Hello Romain. I needed some time to compile the source.
Tried to read your changes, but could not understand them 100%.Never-mind:), it seems to be working perfectly. This change will be in the 1.6.1 release? Thank you allot. BR Matej 2013/12/28 Romain Manni-Bucau <[email protected]> > Hi > > Hope https://issues.apache.org/jira/browse/OPENEJB-2064 helps, any > feedback using the snapshot would be welcomed! > Romain Manni-Bucau > Twitter: @rmannibucau > Blog: http://rmannibucau.wordpress.com/ > LinkedIn: http://fr.linkedin.com/in/rmannibucau > Github: https://github.com/rmannibucau > > > > 2013/12/28 Romain Manni-Bucau <[email protected]>: > > I know we have something weird on one @XAll at class level, if you can > write > > a unit test ill try to check > > > > Le 28 déc. 2013 11:09, "Matej" <[email protected]> a écrit : > > > >> Implemented the CXF filter. I am pasting the code if someone needs it. > It > >> works great. But I notice something strange when testing. Maybe a Tomee > >> bug, don't know. > >> > >> I thought that a method Attribute overrides the class attributes. That's > >> how I implemented the filter. Meaning if I set @DenyAll on the class, > and > >> @AllowAll on the REST method, the method should still be accesible. I am > >> not 100% sure, but that's how i think how it works on GF. > >> > >> BR > >> > >> MAtej > >> > >> > >> > >> > >> public class AuthorizationRequestHandler implements RequestHandler { > >> > >> @Context > >> private SecurityContext securityContext; > >> > >> @Override > >> public Response handleRequest(Message msg, ClassResourceInfo cri) { > >> > >> if (!hasUserAccess(msg, cri)) { > >> return > Response.status(Response.Status.UNAUTHORIZED).build(); > >> } > >> > >> return null; > >> } > >> > >> public boolean hasUserAccess(Message msg, ClassResourceInfo cri) { > >> > >> /* > >> * Check method attributes > >> */ > >> Method method = > >> msg.getExchange().get(OperationResourceInfo.class).getAnnotatedMethod(); > >> if (method.getAnnotation(DenyAll.class) != null) { > >> return false; > >> } > >> > >> if (method.getAnnotation(PermitAll.class) != null) { > >> return true; > >> } > >> > >> RolesAllowed raMethod = > method.getAnnotation(RolesAllowed.class); > >> if (raMethod != null) { > >> for (String role : raMethod.value()) { > >> if (securityContext.isUserInRole(role)) { > >> return true; > >> } > >> } > >> return false; > >> } > >> /* > >> * Check class attributes > >> */ > >> Class<?> resourceClass = cri.getResourceClass(); > >> if (resourceClass.getAnnotation(DenyAll.class) != null) { > >> return false; > >> } > >> > >> if (resourceClass.getAnnotation(PermitAll.class) != null) { > >> return true; > >> } > >> > >> RolesAllowed raClass = > >> resourceClass.getAnnotation(RolesAllowed.class); > >> if (raClass != null) { > >> for (String role : raClass.value()) { > >> if (securityContext.isUserInRole(role)) { > >> return true; > >> } > >> } > >> return false; > >> } > >> return true; > >> } > >> } > >> > >> > >> 2013/12/27 Romain Manni-Bucau <[email protected]> > >> > >> > Hmm, i didnt test but check using Exception what's the exact type, > >> > wrapping > >> > sometimes leads to surprises. > >> > > >> > Side note: a filter would work in all cases. > >> > Le 27 déc. 2013 21:25, "Matej" <[email protected]> a écrit : > >> > > >> > > Hello Romain. > >> > > > >> > > I tried with something like this: > >> > > > >> > > > >> > > @Provider > >> > > public class EjbAccessExceptionMapper implements > >> > > ExceptionMapper<EJBAccessException> { > >> > > > >> > > @Override > >> > > public Response toResponse(EJBAccessException t) { > >> > > return > >> > > Response.status(Status.BAD_REQUEST).entity(t.getMessage()).build(); > >> > > } > >> > > } > >> > > > >> > > > >> > > But I don't tnik the Error message is returned from the REST /CXF > >> > > domain. > >> > > > >> > > javax.servlet.ServletException: Error processing webservice request > >> > > > >> > org.apache.openejb.server.rest.RsServlet.service(RsServlet.java:59) > >> > > javax.servlet.http.HttpServlet.service(HttpServlet.java:728) > >> > > > >> > > > org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51) > >> > > > >> > > *root cause* > >> > > > >> > > java.lang.RuntimeException: org.apache.cxf.interceptor.Fault: > >> > > Unauthorized Access by Principal Denied while invoking public > >> > > javax.ws.rs.core.Response > >> > > > >> > > > >> > > >> > > org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserver.onMessage(AbstractFaultChainInitiatorObserver.java:116) > >> > > > >> > > > >> > > >> > > org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:322) > >> > > > >> > > > >> > > >> > > org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) > >> > > > >> > > > >> > > >> > > org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:237) > >> > > > >> > > > >> > > >> > > org.apache.openejb.server.cxf.rs.CxfRsHttpListener.onMessage(CxfRsHttpListener.java:170) > >> > > > >> > org.apache.openejb.server.rest.RsServlet.service(RsServlet.java:53) > >> > > javax.servlet.http.HttpServlet.service(HttpServlet.java:728) > >> > > > >> > > > org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51) > >> > > > >> > > *root