Injected JAX-RS javax.ws.rs.core.SecurityContext is null even JwtToken validation is successful

Tue, 24 Nov 2020 14:44:45 -0800 

Hi there

I've created the following simple JAX-RS implementation:

@Service
@Configuration
public class ApiServiceImpl implements DefaultApi {

    @Context
    SecurityContext securityContext;

   @Override
   public string sayHi(String name) {
       securityContext.getUserPrincipal()
   }
}


Within the method "sayHi",  I'd like to access the security context. On the one 
hand the standard JAX-RS Security context but also the JWTToken which includes 
claim attributes as well. So, the JWT token validation works fine. It's setup 
like this:

public class CxfSecurityConfig {

    @Autowired
    private Bus bus;

    @Autowired
    private DefaultApi apiService;

    @Bean
    public JwtAccessTokenValidator jwtAccessTokenValidator() {
        return new JwtAccessTokenValidator();
    }

    @Bean
    public OAuthRequestFilter oAuthRequestFilter(JwtAccessTokenValidator 
jwtTokenValidator) {
        final OAuthRequestFilter filter =  new OAuthRequestFilter();
        filter.setTokenValidator(jwtTokenValidator);
        filter.setAudience("urn:myaudience");
        return filter;
    }

   @Bean
    public Server rsServer(OAuthRequestFilter filter) {
        JAXRSServerFactoryBean endpoint = new JAXRSServerFactoryBean();
        endpoint.setBus(bus);

        endpoint.setServiceBeans(Arrays.<Object>asList(apiService));
        endpoint.setProviders(Arrays.<Object>asList(filter));

        Map<String, Object> props = new HashMap<>();
        props.put("rs.security.signature.properties", 
"sts.signature.properties");
        endpoint.setProperties(props);
        return endpoint.create();
    }
}

I have only found the following approach to get security context information:

        Message msg = PhaseInterceptorChain.getCurrentMessage();
        org.apache.cxf.security.SecurityContext sc = 
msg.get(org.apache.cxf.security.SecurityContext.class);

        System.out.println("SecurityContext.UserPrincipal: " + 
sc.getUserPrincipal());  // is null
        OAuthContext oauthContext = msg.getContent(OAuthContext.class);
        System.out.println("OAuthContext.Subject.Login: " + 
oauthContext.getSubject().getLogin());   //shows my user id
        System.out.println("OAuthContext.TokenRequestParts[1]: " + 
oauthContext.getTokenRequestParts()[1]);  //shows the JWT token

The only approach to get the claims of the JWT token is to parse it again like 
this:
        JoseJwtConsumer joseJwtConsumer = new JoseJwtConsumer();
        JwtToken t = 
joseJwtConsumer.getJwtToken(oauthContext.getTokenRequestParts()[1]);


IMHO, this should not be the approach to get this kind of information. What do 
you recommend?

Thanks
Oli

Reply via email to