Hi

If all you need is to enforce RBAC with Spring Security, then IMHO CXF offers a much, much simpler option:

http://cxf.apache.org/docs/security.html#Security-Authorization

Cheers, Sergey
On 12/04/13 14:01, Julio Carlos Barrera Juez wrote:
I have achieved some goals. I have attached two interceptors to my
JAX-RS server and it worked. I copied an interceptor from the Internet and
modified it; the result is:

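import java.security.Principal;
import java.util.Collection;

import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.security.SecurityContext;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;

public class CXFSecurityContextProviderInterceptor extends
        AbstractPhaseInterceptor<Message> {

    public CXFSecurityContextProviderInterceptor() {
        super(Phase.RECEIVE);
    }

    public void handleMessage(Message message) throws Fault {
        // Only present if an earlier interceptor or filter stored it on the exchange.
        final Authentication authentication =
                message.getExchange().get(Authentication.class);
        if (authentication != null && authentication.isAuthenticated()) {
            // Expose the Spring Authentication through CXF's own SecurityContext.
            message.put(SecurityContext.class, new SecurityContext() {
                public Principal getUserPrincipal() {
                    return authentication;
                }

                public boolean isUserInRole(String role) {
                    // Wildcard type compiles against Spring Security 3.0 and 3.1+.
                    Collection<? extends GrantedAuthority> authorities =
                            authentication.getAuthorities();
                    if (authorities != null) {
                        for (GrantedAuthority authority : authorities) {
                            if (role.equals(authority.getAuthority())) {
                                return true;
                            }
                        }
                    }
                    return false;
                }
            });
        }
    }
}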

Now I have realized that 'message' in this case does not have an
'Authentication' class attached in the 'Exchange' attribute of the message.
I have read that I need to add a filter that fills this field. I tried to find
information and I'm still trying, but I have not found a
solution yet.

It seems so difficult to link Spring Security configuration with CXF!!

This is my simple Spring Security configuration:

<!-- Spring Security -->
<security:global-method-security secured-annotations="enabled" />

<security:http use-expressions="true">
    <!-- With use-expressions="true" the access attribute must be a SpEL expression -->
    <security:intercept-url pattern="/**" access="hasRole('ROLE_ADMIN')" />
    <security:http-basic />
</security:http>

<security:authentication-manager alias="authenticationManager">
    <security:authentication-provider>
        <security:user-service>
            <security:user name="admin" password="admin"
                           authorities="ROLE_ADMIN" />
        </security:user-service>
    </security:authentication-provider>
</security:authentication-manager>

On 10 April 2013 23:33, Jason Pell wrote:

    As long as you create a Spring SecurityContext in a CXF interceptor and add
    it to the Spring Security holder. Not sure how that works with JAX-RS, but in
    JAX-WS I just add an interceptor after authenticating.

    Then you can use the ACL stuff as Samuel suggested.
    On Apr 11, 2013 4:02 AM, "Samuel Quintana" wrote:

     > I'm not sure, but you can use Spring Security ACL; in this case you need
     > a filter at the class level, or interfaces from your SW.
     >
     > This post can help you:
     > http://stackoverflow.com/questions/7481869/spring-security-how-acl-grants-permissions
     >
     > Regards.
     >
     >
     > 2013/4/10 Sergey Beryozkin
     >
     > > Hi, I'm not sure you can link it without having a web application, but
     > > only an embedded Jetty server.
     > > I guess you may want to ask on the Spring Security forums how to do it; if you
     > > find out something new, let us know please :-)
     > > Sergey
     > >
     > > On 10/04/13 17:27, Julio Carlos Barrera Juez wrote:
     > >
     > >> I am able to attach a filter in a CXF Servlet in a Web Application using
     > >> configuration stored in /WEB-INF/web.xml:
     > >>
     > >> ...
     > >>
     > >> <filter>
     > >>     <filter-name>springSecurityFilterChain</filter-name>
     > >>     <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
     > >> </filter>
     > >>
     > >> <filter-mapping>
     > >>     <filter-name>springSecurityFilterChain</filter-name>
     > >>     <url-pattern>/*</url-pattern>
     > >> </filter-mapping>
     > >>
     > >> ...
     > >>
     > >> It allows me to add Spring Security to CXF REST Web Services.
     > >>
     > >> I want exactly the same behaviour but in a standalone CXF server,
     > >> not in a Web Application (no web.xml at all!). I'm using Spring to
     > >> configure my CXF server:
     > >>
     > >> ...
     > >>
     > >> <jaxrs:server id="helloService" address="/hello">
     > >> <jaxrs:serviceBeans>
     > >> <ref bean="serviceBean" />
     > >> </jaxrs:serviceBeans>
     > >> </jaxrs:server>
     > >> <bean id="serviceBean" class="sec.Hello" />
     > >>
     > >> ...
     > >>
     > >> I don't know how to hook Spring Security to my CXF server. I have not
     > >> found any working example or documentation about linking Spring
     > >> Security and CXF.
     > >>
     > >>
     > >
     > >
     >

