Sure - please create a patch
Thanks, Sergey
On 17/03/15 04:20, Mark Ford wrote:
You're correct in that it'll work with the lookup-method or the
ApplicationContextAware approach [1]. Neither of these two options are
great. The ApplicationContextAware approach pollutes the source with Spring
and the lookup-method has the air of dark magic to it. I realize the
"proxification" is what's making the Transactional and PreAuthorize work
but changing my services to be abstract classes and specifying a method
name in the Spring config to override is a little unnerving.
Do you think it's worth updating the exiting spring example in CXF to
demonstrate the lookup-method? I'll get around to adding an issue and a
patch for it if you agree.
[1]
http://docs.spring.io/spring/docs/current/spring-framework-reference/htmlsingle/#beans-factory-method-injection
On Mon, Mar 16, 2015 at 5:14 PM, Sergey Beryozkin <[email protected]>
wrote:
I vaguely recall you need to introduce a Spring lookup method property
pointing to a subresource locator method for SpringSecurity to proxify it...
Cheers, Sergey
On 16/03/15 17:57, Mark Ford wrote:
I'm using Spring Security with annotations. I have the following config
enabled in my context:
<sec:global-method-security pre-post-annotations="enabled"/>
As a result, all of my JAX-RS service interfaces annotated with
PreAuthorize pass through Spring Security and all is well. However, I'm
not
able to get the PreAuthorize annotations on my sub-resources to fire. I
suspect that this is because the sub-resources are created on the fly from
their parent resource and thus do not get the benefit of Spring's security
proxy.
CXF-2709 [1] described a very similar issue and is marked as closed but I
don't see an example of how to get this to work. I followed the
CustomJAXRSInvoker [2] example and effectively recreated portions of
Spring
Security in my own custom invoker. While this works, it doesn't seem like
the right approach. It would be great if the spring-security example [3]
was updated slightly to show a security annotation on a sub-resource.
My current workaround is as follows:
- comment out the global-method-security element because the JAXRS Invoker
is going to be doing this work for resource and sub-resources
- configure a custom subclass of JAXRSInvoker as the jaxrs:invoker for the
container
- have the invoker delegate to an instance of a
PreInvocationAuthorizationAdviceVoter in pretty much the same way as is
done in Spring Security.
- this custom invoker will be invoked for every resource *and*
sub-resource.
Thanks in advance for any feedback. Seems like I'm missing something basic
here.
[1] https://issues.apache.org/jira/browse/CXF-2709
[2]
http://svn.apache.org/repos/asf/cxf/trunk/systests/jaxrs/
src/test/java/org/apache/cxf/systest/jaxrs/CustomJAXRSInvoker.java
[3]
http://svn.apache.org/repos/asf/cxf/trunk/distribution/
src/main/release/samples/jax_rs/spring_security/
--
Sergey Beryozkin
Talend Community Coders
http://coders.talend.com/
Blog: http://sberyozkin.blogspot.com
