Hi Sergey,

I did expect authorization to fail, but the @Secured annotation did not
block unauthorized users.

Thank you for suggesting that I try combining cxf.xml and
applicationContext-security.xml; doing so led me down the proper path.  I
assume there was a problem with scope/context in applying security to beans
defined in a separate config file?

After combining the two config files, I had to add ASM and CGLIB2 jars to my
project (I used cglib-2.1.3; 2.0 did not work for some reason).  I also had
to add an <aop:scoped-proxy/> tag to my secured bean definition and add an
<aop:aspectj-autoproxy> element to my cxf.xml (see below).  I also made a
reference to the bean using instructions I found in the CXF user's guide to
specify the actual serviceClass on my JAX-WS server definition (since using
Spring AOP stuff injects a proxy to the bean, which won't include method
annotations).  I kept the reference to my bean in the JAX-RS server
definition as well, and security now works for both types of service.

If you don't add the <aop:scoped-proxy> and <aop:aspectj-autoproxy> tags,
you'll encounter an error:  "object is not an instance of declaring class."

The only problem I'm noticing right now is that method overloading doesn't
work when using Spring's AOP stuff.  That's not a big deal, though, and
right now I'm just ecstatic that spring-security is working.

Here's the setup that works for me:

------- cxf.xml -------
<jaxws:server id="myService" serviceBean="#myServiceBean" address="/myService"/>
<jaxrs:server id="services" address="/myRSService">
    <jaxrs:serviceBeans>
        <ref bean="myServiceBean" />
    </jaxrs:serviceBeans>
</jaxrs:server>
<!-- bean id must match the serviceBean/ref values used above -->
<bean id="myServiceBean" class="com.company.MyService">
    <aop:scoped-proxy/>
</bean>
<aop:aspectj-autoproxy proxy-target-class="false">
    <aop:include name="proxyInterfaces"/>
</aop:aspectj-autoproxy>

Also, see the Spring AOP stuff at the bottom of this page: 
http://cxf.apache.org/faq.html

Thank you again, Sergey!
 - Dave



Sergey Beryozkin-2 wrote:
> 
> 
> 
> Hi,
> 
> I don't know the answer yet but hopefully I'll know soon enough, as
> I'm going to start working on a cxf jaxrs test/demo with the spring
> security annotations involved.
> 
> Thanks for posting the configuration sample. I have a couple of
> questions:
> 
> - do you expect an authorization failure given that your spring security
> config allows access for ROLE_USER while the @Secured annotation
> permits access only to those in ROLE_ADMINISTRATOR?
> 
> - what happens when you combine both cxf.xml and
> applicationContext-security.xml in a single bean?
> 
> Cheers, Sergey
> 
> 
> -----Original Message-----
> From: dclane [mailto:[EMAIL PROTECTED] 
> Sent: 03 December 2008 23:05
> To: [email protected]
> Subject: Spring Security annotations in CXF?
> 
> 
> I'm attempting to use Spring Security's @Secured method-level annotation in
> my project.  Everything works fine in a sample Spring-only project, but the
> @Secured annotations appear to be ignored in my CXF project (I'm using
> JAX-RS and @Path method-level annotations).
> 
> For now I'm using a form-based login; my authentication provider works
> properly and users are assigned GrantedAuthority roles, but all users are
> able to access my @Secured method/page regardless of their roles.
> 
> I've looked to Spring forums for help, but no luck so far.  Does anything
> look completely off-base?
> 
> ------- cxf.xml -------
> <jaxrs:server id="services" address="/">
>     <jaxrs:serviceBeans>
>         <ref bean="myBean"/>
>     </jaxrs:serviceBeans>
> </jaxrs:server>
> <bean id="myBean" class="com.company.service.MyService"/>
> 
> ------- applicationContext-security.xml -------
> <global-method-security secured-annotations="enabled" jsr250-annotations="enabled"/>
> 
> <http auto-config="true">
>     <intercept-url pattern="/**" access="ROLE_USER"/>
> </http>
> 
> <authentication-provider user-service-ref="myUserDetailsService"/>
> <beans:bean id="myUserDetailsService"
>     class="com.company.service.web.auth.AuthenticationDetailsService"/>
> 
> ------- MyService.java -------
> public class MyService{
>     @GET
>     @Path( "/myService/{id}.xml" )
>     @ProduceMime( "application/xml" )
>     @Secured( "ROLE_ADMINISTRATOR" )
>     public Object getMyObject( @PathParam( "id" ) String codeModuleName ) {
>         // do stuff.
>     }
> }
> 
> Thank you for your time!
>  - Dave
> -- 
> View this message in context:
> http://www.nabble.com/Spring-Security-annotations-in-CXF--tp20823712p20823712.html
> Sent from the cxf-user mailing list archive at Nabble.com.
> 
> 
> 

-- 
View this message in context: 
http://www.nabble.com/Spring-Security-annotations-in-CXF--tp20823712p20838806.html
Sent from the cxf-user mailing list archive at Nabble.com.
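
The proxy behaviour described in the message above, as an added example that is not part of the original post or of CXF or Spring: a plain JDK dynamic proxy stands in for the Spring AOP proxy. The nested `Secured` annotation, the `Service` interface, the `secure` helper and the role set are hypothetical stand-ins constructed for the demonstration.

```java
import java.lang.annotation.*;
import java.lang.reflect.*;
import java.util.Set;

public class ProxyAnnotationDemo {
    // Hypothetical stand-in for Spring Security's @Secured (assumption, not the real class).
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    @interface Secured { String value(); }

    public interface Service { Object getMyObject(String id); }

    public static class MyService implements Service {
        @Secured("ROLE_ADMINISTRATOR")
        public Object getMyObject(String id) { return "object " + id; }
    }

    // Wrap the bean in a JDK interface proxy that enforces @Secured read from the target class.
    static Service secure(Service target, Set<String> callerRoles) {
        InvocationHandler h = (proxy, m, args) -> {
            Method impl = target.getClass().getMethod(m.getName(), m.getParameterTypes());
            Secured s = impl.getAnnotation(Secured.class);
            if (s != null && !callerRoles.contains(s.value()))
                throw new SecurityException("access denied, requires " + s.value());
            return impl.invoke(target, args);
        };
        return (Service) Proxy.newProxyInstance(Service.class.getClassLoader(),
                new Class<?>[] { Service.class }, h);
    }

    public static void main(String[] argv) throws Exception {
        MyService bean = new MyService();
        // 1. Unproxied bean: nothing intercepts the call, so the annotation is inert.
        System.out.println("raw bean:   " + bean.getMyObject("1"));

        // 2. Proxied bean, caller holds only ROLE_USER (constructed): the check runs.
        Service proxied = secure(bean, Set.of("ROLE_USER"));
        try { proxied.getMyObject("1"); }
        catch (SecurityException e) { System.out.println("via proxy:  " + e.getMessage()); }

        // 3. The proxy class implements only the interface; MyService's annotation is not on it.
        Method onProxy = proxied.getClass().getMethod("getMyObject", String.class);
        System.out.println("annotation on proxy: " + onProxy.isAnnotationPresent(Secured.class));

        // 4. A Method looked up on MyService cannot be invoked on the proxy instance.
        Method onImpl = MyService.class.getMethod("getMyObject", String.class);
        try { onImpl.invoke(proxied, "1"); }
        catch (IllegalArgumentException e) { System.out.println("reflective call: " + e.getMessage()); }
    }
}
```

Step 1 corresponds to the ignored annotations in the original question, step 3 to the missing method annotations on the proxy, and step 4 to the reflective-call failure; the exact wording of that exception message varies by JDK version.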
