Hi

Hope https://issues.apache.org/jira/browse/OPENEJB-2064 helps; any
feedback using the snapshot would be welcome!
Romain Manni-Bucau
Twitter: @rmannibucau
Blog: http://rmannibucau.wordpress.com/
LinkedIn: http://fr.linkedin.com/in/rmannibucau
Github: https://github.com/rmannibucau



2013/12/28 Romain Manni-Bucau <[email protected]>:
> I know we have something weird on one @XAll at class level; if you can write
> a unit test I'll try to check.
>
> On 28 Dec 2013 11:09, "Matej" <[email protected]> wrote:
>
>> I implemented the CXF filter. I am pasting the code in case someone needs it. It
>> works great. But I noticed something strange when testing. Maybe a TomEE
>> bug, I don't know.
>>
>> I thought that a method attribute overrides the class attributes. That's
>> how I implemented the filter. Meaning if I set @DenyAll on the class and
>> @AllowAll on the REST method, the method should still be accessible. I am
>> not 100% sure, but that's how I think it works on GF.
>>
>> BR
>>
>> Matej
>>
>>
>>
>>
>> import java.lang.reflect.Method;
>>
>> import javax.annotation.security.DenyAll;
>> import javax.annotation.security.PermitAll;
>> import javax.annotation.security.RolesAllowed;
>> import javax.ws.rs.core.Context;
>> import javax.ws.rs.core.Response;
>> import javax.ws.rs.core.SecurityContext;
>>
>> import org.apache.cxf.jaxrs.ext.RequestHandler;
>> import org.apache.cxf.jaxrs.model.ClassResourceInfo;
>> import org.apache.cxf.jaxrs.model.OperationResourceInfo;
>> import org.apache.cxf.message.Message;
>>
>> /*
>>  * CXF 2.x RequestHandler: runs before the resource method is invoked.
>>  * Returning a Response short-circuits the request; returning null lets
>>  * it continue to the resource method.
>>  */
>> public class AuthorizationRequestHandler implements RequestHandler {
>>
>>     @Context
>>     private SecurityContext securityContext;
>>
>>     @Override
>>     public Response handleRequest(Message msg, ClassResourceInfo cri) {
>>
>>         if (!hasUserAccess(msg, cri)) {
>>             return Response.status(Response.Status.UNAUTHORIZED).build();
>>         }
>>
>>         return null;
>>     }
>>
>>     public boolean hasUserAccess(Message msg, ClassResourceInfo cri) {
>>
>>         /*
>>          * Check method annotations first: a method-level annotation is
>>          * meant to override whatever is declared on the class.
>>          */
>>         Method method =
>>                 msg.getExchange().get(OperationResourceInfo.class).getAnnotatedMethod();
>>         if (method.getAnnotation(DenyAll.class) != null) {
>>             return false;
>>         }
>>
>>         if (method.getAnnotation(PermitAll.class) != null) {
>>             return true;
>>         }
>>
>>         RolesAllowed raMethod = method.getAnnotation(RolesAllowed.class);
>>         if (raMethod != null) {
>>             for (String role : raMethod.value()) {
>>                 if (securityContext.isUserInRole(role)) {
>>                     return true;
>>                 }
>>             }
>>             return false;
>>         }
>>
>>         /*
>>          * No method-level annotation: fall back to the class annotations.
>>          */
>>         Class<?> resourceClass = cri.getResourceClass();
>>         if (resourceClass.getAnnotation(DenyAll.class) != null) {
>>             return false;
>>         }
>>
>>         if (resourceClass.getAnnotation(PermitAll.class) != null) {
>>             return true;
>>         }
>>
>>         RolesAllowed raClass =
>>                 resourceClass.getAnnotation(RolesAllowed.class);
>>         if (raClass != null) {
>>             for (String role : raClass.value()) {
>>                 if (securityContext.isUserInRole(role)) {
>>                     return true;
>>                 }
>>             }
>>             return false;
>>         }
>>
>>         // No annotation anywhere: the resource is unrestricted.
>>         return true;
>>     }
>> }
>>
>>
>> 2013/12/27 Romain Manni-Bucau <[email protected]>
>>
>> > Hmm, I didn't test, but check using Exception what the exact type is;
>> > wrapping sometimes leads to surprises.
>> >
>> > Side note: a filter would work in all cases.
>> > On 27 Dec 2013 21:25, "Matej" <[email protected]> wrote:
>> >
>> > > Hello Romain.
>> > >
>> > > I tried with  something like this:
>> > >
>> > >
>> > > import javax.ejb.EJBAccessException;
>> > > import javax.ws.rs.core.Response;
>> > > import javax.ws.rs.core.Response.Status;
>> > > import javax.ws.rs.ext.ExceptionMapper;
>> > > import javax.ws.rs.ext.Provider;
>> > >
>> > > // Maps the EJB container's access exception to an HTTP response
>> > > // instead of letting it surface as a 500 from the servlet.
>> > > @Provider
>> > > public class EjbAccessExceptionMapper implements
>> > >         ExceptionMapper<EJBAccessException> {
>> > >
>> > >     @Override
>> > >     public Response toResponse(EJBAccessException t) {
>> > >         return Response.status(Status.BAD_REQUEST).entity(t.getMessage()).build();
>> > >     }
>> > > }
>> > >
>> > >
>> > > But I don't think the error message is returned from the REST/CXF
>> > > domain.
>> > >
>> > > javax.servlet.ServletException: Error processing webservice request
>> > >         org.apache.openejb.server.rest.RsServlet.service(RsServlet.java:59)
>> > >         javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
>> > >         org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)
>> > >
>> > > *root cause*
>> > >
>> > > java.lang.RuntimeException: org.apache.cxf.interceptor.Fault: Unauthorized Access by Principal Denied while invoking public javax.ws.rs.core.Response
>> > >         org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserver.onMessage(AbstractFaultChainInitiatorObserver.java:116)
>> > >         org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:322)
>> > >         org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
>> > >         org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:237)
>> > >         org.apache.openejb.server.cxf.rs.CxfRsHttpListener.onMessage(CxfRsHttpListener.java:170)
>> > >         org.apache.openejb.server.rest.RsServlet.service(RsServlet.java:53)
>> > >         javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
>> > >         org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)
>> > >
>> > > *root cause*
>> > >
>> > > org.apache.cxf.interceptor.Fault: Unauthorized Access by Principal Denied while invoking public javax.ws.rs.core.Response.getEmployeeTimesheet(long,long) with params [0, 0].
>> > >         org.apache.cxf.service.invoker.AbstractInvoker.createFault(AbstractInvoker.java:166)
>> > >         org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:140)
>> > >         org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:165)
>> > >         org.apache.openejb.server.cxf.rs.OpenEJBEJBInvoker.invoke(OpenEJBEJBInvoker.java:67)
>> > >         org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:89)
>> > >         org.apache.openejb.server.cxf.rs.AutoJAXRSInvoker.invoke(AutoJAXRSInvoker.java:63)
>> > >         org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:57)
>> > >         org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:93)
>> > >         org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
>> > >         org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
>> > >         org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:237)
>> > >         org.apache.openejb.server.cxf.rs.CxfRsHttpListener.onMessage(CxfRsHttpListener.java:170)
>> > >         org.apache.openejb.server.rest.RsServlet.service(RsServlet.java:53)
>> > >         javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
>> > >         org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)
>> > >
>> > > *root cause*
>> > >
>> > > javax.ejb.EJBAccessException: Unauthorized Access by Principal Denied
>> > >         org.apache.openejb.core.stateless.StatelessContainer.invoke(StatelessContainer.java:158)
>> > >         org.apache.openejb.util.proxy.ProxyEJB$Handler.invoke(ProxyEJB.java:73)
>> > >         sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>> > >         sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>> > >         sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> > >         java.lang.reflect.Method.invoke(Method.java:606)
>> > >         org.apache.openejb.server.cxf.rs.OpenEJBEJBInvoker.performInvocation(OpenEJBEJBInvoker.java:93)
>> > >         org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:96)
>> > >         org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:165)
>> > >         org.apache.openejb.server.cxf.rs.OpenEJBEJBInvoker.invoke(OpenEJBEJBInvoker.java:67)
>> > >         org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:89)
>> > >         org.apache.openejb.server.cxf.rs.AutoJAXRSInvoker.invoke(AutoJAXRSInvoker.java:63)
>> > >         org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:57)
>> > >         org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:93)
>> > >         org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
>> > >         org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
>> > >         org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:237)
>> > >         org.apache.openejb.server.cxf.rs.CxfRsHttpListener.onMessage(CxfRsHttpListener.java:170)
>> > >         org.apache.openejb.server.rest.RsServlet.service(RsServlet.java:53)
>> > >         javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
>> > >         org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)
>> > >
>> > >
>> > >
>> > > 2013/12/27 Romain Manni-Bucau <[email protected]>
>> > >
>> > > > Hi
>> > > >
>> > > > I'd add a custom ExceptionMapper or Filter.
>> > > > On 27 Dec 2013 20:31, "Matej" <[email protected]> wrote:
>> > > >
>> > > > > Hello everyone.
>> > > > >
>> > > > > Does anybody know how to make TomEE/CXF return a forbidden HTTP status
>> > > > > code 401 or 403 instead of this:
>> > > > >
>> > > > > STATUS 500
>> > > > >
>> > > > > java.lang.RuntimeException: org.apache.cxf.interceptor.Fault:
>> > > > > Unauthorized Access by Principal Denied
>> > > > >
>> > > > > I managed to do this in GlassFish using this:
>> > > > >
>> > > > > <init-param>
>> > > > >   <param-name>com.sun.jersey.spi.container.ResourceFilters</param-name>
>> > > > >   <param-value>com.sun.jersey.api.container.filter.RolesAllowedResourceFilterFactory</param-value>
>> > > > > </init-param>
>> > > > >
>> > > > > But TomEE is currently new land for me.
>> > > > >
>> > > > > BR
>> > > > >
>> > > > > Matej
>> > > > >
>> > > >
>> > >
>> >
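A standard JAX-RS 2.0 version of the authorization filter discussed in this thread, added here as an example; it is not code from the thread, from TomEE or from CXF. It assumes a JAX-RS 2.0 runtime (ContainerRequestFilter, ResourceInfo, Priorities), which is newer than the CXF 2.x RequestHandler API the posted filter uses, and it assumes HTTP Basic authentication when it builds the WWW-Authenticate header; the realm name "api" is made up. It applies the JSR-250 precedence the thread is asking about (a method-level annotation overrides the class-level one, so @DenyAll on the class plus @PermitAll on the method lets the method through) and, unlike the posted filter, answers 401 only for anonymous callers and 403 for authenticated callers who lack the role.

```java
import java.lang.reflect.AnnotatedElement;
import java.lang.reflect.Method;

import javax.annotation.Priority;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.ResourceInfo;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;

/**
 * JSR-250 authorization for JAX-RS resources, enforced before the resource
 * method is invoked, so an access refusal is an HTTP status decided here
 * rather than an EJBAccessException surfacing as a 500.
 *
 * Precedence: an annotation on the method overrides any annotation on the
 * class. At one level the three annotations are meant to be mutually
 * exclusive; if a deployment still carries more than one, the most
 * restrictive wins (@DenyAll, then @RolesAllowed, then @PermitAll).
 */
@Provider
@Priority(Priorities.AUTHORIZATION)   // ordered after AUTHENTICATION filters
public class RolesAllowedFilter implements ContainerRequestFilter {

    /** Outcome of resolving the annotations that apply to one request. */
    enum Decision { DENY_ALL, PERMIT_ALL, ROLES }

    @Context
    private ResourceInfo resourceInfo;

    @Override
    public void filter(ContainerRequestContext ctx) {
        Method method = resourceInfo.getResourceMethod();
        Class<?> clazz = resourceInfo.getResourceClass();
        SecurityContext sc = ctx.getSecurityContext();

        AnnotatedElement target = effectiveTarget(method, clazz);
        switch (decide(target)) {
            case PERMIT_ALL:
                return;                             // unrestricted
            case DENY_ALL:
                ctx.abortWith(refuse(sc));          // nobody may call this
                return;
            case ROLES:
                for (String role : target.getAnnotation(RolesAllowed.class).value()) {
                    if (sc != null && sc.isUserInRole(role)) {
                        return;                     // caller holds one of the roles
                    }
                }
                ctx.abortWith(refuse(sc));
                return;
        }
    }

    /** Method annotations take precedence; an unannotated method falls back
     *  to its class. An unannotated class means "no restriction", the same
     *  default the posted filter uses. */
    static AnnotatedElement effectiveTarget(Method method, Class<?> clazz) {
        return hasSecurityAnnotation(method) ? method : clazz;
    }

    static boolean hasSecurityAnnotation(AnnotatedElement e) {
        return e.isAnnotationPresent(DenyAll.class)
            || e.isAnnotationPresent(PermitAll.class)
            || e.isAnnotationPresent(RolesAllowed.class);
    }

    static Decision decide(AnnotatedElement e) {
        if (e.isAnnotationPresent(DenyAll.class)) return Decision.DENY_ALL;
        if (e.isAnnotationPresent(RolesAllowed.class)) return Decision.ROLES;
        return Decision.PERMIT_ALL;                 // @PermitAll or no annotation at all
    }

    /**
     * 401 for an anonymous caller, who may be able to fix the problem by
     * authenticating; 403 for an authenticated caller who simply lacks the
     * role. Answering 401 in both cases tells a logged-in user to log in
     * again, which is what the posted filter does.
     */
    static Response refuse(SecurityContext sc) {
        if (sc == null || sc.getUserPrincipal() == null) {
            return Response.status(Response.Status.UNAUTHORIZED)
                    // assumption: the application uses HTTP Basic; realm is made up
                    .header("WWW-Authenticate", "Basic realm=\"api\"")
                    .build();
        }
        return Response.status(Response.Status.FORBIDDEN).build();
    }
}
```

Register it like any other provider (classpath scanning of @Provider classes, or list it in the Application subclass). One caveat that the stack trace above makes visible: when the resource is also an EJB (StatelessContainer.invoke appears under the CXF invoker), the EJB container enforces the same annotations a second time with its own precedence rules. A filter can only turn a refusal into a clean status before the container is reached; it cannot make the container permit a call that the container's own rules deny, so a method-level @PermitAll under a class-level @DenyAll that the filter lets through can still end as an EJBAccessException, which is worth keeping in mind when testing the snapshot from the JIRA issue at the top of the thread.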
