I guess it is part of JavaEE 8 scope (making EJB services available to CDI beans) but it is not yet finalized.
Romain Manni-Bucau @rmannibucau http://www.tomitribe.com http://rmannibucau.wordpress.com https://github.com/rmannibucau 2014-11-12 10:32 GMT+01:00 Alex Soto <[email protected]>: > hehehe yeah currently I am implementing the second one. Basically I want to > implement a portable solution, the good news is that I can implement this > logic, add it in some kind of jaxrs-common project in company repo and > that's all everybody needs to import it to use security. > > Maybe this should be something to be faced in next versions of JAXRS. I > mean if CDI implements now @Transactional, ... why not JAXRS as well. > Probably there is a reason but I am sure it is something than a lot of > people have found it. > > 2014-11-12 10:27 GMT+01:00 Romain Manni-Bucau <[email protected]>: > >> Oh I forgot. So yes you are on your own excepted if you use an EJB ;). >> >> Then you have 2 solutions for the impl: >> - cdi interceptor with SecurityContext injected >> - JAXRS filter with priority AUTHORIZATION >> >> Second one will be called before first one but not sure it is a big deal >> >> >> >> Romain Manni-Bucau >> @rmannibucau >> http://www.tomitribe.com >> http://rmannibucau.wordpress.com >> https://github.com/rmannibucau >> >> >> 2014-11-12 10:19 GMT+01:00 Alex Soto <[email protected]>: >> > I cannot relay on cxf :( >> > >> > 2014-11-12 10:15 GMT+01:00 Romain Manni-Bucau <[email protected]>: >> > >> >> Don't loose too much time on it ;) >> >> org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor >> >> >> >> >> >> Romain Manni-Bucau >> >> @rmannibucau >> >> http://www.tomitribe.com >> >> http://rmannibucau.wordpress.com >> >> https://github.com/rmannibucau >> >> >> >> >> >> 2014-11-12 10:11 GMT+01:00 Alex Soto <[email protected]>: >> >> > :( I thought that this standard annotation could be used in standalone >> >> > JAXRS endpoint. Well then I will need to do some kind of interceptor. >> >> > >> >> > 2014-11-12 10:06 GMT+01:00 Romain Manni-Bucau <[email protected] >> >: >> >> > >> >> >> Well, in your sample @RolesAllowed is ignored since that's not an >> EJB. >> >> >> >> >> >> >> >> >> Romain Manni-Bucau >> >> >> @rmannibucau >> >> >> http://www.tomitribe.com >> >> >> http://rmannibucau.wordpress.com >> >> >> https://github.com/rmannibucau >> >> >> >> >> >> >> >> >> 2014-11-12 9:57 GMT+01:00 Alex Soto <[email protected]>: >> >> >> > Hi, >> >> >> > >> >> >> > Yes that example works but if I do something like >> >> >> > >> >> >> > @Path("sc") >> >> >> > public static class Res { >> >> >> > @Context >> >> >> > private SecurityContext sc; >> >> >> > >> >> >> > @GET >> >> >> > @RolesAllowed("therole") >> >> >> > public boolean f() { >> >> >> > return sc.isUserInRole("therole"); >> >> >> > } >> >> >> > } >> >> >> > >> >> >> > Note that in theory when the role is another the f() method should >> >> not be >> >> >> > executed, but the reality is that is executed as well. So it seems >> >> that >> >> >> > with a custom security context you cannot relay on declarative mode >> >> using >> >> >> > annotations. >> >> >> > >> >> >> > 2014-11-11 16:48 GMT+01:00 Romain Manni-Bucau < >> [email protected] >> >> >: >> >> >> > >> >> >> >> Hi >> >> >> >> >> >> >> >> what's the difference with >> >> >> >> >> >> >> >> >> >> >> >> >> >> https://git-wip-us.apache.org/repos/asf?p=tomee.git;a=blob;f=server/openejb-cxf-rs/src/test/java/org/apache/openejb/server/cxf/rs/CustomSecurityContextTest.java;h=6129a063007f2f703037fd048f28272ad81c79d6;hb=c5dea27ad20000b83391fc4bdc1b092b358f8c0c >> >> >> >> ? >> >> >> >> >> >> >> >> >> >> >> >> Romain Manni-Bucau >> >> >> >> @rmannibucau >> >> >> >> http://www.tomitribe.com >> >> >> >> http://rmannibucau.wordpress.com >> >> >> >> https://github.com/rmannibucau >> >> >> >> >> >> >> >> >> >> >> >> 2014-11-11 15:56 GMT+01:00 Alex Soto <[email protected]>: >> >> >> >> > Hi, >> >> >> >> > >> >> >> >> > I am developing an application with JAXRS 2.0, and for this >> reason >> >> >> >> > currently I am using TomEE2. I need to implement my own >> >> >> SecurityContext >> >> >> >> > based on JWT. I need to implement on my own because currently I >> >> cannot >> >> >> >> rely >> >> >> >> > on any CXF class because I don't know the final application >> server >> >> >> yet. >> >> >> >> But >> >> >> >> > anyway, the problem is that I don't know but it just don't >> works. >> >> Let >> >> >> me >> >> >> >> > post a simple example. >> >> >> >> > >> >> >> >> > @Provider >> >> >> >> > public class JWTRequestFilter implements ContainerRequestFilter >> { >> >> >> >> > >> >> >> >> > @Override >> >> >> >> > public void filter(ContainerRequestContext request) throws >> >> >> IOException { >> >> >> >> > String token = request.getHeaderString("x-access-token"); >> >> >> >> > try { >> >> >> >> > String username = getUsernameFromToken(token); >> >> >> >> > final User user = getUserByName(username); >> >> >> >> > request.setSecurityContext(new SecurityContext() { >> >> >> >> > @Override >> >> >> >> > public boolean isUserInRole(String role) { >> >> >> >> > return user.isUserInRole(role); >> >> >> >> > } >> >> >> >> > @Override >> >> >> >> > public boolean isSecure() { >> >> >> >> > return false; >> >> >> >> > } >> >> >> >> > @Override >> >> >> >> > public Principal getUserPrincipal() { >> >> >> >> > return user; >> >> >> >> > } >> >> >> >> > @Override >> >> >> >> > public String getAuthenticationScheme() { >> >> >> >> > return SecurityContext.BASIC_AUTH; >> >> >> >> > } >> >> >> >> > }); >> >> >> >> > } catch (ParseException | JOSEException e) { >> >> >> >> > e.printStackTrace(); >> >> >> >> > } >> >> >> >> > } >> >> >> >> > } >> >> >> >> > >> >> >> >> > And the endpoint: >> >> >> >> > >> >> >> >> > @Path("/book") >> >> >> >> > @PermitAll >> >> >> >> > public class BookResource { >> >> >> >> > >> >> >> >> > @GET >> >> >> >> > @Produces(MediaType.TEXT_PLAIN) >> >> >> >> > @RolesAllowed("admin") >> >> >> >> > public String book() { >> >> >> >> > return "book"; >> >> >> >> > } >> >> >> >> > @GET >> >> >> >> > @Path("article") >> >> >> >> > @Produces(MediaType.TEXT_PLAIN) >> >> >> >> > @RolesAllowed("superadmin") >> >> >> >> > public String article() { >> >> >> >> > return "article"; >> >> >> >> > } >> >> >> >> > } >> >> >> >> > >> >> >> >> > I have added two debug breakpoints, the firstone just before >> >> >> registering >> >> >> >> > the new SecurityContext, and the second one inside >> SecurityContext >> >> in >> >> >> >> > method isUserInRole. >> >> >> >> > >> >> >> >> > The problem is that the first breakpoint is executed but not the >> >> >> second >> >> >> >> > one, so the SecurityContext I have implemented is not called >> and of >> >> >> >> course >> >> >> >> > the endpoints are accessible for any user. >> >> >> >> > >> >> >> >> > What am I missing? >> >> >> >> > >> >> >> >> > -- >> >> >> >> > +----------------------------------------------------------+ >> >> >> >> > Alex Soto Bueno >> >> >> >> > www.lordofthejars.com >> >> >> >> > +----------------------------------------------------------+ >> >> >> >> >> >> >> > >> >> >> > >> >> >> > >> >> >> > -- >> >> >> > +----------------------------------------------------------+ >> >> >> > Alex Soto Bueno - Computer Engineer >> >> >> > www.lordofthejars.com >> >> >> > +----------------------------------------------------------+ >> >> >> >> >> > >> >> > >> >> > >> >> > -- >> >> > +----------------------------------------------------------+ >> >> > Alex Soto Bueno - Computer Engineer >> >> > www.lordofthejars.com >> >> > +----------------------------------------------------------+ >> >> >> > >> > >> > >> > -- >> > +----------------------------------------------------------+ >> > Alex Soto Bueno - Computer Engineer >> > www.lordofthejars.com >> > +----------------------------------------------------------+ >> > > > > -- > +----------------------------------------------------------+ > Alex Soto Bueno - Computer Engineer > www.lordofthejars.com > +----------------------------------------------------------+
