On Wed, Feb 17, 2010 at 05:47, johnrock <[email protected]> wrote:
>
>
> Sergey Beryozkin-2 wrote:
>>
>> Hi
>>
>> 'Injectable' is a custom interface used by the test and its only purpose
>> is to ensure a JAXRS context instance (SecurityContext in
>> this case) is injected properly, given that the actual resource class
>> (SecureBookStore) is proxified by Spring. For cases like this
>> one, having a custom utility interface like Injectable IMHO is better than
>> adding methods like setSecurityContext on the application
>> interfaces like SecureBookInterface.
>>
>> cheers, Sergey
>>
>
> Thanks again for your help. I am still not able to get an authenticated user
> to pass through a secured method on my webservice. Spring Security is
> securing the method, but will not allow a user to enter that method even if
> the user is currently logged in with the correct ROLES.
>
> My implementation seems pretty close to the Test example, however, my
> 'beans.xml' is much simpler and my spring security context is different. I
> am posting the cxf config, spring security config and my service bean
> interface in hopes that maybe something that I am doing wrong will jump out
> at you!

I think the best approach to solve this is to increase the log level
for Spring Security and try to understand where the access is denied.

> PS: I am passing the Context in to my method as a parameter thinking that is
> necessary since Spring creates singleton beans and I need a context per
> request. Is that correct?

Note that there are actually three classes called "SecurityContext":
javax.ws.rs.core.SecurityContext, org.apache.cxf.security.SecurityContext and
org.springframework.security.context.SecurityContext. Assuming that your code
refers to javax.ws.rs.core.SecurityContext, this will definitely not work (out
of the box), because CXF knows nothing about Spring Security and so would be
unable to build a javax.ws.rs.core.SecurityContext instance.

Some time ago I wrote a component [1] that translates an
org.springframework.security.context.SecurityContext into an
org.apache.cxf.security.SecurityContext. The JAX-RS front-end will then
translate this into a javax.ws.rs.core.SecurityContext and inject this object
if required. However, the interceptor assumes that the
org.springframework.security.context.SecurityContext object is stored in the
current Exchange. Thus, one would have to implement another interceptor to
retrieve the context from Spring and add it to the current Exchange. With
this, CXF should integrate nicely with Spring Security.

Another option is to use a Spring-specific API, namely SecurityContextHolder.
Note that this does NOT use the singleton pattern, but a thread local, so that
you have a different context per request.

[1] Look for <ssec:cxf-security-context-provider-interceptor> in
http://code.google.com/p/cxf-spring-security/wiki/Documentation

