I have achieved some goals. I have attached two interceptors to my JAX-RS
server and it worked. I copied a interceptor from Internet and modified it,
the result is:
public class CXFSecurityContextProviderInterceptor extends
AbstractPhaseInterceptor<Message> {
public CXFSecurityContextProviderInterceptor() {
super(Phase.RECEIVE);
}
public void handleMessage(Message message) throws Fault {
final Authentication authentication =
message.getExchange().get(Authentication.class);
if (authentication != null && authentication.isAuthenticated()) {
message.put(SecurityContext.class, new SecurityContext() {
public Principal getUserPrincipal() {
return authentication;
}
public boolean isUserInRole(String role) {
Collection<GrantedAuthority> authorities = authentication.getAuthorities();
if (authorities != null) {
for (GrantedAuthority authority : authorities) {
if (role.equals(authority.getAuthority())) {
return true;
}
}
}
return false;
}
});
}
}
}
Now I realized that 'message' in this case has not an 'Authentication'
class attached in the 'Exchange' attribute of the message. I have read that
I need to add a filter that fulfils this field. I tried to find information
and I'm continuing trying it, but I have not found a solution yet.
It seems so difficult to link Spring Security configuration with CXF!!
This is my simple Spring Security configuration:
<!-- Spring Security -->
<security:global-method-security secured-annotations="enabled" />
<security:http use-expressions="true">
<security:intercept-url pattern="/**" access="ROLE_ADMIN" />
<security:http-basic />
</security:http>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider>
<security:user-service>
<security:user name="admin" password="admin"
authorities="ROLE_ADMIN" />
</security:user-service>
</security:authentication-provider>
</security:authentication-manager>
On 10 April 2013 23:33, Jason Pell <[email protected]> wrote:
> As long as you create a spring SecurityContext in cxf interceptor and add
> it to the spring security holder not sure how that works with jaxrs but in
> jaxws I just add a interceptor after authenticating.
>
> Then you can use the acl stuff as Samuel suggested
> On Apr 11, 2013 4:02 AM, "Samuel Quintana" <[email protected]> wrote:
>
> > I'm not sure but you can use Spring Security ACL, in this case you need
> > filter at classes level, or interfaces from wouy SW.
> >
> > This post<
> >
> http://stackoverflow.com/questions/7481869/spring-security-how-acl-grants-permissions
> > >can
> > help you.
> >
> > Regards.
> >
> >
> > 2013/4/10 Sergey Beryozkin <[email protected]>
> >
> > > Hi, I'm not sure you can link it without having a web application, but
> > > only an embedded Jetty server.
> > > I guess you may want to ask on Spring Security forums how to do, if you
> > > find out something new, let us know please :-)
> > > Sergey
> > >
> > > On 10/04/13 17:27, Julio Carlos Barrera Juez wrote:
> > >
> > >> I am able to attach a filter in a CXF Servlet in a Web Application
> using
> > >> configuration stored in /WEB-INF/web.xml:
> > >>
> > >> ...
> > >>
> > >> <filter>
> > >> <filter-name>**springSecurityFilterChain</**filter-name>
> > >>
> > >> <filter-class>org.**springframework.web.filter.**
> > >> DelegatingFilterProxy</filter-**class>
> > >> </filter>
> > >>
> > >> <filter-mapping>
> > >> <filter-name>**springSecurityFilterChain</**filter-name>
> > >> <url-pattern>/*</url-pattern>
> > >> </filter-mapping>
> > >>
> > >> ...
> > >>
> > >> It allows me to add Spring Security to CXF REST Web Services.
> > >>
> > >> I want to do exactly the same behaviour but in an standalone CXF
> server,
> > >> not in a Web Application (no web.xml at all!). I'm using Spring to
> > >> configure my CXF server:
> > >>
> > >> ...
> > >>
> > >> <jaxrs:server id="helloService" address="/hello">
> > >> <jaxrs:serviceBeans>
> > >> <ref bean="serviceBean" />
> > >> </jaxrs:serviceBeans>
> > >> </jaxrs:server>
> > >> <bean id="serviceBean" class="sec.Hello" />
> > >>
> > >> ...
> > >>
> > >> I don't know how to hook Spring Security to my CXF server. I have not
> > >> found
> > >> any working example or documentation about linking Spring Security and
> > >> CXF.
> > >>
> > >>
> > >
> > >
> >
>
