Hi,


We are currently using the CXF JAXRSServerFactoryBean (Version 2.7.14) to
dynamically create REST endpoints in an OSGi environment (Felix). The
endpoints are secured with BASIC auth using a JAAS Interceptor. Simplified
code snippet:

JAXRSServerFactoryBean sf = new JAXRSServerFactoryBean();
sf.setResourceClasses(CustomerService.class);
sf.setResourceProvider(CustomerService.class,
        new SingletonResourceProvider(new CustomerService()));
sf.setAddress("http://localhost:9000/");
// Point JAAS at the login configuration file
Properties properties = System.getProperties();
properties.setProperty("java.security.auth.login.config",
        "./src/main/java/demo/jaxrs/server/jaas.cfg");
List<Object> providers = (List<Object>) sf.getProviders();
// The JAAS filter checks the BASIC auth credentials on every request
JAASAuthenticationFilter authenticationFilter = new JAASAuthenticationFilter();
authenticationFilter.setContextName("BookLogin");
providers.add(authenticationFilter);
sf.setProviders(providers);
sf.create();

A new requirement is to enable session cookies for this authentication
type. Currently, each request requires a full authentication (user/pw
check). Using session cookies, we would have only one full authentication
at the beginning of a user session and afterwards the session cookie is
used instead (until invalid).

I managed to enable session management by creating a server
programmatically with a spring security filter in place. I used the
following tutorial with some modifications:
https://www.javacodegeeks.com/2014/09/embedded-jetty-and-apache-cxf-secure-rest-services-with-spring-security.html.
Code example (without the custom AppConfig + WebSecurityConfigurerAdapter!):

Server server = new Server(8080);

ServletHolder servletHolder = new ServletHolder(new CXFServlet());
ServletContextHandler context = new ServletContextHandler();
context.setContextPath("/");
context.addServlet(servletHolder, "/rest/*");
context.addEventListener(new ContextLoaderListener());

// Spring context configured from the annotated AppConfig class
context.setInitParameter("contextClass",
        AnnotationConfigWebApplicationContext.class.getName());
context.setInitParameter("contextConfigLocation", AppConfig.class.getName());

// Custom names for the session cookie and the URL path parameter
context.setInitParameter("org.eclipse.jetty.servlet.SessionCookie",
        "MYSESSIONID");
context.setInitParameter(
        "org.eclipse.jetty.servlet.SessionIdPathParameterName", "mysessionid");

// Route every request through the Spring Security filter chain
context.addFilter(new FilterHolder(new DelegatingFilterProxy(
        "springSecurityFilterChain")), "/*", EnumSet.allOf(DispatcherType.class));

HashSessionManager sm = new HashSessionManager();
context.setSessionHandler(new SessionHandler(sm));

server.setHandler(context);
server.start();

Either way would be fine for us as long as we eventually have: (1) Session
Cookies enabled + (2) Dynamic asynchronous REST endpoint creation within a
single server.

Unfortunately, I was not able to make session management + spring security
work for the JAXRSServerFactoryBean approach, nor could I find a way to
dynamically create additional endpoints using the server-based approach.

Can anyone help with this? Further hints on how to proceed with either way
are highly appreciated.

Regards,

Chris
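
Added example, not part of the original post and not CXF or Spring Security code: the "authenticate once, then rely on the session cookie" behaviour described above, written as a plain servlet filter that runs the JAAS "BookLogin" login only when the session carries no authenticated subject. It assumes Java 8+ and registration via context.addFilter(...) on a context that has a SessionHandler, as in the second snippet; the class name JaasSessionFilter and the attribute name "jaas.subject" are hypothetical.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example; class and attribute names are hypothetical. Requires Java 8+.
public class JaasSessionFilter implements Filter {
    private static final String SUBJECT_ATTR = "jaas.subject";
    public void init(FilterConfig cfg) { }
    public void destroy() { }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        HttpSession session = req.getSession(false);
        if (session != null && session.getAttribute(SUBJECT_ATTR) != null) {
            chain.doFilter(rq, rs); // session already authenticated: no user/pw check
            return;
        }
        String header = req.getHeader("Authorization");
        if (header == null || !header.startsWith("Basic ")) { challenge(res); return; }
        try {
            String[] cred = new String(Base64.getDecoder().decode(header.substring(6).trim()),
                    StandardCharsets.UTF_8).split(":", 2);
            if (cred.length != 2) { challenge(res); return; }
            LoginContext lc = new LoginContext("BookLogin", cbs -> { // name from the post
                for (Callback cb : cbs) {
                    if (cb instanceof NameCallback) ((NameCallback) cb).setName(cred[0]);
                    else if (cb instanceof PasswordCallback)
                        ((PasswordCallback) cb).setPassword(cred[1].toCharArray());
                    else throw new UnsupportedCallbackException(cb);
                }
            });
            lc.login(); // throws LoginException on bad credentials
            if (session != null) session.invalidate(); // fresh id after login (session fixation)
            req.getSession(true).setAttribute(SUBJECT_ATTR, lc.getSubject());
        } catch (LoginException | IllegalArgumentException e) {
            challenge(res); // failed login or malformed Base64
            return;
        }
        chain.doFilter(rq, rs);
    }
    private static void challenge(HttpServletResponse res) throws IOException {
        res.setHeader("WWW-Authenticate", "Basic realm=\"rest\"");
        res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }
}
```

Invalidating any pre-login session before storing the subject means an identifier planted before authentication is never promoted to an authenticated one.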
