00 Romain Manni-Bucau <[email protected]>:
>>>>
>>>>> Well, in your sample @RolesAllowed is ignored since that's not an EJB.
>>>>>
>>>>> 2014-11-12 9:57 GMT+01:00 Alex Soto <[email protected]>:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> Yes that example works but if I do something like
>>>>>>
>>>>>>     @Path("sc")
>>>>>>     public static class Res {
>>>>>>         @Context
>>>>>>         private SecurityContext sc;
>>>>>>
>>>>>>         @GET
>>>>>>         @RolesAllowed("therole")
>>>>>>         public boolean f() {
>>>>>>             return sc.isUserInRole("therole");
>>>>>>         }
>>>>>>     }
>>>>>>
>>>>>> Note that in theory when the role is another one the f() method should
>>>>>> not be executed, but the reality is that it is executed as well. So it
>>>>>> seems that with a custom security context you cannot rely on declarative
>>>>>> mode using annotations.
>>>>>>
>>>>>> 2014-11-11 16:48 GMT+01:00 Romain Manni-Bucau <[email protected]>:
>>>>>>
>>>>>>> Hi
>>>>>>>
>>>>>>> what's the difference with
>>>>>>> https://git-wip-us.apache.org/repos/asf?p=tomee.git;a=blob;f=server/openejb-cxf-rs/src/test/java/org/apache/openejb/server/cxf/rs/CustomSecurityContextTest.java;h=6129a063007f2f703037fd048f28272ad81c79d6;hb=c5dea27ad20000b83391fc4bdc1b092b358f8c0c
>>>>>>> ?
>>>>>>>
>>>>>>> 2014-11-11 15:56 GMT+01:00 Alex Soto <[email protected]>:
>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I am developing an application with JAXRS 2.0, and for this reason
>>>>>>>> currently I am using TomEE2. I need to implement my own SecurityContext
>>>>>>>> based on JWT. I need to implement it on my own because currently I
>>>>>>>> cannot rely on any CXF class, because I don't know the final application
>>>>>>>> server yet. But anyway, the problem is that I don't know why, but it just
>>>>>>>> doesn't work. Let me post a simple example.
>>>>>>>>
>>>>>>>>     @Provider
>>>>>>>>     public class JWTRequestFilter implements ContainerRequestFilter {
>>>>>>>>
>>>>>>>>         @Override
>>>>>>>>         public void filter(ContainerRequestContext request) throws IOException {
>>>>>>>>             String token = request.getHeaderString("x-access-token");
>>>>>>>>             try {
>>>>>>>>                 String username = getUsernameFromToken(token);
>>>>>>>>                 final User user = getUserByName(username);
>>>>>>>>                 request.setSecurityContext(new SecurityContext() {
>>>>>>>>                     @Override
>>>>>>>>                     public boolean isUserInRole(String role) {
>>>>>>>>                         return user.isUserInRole(role);
>>>>>>>>                     }
>>>>>>>>                     @Override
>>>>>>>>                     public boolean isSecure() {
>>>>>>>>                         return false;
>>>>>>>>                     }
>>>>>>>>                     @Override
>>>>>>>>                     public Principal getUserPrincipal() {
>>>>>>>>                         return user;
>>>>>>>>                     }
>>>>>>>>                     @Override
>>>>>>>>                     public String getAuthenticationScheme() {
>>>>>>>>                         return SecurityContext.BASIC_AUTH;
>>>>>>>>                     }
>>>>>>>>                 });
>>>>>>>>             } catch (ParseException | JOSEException e) {
>>>>>>>>                 e.printStackTrace();
>>>>>>>>             }
>>>>>>>>         }
>>>>>>>>     }
>>>>>>>>
>>>>>>>> And the endpoint:
>>>>>>>>
>>>>>>>>     @Path("/book")
>>>>>>>>     @PermitAll
>>>>>>>>     public class BookResource {
>>>>>>>>
>>>>>>>>         @GET
>>>>>>>>         @Produces(MediaType.TEXT_PLAIN)
>>>>>>>>         @RolesAllowed("admin")
>>>>>>>>         public String book() {
>>>>>>>>             return "book";
>>>>>>>>         }
>>>>>>>>
>>>>>>>>         @GET
>>>>>>>>         @Path("article")
>>>>>>>>         @Produces(MediaType.TEXT_PLAIN)
>>>>>>>>         @RolesAllowed("superadmin")
>>>>>>>>         public String article() {
>>>>>>>>             return "article";
>>>>>>>>         }
>>>>>>>>     }
>>>>>>>>
>>>>>>>> I have added two debug breakpoints, the first one just before
>>>>>>>> registering the new SecurityContext, and the second one inside
>>>>>>>> SecurityContext in method isUserInRole.
>>>>>>>>
>>>>>>>> The problem is that the first breakpoint is executed but not the
>>>>>>>> second one, so the SecurityContext I have implemented is not called
>>>>>>>> and of course the endpoints are accessible for any user.
>>>>>>>>
>>>>>>>> What am I missing?
>>>>>>>>
>>>>>>>> --
>>>>>>>> +----------------------------------------------------------+
>>>>>>>> Alex Soto Bueno
>>>>>>>> www.lordofthejars.com
>>>>>>>> +----------------------------------------------------------+

--
+----------------------------------------------------------+
Alex Soto Bueno - Computer Engineer
www.lordofthejars.com
+----------------------------------------------------------+
