Unfortunately, when using EJBs, if you override the SecurityContext, this context does not propagate to the EJB security logic.
On 1/9/2014 5:15 AM, adriano.lab...@ti-informatique.com wrote:
> What I want to do is to configure a REST service with basic
> authentication and roles authorization using RESTEasy.
> Currently, I am confused with the security configuration and I hope
> someone can help me.
>
> REST service : http://localhost:8080/xedu-web/rest/course/{1}
> ---------------------------------------------------------------
>
> @Stateless
> @Path("/course")
> @PermitAll
> public class CourseRestService {
>     @EJB
>     private CourseServices service;
>
>     @Inject
>     private ServiceContextServices serviceContextServices;
>
>     @GET
>     @Path("{id}")
>     // @RolesAllowed("users")
>     @Consumes({"application/vnd.ch.xpertline.xedu.data.interfaces+json",
>                "application/json", "application/xml"})
>     @Produces({"application/vnd.ch.xpertline.xedu.data.interfaces+json",
>                "application/json", "application/xml"})
>     public XEDUEICourseSingleResponse find(@PathParam("id") Integer id,
>             @QueryParam("serviceContext") EIServiceContext serviceContext) {
>         try {
>             serviceContextServices.setContext(serviceContext);
>             EISingleResponse<XEDUEICourse> ei = service.findEI(id);
>             return new XEDUEICourseSingleResponse(ei);
>         } catch (ConversionException ce) {
>             throw new BadRequestRestException(ce);
>         } catch (Exception e) {
>             throw new ComponentRestException(e);
>         }
>     }
> }
>
> web.xml
> ---------------------------------------------------------------
>
> <?xml version="1.0" encoding="UTF-8"?>
> <web-app version="3.0"
>          xmlns="http://java.sun.com/xml/ns/javaee"
>          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>          xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
>          http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
>
>     <display-name>xedu-web</display-name>
>
>     <context-param>
>         <param-name>resteasy.scan</param-name>
>         <param-value>true</param-value>
>     </context-param>
>
>     <context-param>
>         <param-name>resteasy.role.based.security</param-name>
>         <param-value>true</param-value>
>     </context-param>
>
>     <context-param>
>         <param-name>resteasy.servlet.mapping.prefix</param-name>
>         <param-value>/rest</param-value>
>     </context-param>
>
>     <listener>
>         <listener-class>org.jboss.resteasy.plugins.server.servlet.ResteasyBootstrap</listener-class>
>     </listener>
>
>     <servlet>
>         <servlet-name>Resteasy</servlet-name>
>         <servlet-class>org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher</servlet-class>
>         <load-on-startup>1</load-on-startup>
>     </servlet>
>
>     <servlet-mapping>
>         <servlet-name>Resteasy</servlet-name>
>         <url-pattern>/rest/*</url-pattern>
>     </servlet-mapping>
> </web-app>
>
>
> Request filter:
> ---------------------------------------------------------------
>
> @Provider
> public class AuthenticationRequestFilter implements ContainerRequestFilter {
>     @Override
>     public void filter(ContainerRequestContext ctx) throws IOException {
>         User user = null;
>
>         try {
>             String[] credentials = readCredentials(ctx);
>             String username = credentials[0];
>             String password = credentials[1];
>             user = authenticate(username, password);
>         } catch (AuthenticationException e) {
>             switch (e.getErrorCode()) {
>                 case 401:
>                     ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
>                     break;
>                 case 403:
>                     ctx.abortWith(Response.status(Response.Status.FORBIDDEN).build());
>                     break;
>             }
>         }
>
>         // Set the custom security context
>         if (user != null)
>             ctx.setSecurityContext(new AppSecurityContext(user, ctx.getUriInfo()));
>     }
>
>     ...
> }
>
> The current (correct) behavior is the following:
> - when I send a request with a valid credential (user1), the request
>   filter authenticates the user and the service returns the resource data.
> - when I send a request without credentials, my request filter returns a
>   401 code.
> - when I send a request with an unknown user, my filter returns a 403 code.
>
> My question is: how to set up authorization on methods based on roles?
> Users and roles are stored in an application database, not on JBoss.
>
> Here's what I did and that did not work:
> - I added the annotation @RolesAllowed("users") on my service method.
> - I set a custom SecurityContext in my request filter that associates
>   the role "users" to the user "user1"
> - I added and set the context-param "resteasy.role.based.security" to
>   true in web.xml.
>
> The resulting behavior is that my filter is never called, and all
> requests result in a 403 code.
> It seems that the role is checked before calling my request filter, so
> that the custom SecurityContext is not yet created.
>
> Lately, I read in the documentation that we must not enable
> "resteasy.role.based.security" if we use EJBs, and that is my case.
> However, I didn't find any example or description about what to do in
> that case.
>
> _______________________________________________
> Resteasy-users mailing list
> Resteasy-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/resteasy-users

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com