[
https://issues.apache.org/jira/browse/CXF-6317?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14383780#comment-14383780
]
Jostein Gogstad commented on CXF-6317:
--------------------------------------
I agree that accepting a list of objects is the best solution; it requires a
bit more coding than the simple solution of unique ids, but the resulting API
is better to work with.
Our current solution invokes all authorization interceptors on every request,
and it works fine. I expect the same behaviour if you assign unique ids. I
don't know if it's by design or accident, but the
{{SimpleAuthorizingInterceptor}} (superclass) returns an empty map of expected
roles if the targetMethod doesn't match the RBAC map; this causes
{{AbstractAuthorizingInInterceptor}} to pass the request if no "denyRoles" are
present.
In code that translates to:
{code:java|title=SecureAnnotationsInterceptorChain.java}
import java.util.List;

import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;

/**
 * Single PRE_INVOKE interceptor wrapping several SecureAnnotationsInterceptor
 * instances. Only the wrapper is registered with the phase chain, so the
 * per-class id clash never occurs, yet every wrapped interceptor still runs.
 */
public class SecureAnnotationsInterceptorChain extends AbstractPhaseInterceptor<Message> {

    private List<SecureAnnotationsInterceptor> interceptors;

    public SecureAnnotationsInterceptorChain() {
        super(Phase.PRE_INVOKE);
    }

    @Override
    public void handleMessage(Message message) throws Fault {
        // Delegate to each wrapped interceptor in order; the first one that
        // rejects the request throws a Fault and stops the loop.
        for (SecureAnnotationsInterceptor interceptor : interceptors) {
            interceptor.handleMessage(message);
        }
    }

    public List<SecureAnnotationsInterceptor> getInterceptors() {
        return interceptors;
    }

    public void setInterceptors(List<SecureAnnotationsInterceptor> interceptors) {
        this.interceptors = interceptors;
    }
}
{code}
{code:xml|title=blueprint.xml}
<jaxrs:server id="myservice" address="/service">
    <jaxrs:inInterceptors>
        <ref component-id="secureAnnotationsInterceptorChain"/>
    </jaxrs:inInterceptors>
    <jaxrs:serviceBeans>
        <ref component-id="part1WebService"/>
        <ref component-id="part2WebService"/>
    </jaxrs:serviceBeans>
    <jaxrs:providers>
        <ref component-id="authenticationFilter"/>
    </jaxrs:providers>
</jaxrs:server>

<!-- code from description here -->

<bean class="com.example.security.cxf.SecureAnnotationsInterceptorChain"
      id="secureAnnotationsInterceptorChain">
    <property name="interceptors">
        <list>
            <ref component-id="part1AuthorizationInterceptor"/>
            <ref component-id="part2AuthorizationInterceptor"/>
        </list>
    </property>
</bean>
{code}
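An added regression test (not part of this comment or of the CXF project) that pins down the duplicate-id behaviour described in the issue and checks that the chain wrapper above registers once while still carrying both authorization checks. It assumes CXF 2.7.x, JUnit 4, that {{PhaseManagerImpl}} lives in the package shown in the imports, and two hypothetical service classes standing in for the issue's Part1WebService and Part2WebService.

```java
import static org.junit.Assert.assertEquals;
import java.util.Arrays;
import java.util.SortedSet;
import javax.annotation.security.RolesAllowed;
import org.apache.cxf.bus.managers.PhaseManagerImpl; // package location is an assumption for 2.7.x
import org.apache.cxf.interceptor.Interceptor;
import org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.phase.PhaseInterceptorChain;
import org.junit.Test;

public class DuplicateInterceptorIdTest {
    // Hypothetical stand-ins for the Part1WebService / Part2WebService beans in the issue.
    public static class Part1WebService { @RolesAllowed("part1") public String get() { return "p1"; } }
    public static class Part2WebService { @RolesAllowed("part2") public String get() { return "p2"; } }

    private static SecureAnnotationsInterceptor secure(Object serviceBean) {
        SecureAnnotationsInterceptor interceptor = new SecureAnnotationsInterceptor();
        interceptor.setSecuredObject(serviceBean);
        return interceptor;
    }

    // Builds an inbound chain the way CXF does and counts the interceptors that survived.
    private static int countRegistered(Interceptor<? extends Message>... interceptors) {
        SortedSet<Phase> phases = new PhaseManagerImpl().getInPhases();
        PhaseInterceptorChain chain = new PhaseInterceptorChain(phases);
        for (Interceptor<? extends Message> i : interceptors) {
            chain.add(i);
        }
        int count = 0;
        for (Interceptor<? extends Message> i : chain) {
            count++;
        }
        return count;
    }

    @Test
    public void secondInterceptorWithSameIdIsSilentlyDropped() {
        // Both instances carry id getClass().getName(), so PhaseInterceptorChain keeps only
        // the first one: Part2WebService is left without any authorization check.
        assertEquals(1, countRegistered(secure(new Part1WebService()), secure(new Part2WebService())));
    }

    @Test
    public void chainWrapperRegistersOnceButKeepsBothChecks() {
        SecureAnnotationsInterceptorChain wrapper = new SecureAnnotationsInterceptorChain();
        wrapper.setInterceptors(Arrays.asList(secure(new Part1WebService()), secure(new Part2WebService())));
        assertEquals(1, countRegistered(wrapper));
        assertEquals(2, wrapper.getInterceptors().size());
    }
}
```

The first test fails closed only in the sense that it exposes the dropped interceptor; in production the dropped check means requests to the second bean are passed through, which is why a test like this belongs in the build.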
> Authorization not possible with multiple service beans
> ------------------------------------------------------
>
> Key: CXF-6317
> URL: https://issues.apache.org/jira/browse/CXF-6317
> Project: CXF
> Issue Type: Bug
> Components: JAX-RS Security
> Affects Versions: 2.7.15
> Reporter: Jostein Gogstad
>
> Given a jaxrs:server with more than one serviceBean it is not possible to
> secure them both.
> Take the following configuration (it's in blueprint, but it shouldn't matter):
> {code:xml}
> <blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
>            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>            xmlns:jaxrs="http://cxf.apache.org/blueprint/jaxrs"
>            xsi:schemaLocation="http://www.osgi.org/xmlns/blueprint/v1.0.0
>                                http://www.osgi.org/xmlns/blueprint/v1.0.0/blueprint.xsd
>                                http://cxf.apache.org/blueprint/jaxrs
>                                http://cxf.apache.org/schemas/blueprint/jaxrs.xsd">
>     <jaxrs:server id="myservice" address="/service">
>         <jaxrs:inInterceptors>
>             <ref component-id="part1AuthorizationInterceptor"/>
>             <ref component-id="part2AuthorizationInterceptor"/>
>         </jaxrs:inInterceptors>
>         <jaxrs:serviceBeans>
>             <ref component-id="part1WebService"/>
>             <ref component-id="part2WebService"/>
>         </jaxrs:serviceBeans>
>         <jaxrs:providers>
>             <ref component-id="authenticationFilter"/>
>         </jaxrs:providers>
>     </jaxrs:server>
>     <bean id="part1WebService" class="com.example.Part1WebService"/>
>     <bean id="part2WebService" class="com.example.Part2WebService"/>
>
>     <bean id="part1AuthorizationInterceptor"
>           class="org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor">
>         <property name="securedObject" ref="part1WebService"/>
>     </bean>
>     <bean id="part2AuthorizationInterceptor"
>           class="org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor">
>         <property name="securedObject" ref="part2WebService"/>
>     </bean>
> </blueprint>
> {code}
> Since {{org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor}}
> only secures one object, we need two instances, one for each service bean.
> If you walk up the {{SecureAnnotationsInterceptor}} constructor chain, you'll
> end up in
> [org.apache.cxf.phase.AbstractPhaseInterceptor|https://github.com/apache/cxf/blob/cxf-2.7.15/api/src/main/java/org/apache/cxf/phase/AbstractPhaseInterceptor.java#L89-L91]
> (github link), where the interceptor's {{id}} is set to
> {{getClass().getName()}}. So now we have two interceptors with the same id.
> When the interceptor chain is built in
> [org.apache.cxf.phase.PhaseInterceptorChain|https://github.com/apache/cxf/blob/cxf-2.7.15/api/src/main/java/org/apache/cxf/phase/PhaseInterceptorChain.java#L589-L596]
> the second interceptor is ignored since it has the same id as the first one.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)