Hi
It appears OK, the actual configuration. I think the problem is Spring
Security related.
The actual authentication is OK; it is asserting that the authenticated
user is in one of the roles that does not work. Maybe you have an admin user,
in which case it would explain why you have 403 (the configuration below
does not assign an admin role to users).
I've no other ideas...
Cheers, Sergey
On 20/03/15 16:10, Jari Fredriksson wrote:
I have created a RESTful service, and it works OK w/o authentication.
Trying to set up basic auth using Spring Security 3.2.6 on top of that.
The problem is that when I have @Secured the services, the system
always tells me "Forbidden".
For example this service:
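import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import org.springframework.security.access.annotation.Secured;

@Path("/1.0/")
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
public interface WebService
{
    /**
     * Can be used to test the connection and service.
     *
     * @return Response with message: pong
     */
    @GET
    @Path("/ping")
    @Secured({"ROLE_TMR", "ROLE_ADMIN"})
    public Response ping();
}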
will return Forbidden always, and the browser does not request any
credentials. I think something is blocking the basic auth in this setup.
Setup:
Liferay 6.2 on Tomcat 7.2
The security is configured in beans.xml like this:
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:jaxrs="http://cxf.apache.org/jaxrs"
       xmlns:aop="http://www.springframework.org/schema/aop"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans.xsd
           http://www.springframework.org/schema/aop
           http://www.springframework.org/schema/aop/spring-aop.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security-3.2.xsd
           http://cxf.apache.org/jaxrs
           http://cxf.apache.org/schemas/jaxrs.xsd">

    <import resource="classpath:META-INF/cxf/cxf.xml"/>
    <import resource="classpath:META-INF/cxf/cxf-servlet.xml"/>

    <jaxrs:server id="webservice" address="/">
        <jaxrs:serviceBeans>
            <ref bean="webservice10"/>
        </jaxrs:serviceBeans>
        <jaxrs:providers>
            <bean class="fi.dise.ws.SecurityExceptionMapper"/>
            <bean class="com.fasterxml.jackson.jaxrs.json.JacksonJaxbJsonProvider"/>
        </jaxrs:providers>
    </jaxrs:server>

    <bean id="webservice10" class="fi.dise.ws.WebServiceImpl" />

    <!--
    <bean
        class="org.springframework.security.authentication.encoding.Md5PasswordEncoder"
        id="passwordEncoder"/>
    -->

    <security:global-method-security secured-annotations="enabled" />

    <security:http auto-config="true">
        <security:http-basic/>
    </security:http>

    <security:authentication-manager>
        <security:authentication-provider>
            <!-- it is possible to md5 encode these passwords, or use a
                 SQL backed or a custom bean for this. -->
            <!-- <security:password-encoder ref="passwordEncoder"/> -->
            <security:user-service>
                <security:user name="tmr" password="xxxx"
                               authorities="ROLE_TMR"/>
            </security:user-service>
        </security:authentication-provider>
    </security:authentication-manager>
</beans>
Any ideas? The config should be OK, but does not work when the security
is uncommented like this. Could Liferay or Tomcat somehow cause this?
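
Added example (not part of the original thread or of the poster's project): one way to tell "no credentials were processed" apart from "authenticated but missing the role" is to log what the Spring Security context holds at the point where the 403 is produced, for instance from the exception mapper. The class name SecuredAccessDiagnostics and the result labels are hypothetical, and the principals in main are constructed samples.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;

/** Hypothetical diagnostic helper; not part of the poster's project. */
public final class SecuredAccessDiagnostics {

    /** Describes how a @Secured check for the given roles would see the current caller. */
    public static String explain(String... requiredRoles) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null) {
            // Nothing populated the context: typically the Spring Security
            // filter chain did not run for this request.
            return "NO_AUTHENTICATION";
        }
        Set<String> held = new HashSet<String>();
        for (GrantedAuthority a : auth.getAuthorities()) {
            held.add(a.getAuthority());
        }
        if (auth instanceof AnonymousAuthenticationToken) {
            // No credentials were processed, so no role listed in @Secured can match.
            return "ANONYMOUS " + held;
        }
        // With the default RoleVoter, @Secured passes when the caller holds
        // any one of the listed roles.
        Set<String> matched = new HashSet<String>(Arrays.asList(requiredRoles));
        matched.retainAll(held);
        return (matched.isEmpty() ? "AUTHENTICATED_MISSING_ROLE " : "WOULD_PASS ")
                + auth.getName() + " " + held;
    }

    public static void main(String[] args) {
        // Constructed sample principals mirroring the user-service entry in beans.xml.
        SecurityContextHolder.getContext().setAuthentication(new AnonymousAuthenticationToken(
                "key", "anonymousUser", AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS")));
        System.out.println(explain("ROLE_TMR", "ROLE_ADMIN"));
        SecurityContextHolder.getContext().setAuthentication(new UsernamePasswordAuthenticationToken(
                "tmr", "xxxx", AuthorityUtils.createAuthorityList("ROLE_TMR")));
        System.out.println(explain("ROLE_TMR", "ROLE_ADMIN"));
    }
}
```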