Thank you Sergey, it worked for me.

On Fri, Jan 13, 2017 at 11:27 PM, Sergey Beryozkin <[email protected]> wrote:

> Hi
>
> OAuthScopesFilter has to be initialized with either a ref to a bean
> containing that method or initialized with a map (method to list of scopes).
>
> Sergey
>
> On 13/01/17 05:33, Nikhil Kakade wrote:
>
>> Hi,
>>
>> I am using Apache cxf OAuth2 for securing my jax-rs APIs. I am using cxf
>> 3.1.5 version. As described in the documentation here
>> <http://cxf.apache.org/docs/jax-rs-oauth2.html>
>>
>> starting from Apache cxf 3.1.5 @Scopes can be used for more fine-grained
>> scope handling. I am successfully able to generate an access token for a
>> specific approved scope. When I try to access my API by using this token,
>> ideally it should not allow me to access the API since it has a different access
>> scope mentioned in the @Scopes annotation. But it's allowing me to access this
>> API.
>>
>> This is my API:
>>
>>     @GET
>>     @Consumes(MediaType.APPLICATION_JSON)
>>     @Produces(MediaType.APPLICATION_JSON)
>>     @Path("/exportSheets")
>>     @Scopes("testScope1")
>>     @ConfidentialClient
>>     String exportSheets(@QueryParam("userId") Integer userId);
>>
>> This is the access token which I am using to access this API:
>>
>>     {
>>       "tokenKey": "f2154782f82947318d1fc363e4309fa6",
>>       "tokenType": "Bearer",
>>       "expiresIn": 3600,
>>       "issuedAt": -1,
>>       "parameters": {},
>>       "approvedScope": "read"
>>     }
>>
>> As you can see, the token contains approvedScope "read" where the API has
>> testScope1. Even if these scopes are not matching, it's allowing me to
>> access my API.
>>
>> This is the test configuration I have done for creating the server endpoint:
>>
>>     @Bean
>>     @DependsOn("cxf")
>>     public Server ornateTestAPIs() {
>>         JAXRSServerFactoryBean factory = jaxRSServerFactory();
>>         factory.setAddress("/test");
>>         factory.setServiceBeans(Arrays.asList(testApis));
>>         factory.setProviders(Arrays.asList(jsonProvider(), new VcAPIExceptionMapper(),
>>                 oauthRequestFilter(), oauthScopesFilter()));
>>         factory.setFeatures(Arrays.asList(swaggerFeature(), timingFeature));
>>         factory.setInInterceptors(
>>                 Arrays.<Interceptor<? extends Message>>asList(new JAXRSBeanValidationInInterceptor()));
>>         factory.setOutInterceptors(
>>                 Arrays.<Interceptor<? extends Message>>asList(new JAXRSBeanValidationOutInterceptor()));
>>         return factory.create();
>>     }
>>
>>     public OAuthRequestFilter oauthRequestFilter() {
>>         OAuthRequestFilter requestFilter = new OAuthRequestFilter();
>>         requestFilter.setDataProvider(oAuthDataProviderImpl());
>>         return requestFilter;
>>     }
>>
>>     public OAuthScopesFilter oauthScopesFilter() {
>>         return new OAuthScopesFilter();
>>     }
>>
>> As you can see, I have added OAuthScopesFilter and OAuthRequestFilter in the
>> providers. This is my pom:
>>
>>     <dependency>
>>         <groupId>org.apache.cxf</groupId>
>>         <artifactId>cxf-rt-rs-security-oauth2</artifactId>
>>         <version>3.1.9</version>
>>     </dependency>
>>     <dependency>
>>         <groupId>org.apache.cxf</groupId>
>>         <artifactId>cxf-rt-rs-security-cors</artifactId>
>>         <version>3.1.9</version>
>>     </dependency>
>>     <dependency>
>>         <groupId>org.apache.cxf</groupId>
>>         <artifactId>cxf-rt-frontend-jaxrs</artifactId>
>>         <version>3.1.5</version>
>>     </dependency>
>>     <dependency>
>>         <groupId>org.apache.cxf</groupId>
>>         <artifactId>cxf-rt-rs-service-description</artifactId>
>>         <version>3.1.5</version>
>>     </dependency>
>>
>
> --
> Sergey Beryozkin
>
> Talend Community Coders
> http://coders.talend.com/

--
Best regards,
Nikhil Kakade
Software Engineer
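The configuration change Sergey describes, as an added example that is not part of the thread and not code from the CXF project: the poster's no-argument `OAuthScopesFilter` beside a filter that is pointed at the secured bean (so it can read the `@Scopes` annotations) and one that is given an explicit method-to-scopes map. The bean names (`testApis`, `jaxRSServerFactory()`, `oauthRequestFilter()`) are the poster's; the setter names `setSecuredObject(Object)` and `setScopesMap(Map<String, List<String>>)` are as I recall them from the CXF 3.1.x source of `OAuthScopesFilter` and should be checked against the CXF version on the classpath. The security point is that a scopes filter with no secured object and no map has nothing to enforce and fails open, which is exactly the behaviour observed with the `read` token.

```java
// Added example, not from the thread. Assumes the poster's bean names and the
// OAuthScopesFilter setters setSecuredObject(Object) / setScopesMap(Map) as
// found in CXF 3.1.x; verify both against the CXF version you actually use.
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.apache.cxf.endpoint.Server;
import org.apache.cxf.jaxrs.JAXRSServerFactoryBean;
import org.apache.cxf.rs.security.oauth2.filters.OAuthRequestFilter;
import org.apache.cxf.rs.security.oauth2.filters.OAuthScopesFilter;

public class ScopeFilterConfig {

    // The JAX-RS resource bean that declares exportSheets(...) with @Scopes("testScope1").
    private final Object testApis;

    public ScopeFilterConfig(Object testApis) {
        this.testApis = testApis;
    }

    // BEFORE (the thread's version): the filter was never told which class to
    // inspect, so its method-to-scopes map is empty and every request passes,
    // whatever approvedScope the token carries.
    public OAuthScopesFilter unconfiguredScopesFilter() {
        return new OAuthScopesFilter();
    }

    // AFTER, option 1: hand the filter the secured bean. At startup it scans the
    // resource class for @Scopes (and @ConfidentialClient) and builds the map itself.
    public OAuthScopesFilter annotationDrivenScopesFilter() {
        OAuthScopesFilter filter = new OAuthScopesFilter();
        filter.setSecuredObject(testApis);
        return filter;
    }

    // AFTER, option 2: supply the method-name -> required-scopes map explicitly,
    // for resources whose interface cannot carry the annotations.
    public OAuthScopesFilter mapDrivenScopesFilter() {
        Map<String, List<String>> requiredScopes = new HashMap<>();
        requiredScopes.put("exportSheets", Collections.singletonList("testScope1"));
        OAuthScopesFilter filter = new OAuthScopesFilter();
        filter.setScopesMap(requiredScopes);
        return filter;
    }

    // Both filters are registered as providers: OAuthRequestFilter validates the
    // bearer token and exposes its approved scopes on the message, and the
    // scopes filter compares them with the requirement of the matched method.
    public Server server(JAXRSServerFactoryBean factory, OAuthRequestFilter requestFilter) {
        factory.setAddress("/test");
        factory.setServiceBeans(Arrays.asList(testApis));
        factory.setProviders(Arrays.asList(requestFilter, annotationDrivenScopesFilter()));
        return factory.create();
    }
}
```

With either of the "after" variants in place, a request carrying the token whose `approvedScope` is `read` should be rejected for `exportSheets`, which requires `testScope1`; a quick way to confirm the fix is to keep that token and check that the call now fails before reaching the resource method.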
