Hi

I'm not a Spring Security practitioner so I'm afraid I cannot be of much help here, perhaps experts like Andreas and others can advise something but you may be better off asking it on the Spring Security forum... One thing that I noticed is that you use URI patterns in the configuration but also @Secured in the actual resource. Can it actually work? I'm not sure about it... Also, I'm assuming you've added a Spring Security filter to the web.xml...

cheers, Sergey

Sergey Beryozkin-2 wrote:

Hi

'Injectable' is a custom interface used by the test and its only purpose
is to ensure a JAXRS context instance (SecurityContext in
this case) is injected properly, given that the actual resource class
(SecureBookStore) is proxified by Spring. For cases like this
one, having a custom utility interface like Injectable IMHO is better than
adding methods like setSecurityContext on the application
interfaces like SecureBookInterface.

cheers, Sergey


Thanks again for your help. I am still not able to get an authenticated user
to pass through a secured method on my webservice. Spring Security is
securing the method, but will not allow a user to enter that method even if
the user is currently logged in with the correct ROLES.

My implementation seems pretty close to the Test example, however, my
'beans.xml' is much simpler and my spring security context is different. I
am posting the cxf config, spring security config and my service bean
interface in hopes that maybe something that I am doing wrong will jump out
at you!

PS: I am passing the Context in to my method as a parameter thinking that is
necessary since Spring creates singleton beans and I need a context per
request. Is that correct?


cxf.xml


<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:jaxrs="http://cxf.apache.org/jaxrs"
       xmlns:cxf="http://cxf.apache.org/core"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans.xsd
           http://cxf.apache.org/jaxrs
           http://cxf.apache.org/schemas/jaxrs.xsd
           http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd">

   <import resource="classpath:META-INF/cxf/cxf.xml"/>
   <import resource="classpath:META-INF/cxf/cxf-extension-jaxrs-binding.xml"/>
   <import resource="classpath:META-INF/cxf/cxf-servlet.xml"/>

   <!-- The service bean -->
   <bean id="gatewayService" class="com.mg.webservice.GatewayServiceImpl">
       <property name="userDao" ref="userDao" />
       <property name="payloadService" ref="payloadService" />
   </bean>

   <jaxrs:server id="cxfgateway" address="/cxfgatewayaddress">
       <jaxrs:serviceBeans>
           <ref bean="gatewayService"/>
       </jaxrs:serviceBeans>
   </jaxrs:server>
</beans>


security.xml


<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">

   <global-method-security secured-annotations="enabled"
       access-decision-manager-ref="accessDecisionManager" />

   <http auto-config="false"
       access-decision-manager-ref="accessDecisionManager"
       access-denied-page="/accessDenied.html"
       entry-point-ref="authenticationProcessingFilterEntryPoint"
       lowercase-comparisons="true"
       session-fixation-protection="migrateSession">

       <intercept-url pattern="/favicon.ico" filters="none"/>
       <intercept-url pattern="/css/*.css" filters="none"/>
       <intercept-url pattern="/audio/*.*" filters="none"/>
       <intercept-url pattern="/images/*.*" filters="none"/>
       <intercept-url pattern="/images/*/*.*" filters="none"/>
       <intercept-url pattern="/js/*.js" filters="none"/>

       ....

       <intercept-url pattern="/**" access="ROLE_USER,ROLE_ADMIN" />

       <logout logout-success-url="/notLoggedIn.htm" logout-url="/mglogout" />
       <anonymous username="guest" granted-authority="ROLE_GUEST" />
       <concurrent-session-control max-sessions="1" />
   </http>

   <authentication-manager alias="authenticationManager"/>

   <authentication-provider user-service-ref="userDao">
       <password-encoder ref="passwordEncoder">
           <salt-source user-property="getId"/>
       </password-encoder>
   </authentication-provider>

   <beans:bean id="passwordEncoder"
       class="org.springframework.security.providers.encoding.Md5PasswordEncoder">
   </beans:bean>

   <beans:bean id="saltSource"
       class="org.springframework.security.providers.dao.salt.ReflectionSaltSource">
       <beans:property name="userPropertyToUse" value="getId"/>
   </beans:bean>

   <beans:bean id="authenticationProcessingFilter"
       class="com.mg.security.mgAuthenticationProcessingFilter">
       <custom-filter position="AUTHENTICATION_PROCESSING_FILTER" />
       <beans:property name="filterProcessesUrl" value="/mglogin" />
       <beans:property name="defaultTargetUrl" value="/loggedIn.htm" />
       <beans:property name="alwaysUseDefaultTargetUrl" value="true" />
       <beans:property name="authenticationFailureUrl" value="/loginfailure.htm" />
       <beans:property name="authenticationManager" ref="authenticationManager" />
       <beans:property name="userSessionDao" ref="userSessionDao" />
       <beans:property name="notificationService" ref="notificationService" />
   </beans:bean>

   <beans:bean id="authenticationProcessingFilterEntryPoint"
       class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
       <beans:property name="loginFormUrl" value="/login.htm" />
       <beans:property name="forceHttps" value="false" />
   </beans:bean>

   <beans:bean id="accessDecisionManager"
       class="org.springframework.security.vote.AffirmativeBased">
       <beans:property name="decisionVoters">
           <beans:list>
               <beans:bean class="org.springframework.security.vote.RoleVoter" />
               <beans:bean class="org.springframework.security.vote.AuthenticatedVoter" />
           </beans:list>
       </beans:property>
   </beans:bean>
</beans:beans>


Service Interface:


@Path("/enter")
@Produces("application/XML")
public interface GatewayService {

   @GET
   @Path("/recentQuestions/{firstResult}")
   public List<Question> getRecentQuestions(@PathParam("firstResult") int firstResult);

   @GET
   @Path("/convo/{nId}/{qId}")
   public ActiveDisplay readConversation(@PathParam("nId") Long nId,
                                         @PathParam("qId") Long qId);

   @GET
   @Path("/payload")
   @Secured({"ROLE_USER","ROLE_ADMIN"})
   public Response makePayload(@Context SecurityContext securityContext,
                               @Context Request request,
                               @Context HttpServletRequest httpServletRequest);

}

--
View this message in context: http://old.nabble.com/Is-it-possible-to-integrate-CXF-JAX-RS-with-Spring-Security-2.0.5---tp27587340p27619097.html
Sent from the cxf-user mailing list archive at Nabble.com.
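
The 'Injectable' point made earlier in the thread, as an added example that is not part of the original messages and is not CXF or Spring code: when the resource sits behind an interface-based proxy, a context setter is only reachable if some interface exposed by the proxy declares it. Assumptions: a plain JDK dynamic proxy stands in for the Spring proxy, the nested SecurityContext is a one-method stand-in for javax.ws.rs.core.SecurityContext, and getBook(), proxy() and inject() are hypothetical names.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Proxy;

public class InjectableProxyDemo {
    // Stand-in for javax.ws.rs.core.SecurityContext (assumption: one method only).
    interface SecurityContext { boolean isUserInRole(String role); }

    // Application interface: business methods only, no context setter.
    interface SecureBookInterface { String getBook(); }

    // Utility interface whose only purpose is to receive the context.
    interface Injectable { void setSecurityContext(SecurityContext sc); }

    static class SecureBookStore implements SecureBookInterface, Injectable {
        private SecurityContext sc;
        public void setSecurityContext(SecurityContext sc) { this.sc = sc; }
        public String getBook() {
            if (sc == null) throw new IllegalStateException("no SecurityContext injected");
            return sc.isUserInRole("ROLE_USER") ? "book" : "denied";
        }
    }

    // JDK dynamic proxy that exposes only the listed interfaces of the target.
    static Object proxy(Object target, Class<?>... ifaces) {
        InvocationHandler h = (p, m, args) -> {
            try { return m.invoke(target, args); }
            catch (InvocationTargetException e) { throw e.getCause(); }
        };
        return Proxy.newProxyInstance(target.getClass().getClassLoader(), ifaces, h);
    }

    // Injection is possible only through an interface the proxy implements.
    static boolean inject(Object resource, SecurityContext sc) {
        if (!(resource instanceof Injectable)) return false;
        ((Injectable) resource).setSecurityContext(sc);
        return true;
    }

    public static void main(String[] args) {
        SecurityContext user = role -> role.equals("ROLE_USER"); // constructed sample caller
        Object narrow = proxy(new SecureBookStore(), SecureBookInterface.class);
        Object wide = proxy(new SecureBookStore(), SecureBookInterface.class, Injectable.class);
        System.out.println("setter reachable, business interface only: " + inject(narrow, user));
        System.out.println("setter reachable, with Injectable: " + inject(wide, user));
        System.out.println("call through proxy: " + ((SecureBookInterface) wide).getBook());
    }
}
```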