Hi
OAuthScopesFilter has to be initialized with either a ref to a bean
containing that method or initialized with a map (method to list of scopes).
Sergey
On 13/01/17 05:33, Nikhil Kakade wrote:
Hi,
I am using Apache cxf OAuth2 for securing my jax-rs APIs. I am using cxf
3.1.5 version. As per described in documentation here
<http://cxf.apache.org/docs/jax-rs-oauth2.html>
starting from Apache cxf 3.1.5 @Scopes can be used for more fined-grained
scope handling. I am successfully able to generate access token for
specific approved scope. when I try to access my API by using this token,
ideally it should not allow me to access API since it has different access
scope mentioned in @Scopes annotation. But its allowing me to access this
API.
This is my API:
@GET@Consumes(MediaType.APPLICATION_JSON)@Produces(MediaType.APPLICATION_JSON)@Path("/exportSheets")@Scopes("testScope1")@ConfidentialClientString
exportSheets(@QueryParam("userId") Integer userId);
This is access token which I am using to access this API
{
"tokenKey": "f2154782f82947318d1fc363e4309fa6",
"tokenType": "Bearer",
"expiresIn": 3600,
"issuedAt": -1,
"parameters": {},
"approvedScope": "read"
}
As you can see, token contains approvedScope as read where API has
testScope1. Even if this scopes are not matching, it's allowing me to
access my API.
This is test configuration I have done for creating server endpoint.
@Bean@DependsOn("cxf")public Server ornateTestAPIs(){
JAXRSServerFactoryBean factory=jaxRSServerFactory();
factory.setAddress("/test");
factory.setServiceBeans(Arrays.asList(testApis));
factory.setProviders(Arrays.asList(jsonProvider(), new
VcAPIExceptionMapper(), oauthRequestFilter(), oauthScopesFilter());
factory.setFeatures(Arrays.asList(swaggerFeature(), timingFeature));
factory.setInInterceptors(
Arrays.<Interceptor<? extends Message>>asList(new
JAXRSBeanValidationInInterceptor()));
factory.setOutInterceptors(
Arrays.<Interceptor<? extends Message>>asList(new
JAXRSBeanValidationOutInterceptor()));
return factory.create();}
public OAuthRequestFilter oauthRequestFilter(){
OAuthRequestFilter requestFilter=new OAuthRequestFilter();
requestFilter.setDataProvider(oAuthDataProviderImpl());
return requestFilter;}public OAuthScopesFilter oauthScopesFilter(){
return new OAuthScopesFilter();}
As you can see, I have added OAuthScopeFilter and OAuthRequestFilter in
providers. This is my pom
<dependency>
<groupId>org.apache.cxf</groupId>
<artifactId>cxf-rt-rs-security-oauth2</artifactId>
<version>3.1.9</version></dependency><dependency>
<groupId>org.apache.cxf</groupId>
<artifactId>cxf-rt-rs-security-cors</artifactId>
<version>3.1.9</version></dependency><dependency>
<groupId>org.apache.cxf</groupId>
<artifactId>cxf-rt-frontend-jaxrs</artifactId>
<version>3.1.5</version></dependency><dependency>
<groupId>org.apache.cxf</groupId>
<artifactId>cxf-rt-rs-service-description</artifactId>
<version>3.1.5</version></dependency>
--
Sergey Beryozkin
Talend Community Coders
http://coders.talend.com/