> cxf.xml
>
> <?xml version="1.0" encoding="UTF-8"?>
> <beans xmlns="http://www.springframework.org/schema/beans"
>     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>     xmlns:jaxrs="http://cxf.apache.org/jaxrs"
>     xmlns:cxf="http://cxf.apache.org/core"
>     xsi:schemaLocation="http://www.springframework.org/schema/beans
>         http://www.springframework.org/schema/beans/spring-beans.xsd
>         http://cxf.apache.org/jaxrs
>         http://cxf.apache.org/schemas/jaxrs.xsd
>         http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd">
>
>   <import resource="classpath:META-INF/cxf/cxf.xml"/>
>   <import resource="classpath:META-INF/cxf/cxf-extension-jaxrs-binding.xml"/>
>   <import resource="classpath:META-INF/cxf/cxf-servlet.xml"/>
>
>   <!-- The service bean -->
>   <bean id="gatewayService" class="com.mg.webservice.GatewayServiceImpl">
>     <property name="userDao" ref="userDao" />
>     <property name="payloadService" ref="payloadService" />
>   </bean>
>
>   <jaxrs:server id="cxfgateway" address="/cxfgatewayaddress">
>     <jaxrs:serviceBeans>
>       <ref bean="gatewayService"/>
>     </jaxrs:serviceBeans>
>   </jaxrs:server>
> </beans>
>
>
> security.xml
>
> <beans:beans xmlns="http://www.springframework.org/schema/security"
>     xmlns:beans="http://www.springframework.org/schema/beans"
>     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>     xsi:schemaLocation="http://www.springframework.org/schema/beans
>         http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
>         http://www.springframework.org/schema/security
>         http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">
>
>   <global-method-security secured-annotations="enabled"
>       access-decision-manager-ref="accessDecisionManager" />
>
>   <http auto-config="false"
>       access-decision-manager-ref="accessDecisionManager"
>       access-denied-page="/accessDenied.html"
>       entry-point-ref="authenticationProcessingFilterEntryPoint"
>       lowercase-comparisons="true"
>       session-fixation-protection="migrateSession">
>
>     <intercept-url pattern="/favicon.ico" filters="none"/>
>     <intercept-url pattern="/css/*.css" filters="none"/>
>     <intercept-url pattern="/audio/*.*" filters="none"/>
>     <intercept-url pattern="/images/*.*" filters="none"/>
>     <intercept-url pattern="/images/*/*.*" filters="none"/>
>     <intercept-url pattern="/js/*.js" filters="none"/>
>
>     ....
>
>     <intercept-url pattern="/**" access="ROLE_USER,ROLE_ADMIN" />
>
>     <logout logout-success-url="/notLoggedIn.htm" logout-url="/mglogout" />
>     <anonymous username="guest" granted-authority="ROLE_GUEST" />
>     <concurrent-session-control max-sessions="1" />
>   </http>
>
>   <authentication-manager alias="authenticationManager"/>
>
>   <authentication-provider user-service-ref="userDao">
>     <password-encoder ref="passwordEncoder">
>       <salt-source user-property="getId"/>
>     </password-encoder>
>   </authentication-provider>
>
>   <beans:bean id="passwordEncoder"
>       class="org.springframework.security.providers.encoding.Md5PasswordEncoder">
>   </beans:bean>
>
>   <beans:bean id="saltSource"
>       class="org.springframework.security.providers.dao.salt.ReflectionSaltSource">
>     <beans:property name="userPropertyToUse" value="getId"/>
>   </beans:bean>
>
>   <beans:bean id="authenticationProcessingFilter"
>       class="com.mg.security.mgAuthenticationProcessingFilter">
>     <custom-filter position="AUTHENTICATION_PROCESSING_FILTER" />
>     <beans:property name="filterProcessesUrl" value="/mglogin" />
>     <beans:property name="defaultTargetUrl" value="/loggedIn.htm" />
>     <beans:property name="alwaysUseDefaultTargetUrl" value="true" />
>     <beans:property name="authenticationFailureUrl" value="/loginfailure.htm" />
>     <beans:property name="authenticationManager" ref="authenticationManager" />
>     <beans:property name="userSessionDao" ref="userSessionDao" />
>     <beans:property name="notificationService" ref="notificationService" />
>   </beans:bean>
>
>   <beans:bean id="authenticationProcessingFilterEntryPoint"
>       class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
>     <beans:property name="loginFormUrl" value="/login.htm" />
>     <beans:property name="forceHttps" value="false" />
>   </beans:bean>
>
>   <beans:bean id="accessDecisionManager"
>       class="org.springframework.security.vote.AffirmativeBased">
>     <beans:property name="decisionVoters">
>       <beans:list>
>         <beans:bean class="org.springframework.security.vote.RoleVoter" />
>         <beans:bean class="org.springframework.security.vote.AuthenticatedVoter" />
>       </beans:list>
>     </beans:property>
>   </beans:bean>
> </beans:beans>
>
>
> Service Interface:
>
> @Path("/enter")
> @Produces("application/XML")
> public interface GatewayService {
>
>     @GET
>     @Path("/recentQuestions/{firstResult}")
>     public List<Question> getRecentQuestions(@PathParam("firstResult") int firstResult);
>
>     @GET
>     @Path("/convo/{nId}/{qId}")
>     public ActiveDisplay readConversation(@PathParam("nId") Long nId,
>             @PathParam("qId") Long qId);
>
>     @GET
>     @Path("/payload")
>     @Secured({"ROLE_USER","ROLE_ADMIN"})
>     public Response makePayload(@Context SecurityContext securityContext,
>             @Context Request request, @Context HttpServletRequest httpServletRequest);
>
> }
>
> --
> View this message in context:
> http://old.nabble.com/Is-it-possible-to-integrate-CXF-JAX-RS-with-Spring-Security-2.0.5---tp27587340p27619097.html
> Sent from the cxf-user mailing list archive at Nabble.com.
