Hi Dave
I'm ecstatic it works for you too! I'm just perusing the Spring Security docs
at the moment and thinking
how on earth I'm going to write a system test, and then you came in and
told me how things should be done :-), magic!
A few comments/questions:
Hi Sergey,
I did expect authorization to fail, but the @Secured annotation did not
block unauthorized users.
Thank you for suggesting that I try combining cxf.xml and
applicationContext-security.xml; doing so led me down the proper path. I
assume there was a problem with scope/context in applying security to beans
defined in a separate config file?
Possibly - once I have a system test working with the combined configuration, I will give it a try and do
multiple configurations and try to get to the bottom of it...
After combining the two config files, I had to add ASM and CGLIB2 jars to my
project (I used cglib-2.1.3; 2.0 did not work for some reason). I also had
to add an <aop:scoped-proxy/> tag to my secured bean definition and add an
<aop:aspectj-autoproxy> element to my cxf.xml (see below). I also made a
reference to the bean using instructions I found in the CXF user's guide to
specify the actual serviceClass on my JAX-WS server definition (since using
Spring AOP stuff injects a proxy to the bean, which won't include method
annotations). I kept the reference to my bean in the JAX-RS server
definition as well, and security now works for both types of service.
So you're combining both JAXWS and JAXRS... OK. Looks like you have a fairly
advanced service being set up and working, so it's good.
If you don't add the <aop:scoped-proxy> and <aop:aspectj-autoproxy> tags,
you'll encounter an error: "object is not an instance of declaring class."
The only problem I'm noticing right now is that method overloading doesn't
work when using Spring's AOP stuff. That's not a big deal, though, and
right now I'm just ecstatic that spring-security is working.
Is it on a JAXRS or JAXWS invocation path? Can you post some sample Java code for
"myServiceBean", please?
Here's the setup that works for me:
------- cxf.xml -------
<jaxws:server id="myService" serviceBean="#myServiceBean"
              address="/myService"/>
<jaxrs:server id="services" address="/myRSService">
    <jaxrs:serviceBeans>
        <ref bean="myServiceBean" />
    </jaxrs:serviceBeans>
</jaxrs:server>
<bean id="provisioningBean" class="com.company.MyService">
    <aop:scoped-proxy/>
</bean>
Is 'provisioningBean' different to myServiceBean?
Also, see the Spring AOP stuff at the bottom of this page:
http://cxf.apache.org/faq.html
Thank you again, Sergey!
You're welcome and thanks for sharing this configuration with us...
Cheers, Sergey
- Dave
Sergey Beryozkin-2 wrote:
Hi,
I don't know the answer yet but hopefully I'll know soon enough, as
I'm going to start working on a cxf jaxrs test/demo with the spring
security annotations involved.
Thanks for posting the configuration sample. I have a couple of
questions:
- do you expect an authorization failure given that your spring security
config allows an access for ROLE_USER while the @Secured annotation
permits an access only to those in ROLE_ADMINISTRATOR
- what happens when you combine both cxf.xml and
applicationContext-security.xml in a single bean ?
Cheers, Sergey
-----Original Message-----
From: dclane [mailto:[EMAIL PROTECTED]
Sent: 03 December 2008 23:05
To: [email protected]
Subject: Spring Security annotations in CXF?
I'm attempting to use Spring Security's @Secured method-level annotation
in my project. Everything works fine in a sample Spring-only project, but
the @Secured annotations appear to be ignored in my CXF project (I'm using
JAX-RS and @Path method-level annotations).
For now I'm using a form-based login; my authentication provider works
properly and users are assigned GrantedAuthority roles, but all users
are able to access my @Secured method/page regardless of their roles.
I've looked to Spring forums for help, but no luck so far. Does
anything look completely off-base?
------- cxf.xml -------
<jaxrs:server id="services" address="/">
    <jaxrs:serviceBeans>
        <ref bean="myBean"/>
    </jaxrs:serviceBeans>
</jaxrs:server>
<bean id="myBean" class="com.company.service.MyService"/>
------- applicationContext-security.xml -------
<global-method-security secured-annotations="enabled"
                        jsr250-annotations="enabled"/>
<http auto-config="true">
    <intercept-url pattern="/**" access="ROLE_USER"/>
</http>
<authentication-provider user-service-ref="myUserDetailsService"/>
<beans:bean id="myUserDetailsService"
            class="com.company.service.web.auth.AuthenticationDetailsService"/>
------- MyService.java -------
public class MyService {
    @GET
    @Path( "/myService/{id}.xml" )
    @ProduceMime( "application/xml" )
    @Secured( "ROLE_ADMINISTRATOR" )
    public Object getMyObject( @PathParam( "id" ) String codeModuleName ) {
        // do stuff.
    }
}
Thank you for your time!
- Dave
--
View this message in context:
http://www.nabble.com/Spring-Security-annotations-in-CXF--tp20823712p20823712.html
Sent from the cxf-user mailing list archive at Nabble.com.
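
Added example, not part of the thread or of the CXF or Spring code: a plain-Java illustration of the two proxy effects discussed above, namely that a proxy class does not carry the target's method annotations and that a Method taken from the concrete class cannot be invoked on a proxy. It uses a JDK dynamic proxy as the simplest case; the Secured annotation and the Service interface here are hypothetical stand-ins so that no Spring jars are needed.

```java
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;

public class ProxyAnnotationDemo {
    // Stand-in for Spring Security's @Secured (hypothetical, defined locally).
    @Retention(RetentionPolicy.RUNTIME)
    @interface Secured { String value(); }

    // Hypothetical service interface; the thread does not show one for MyService.
    public interface Service { Object getMyObject(String id); }

    public static class MyService implements Service {
        @Secured("ROLE_ADMINISTRATOR")
        public Object getMyObject(String id) { return "object " + id; }
    }

    // True when getMyObject, as declared on the given class, carries @Secured.
    static boolean isSecured(Class<?> type) throws NoSuchMethodException {
        return type.getMethod("getMyObject", String.class).isAnnotationPresent(Secured.class);
    }

    public static void main(String[] args) throws Exception {
        MyService target = new MyService();
        InvocationHandler passThrough = (proxy, method, a) -> method.invoke(target, a);
        Service proxied = (Service) Proxy.newProxyInstance(
                Service.class.getClassLoader(), new Class<?>[] { Service.class }, passThrough);

        // Code that introspects the injected object sees the proxy class only.
        System.out.println("proxy class secured:  " + isSecured(proxied.getClass()));
        // Introspecting the real class, as naming the service class allows, finds it.
        System.out.println("target class secured: " + isSecured(MyService.class));

        // A Method obtained from the concrete class is rejected for the proxy,
        // because the proxy is not an instance of MyService.
        Method concrete = MyService.class.getMethod("getMyObject", String.class);
        try {
            concrete.invoke(proxied, "42");
        } catch (IllegalArgumentException e) {
            System.out.println("invoke on proxy failed: " + e.getMessage());
        }
        // The interface's Method works on the proxy and reaches the target.
        Method viaInterface = Service.class.getMethod("getMyObject", String.class);
        System.out.println("via interface: " + viaInterface.invoke(proxied, "42"));
    }
}
```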