cause* > >> > > > >> > > org.apache.cxf.interceptor.Fault: Unauthorized Access by Principal > >> > > Denied while invoking public > >> > > javax.ws.rs.core.Response.getEmployeeTimesheet(long,long) with > params > >> > > [0, 0]. > >> > > > >> > > > >> > > >> > > org.apache.cxf.service.invoker.AbstractInvoker.createFault(AbstractInvoker.java:166) > >> > > > >> > > > >> > > >> > > org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:140) > >> > > > >> > > org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:165) > >> > > > >> > > > >> > > >> > > org.apache.openejb.server.cxf.rs.OpenEJBEJBInvoker.invoke(OpenEJBEJBInvoker.java:67) > >> > > > org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:89) > >> > > > >> > > > >> > > >> > > org.apache.openejb.server.cxf.rs.AutoJAXRSInvoker.invoke(AutoJAXRSInvoker.java:63) > >> > > > >> > > > >> > > >> > > org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:57) > >> > > > >> > > > >> > > >> > > org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:93) > >> > > > >> > > > >> > > >> > > org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262) > >> > > > >> > > > >> > > >> > > org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) > >> > > > >> > > > >> > > >> > > org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:237) > >> > > > >> > > > >> > > >> > > org.apache.openejb.server.cxf.rs.CxfRsHttpListener.onMessage(CxfRsHttpListener.java:170) > >> > > > >> > org.apache.openejb.server.rest.RsServlet.service(RsServlet.java:53) > >> > > javax.servlet.http.HttpServlet.service(HttpServlet.java:728) > >> > > > >> > > > org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51) > >> > > > >> > > *root cause* > >> > > > >> > > javax.ejb.EJBAccessException: Unauthorized Access by Principal > Denied > >> > > > >> > > > >> > > >> > > org.apache.openejb.core.stateless.StatelessContainer.invoke(StatelessContainer.java:158) > >> > > > >> > > > >> > > > org.apache.openejb.util.proxy.ProxyEJB$Handler.invoke(ProxyEJB.java:73) > >> > > sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > >> > > > >> > > > >> > > >> > > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) > >> > > > >> > > > >> > > >> > > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > >> > > java.lang.reflect.Method.invoke(Method.java:606) > >> > > > >> > > > >> > > >> > > org.apache.openejb.server.cxf.rs.OpenEJBEJBInvoker.performInvocation(OpenEJBEJBInvoker.java:93) > >> > > > >> > > > >> > > >> > > org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:96) > >> > > > >> > > org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:165) > >> > > > >> > > > >> > > >> > > org.apache.openejb.server.cxf.rs.OpenEJBEJBInvoker.invoke(OpenEJBEJBInvoker.java:67) > >> > > > org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:89) > >> > > > >> > > > >> > > >> > > org.apache.openejb.server.cxf.rs.AutoJAXRSInvoker.invoke(AutoJAXRSInvoker.java:63) > >> > > > >> > > > >> > > >> > > org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:57) > >> > > > >> > > > >> > > >> > > org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:93) > >> > > > >> > > > >> > > >> > > org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262) > >> > > > >> > > > >> > > >> > > org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) > >> > > > >> > > > >> > > >> > > org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:237) > >> > > > >> > > > >> > > >> > > org.apache.openejb.server.cxf.rs.CxfRsHttpListener.onMessage(CxfRsHttpListener.java:170) > >> > > > >> > org.apache.openejb.server.rest.RsServlet.service(RsServlet.java:53) > >> > > javax.servlet.http.HttpServlet.service(HttpServlet.java:728) > >> > > > >> > > > org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51) > >> > > > >> > > > >> > > > >> > > 2013/12/27 Romain Manni-Bucau <[email protected]> > >> > > > >> > > > Hi > >> > > > > >> > > > I'd add a custom ExceptionMapper or Filter. > >> > > > Le 27 déc. 2013 20:31, "Matej" <[email protected]> a écrit : > >> > > > > >> > > > > Hello everyone. > >> > > > > > >> > > > > Anybody knows how to make Tomee/cxf return a forbidden HTTP > status > >> > code > >> > > > 401 > >> > > > > or 403 instead of this: > >> > > > > > >> > > > > STATUS 500 > >> > > > > > >> > > > > java.lang.RuntimeException: org.apache.cxf.interceptor.Fault: > >> > > > > Unauthorized Access by Principal Denied > >> > > > > > >> > > > > I manage to do this in glassfish using this: > >> > > > > > >> > > > > <init-param> > >> > > > > > >> > > > > > >> > > > > > <param-name>com.sun.jersey.spi.container.ResourceFilters</param-name> > >> > > > > > >> > > > > > >> > > > > >> > > > >> > > >> > > <param-value>com.sun.jersey.api.container.filter.RolesAllowedResourceFilterFactory</param-value> > >> > > > > </init-param> > >> > > > > > >> > > > > But Tomee is currently new-land for me. > >> > > > > > >> > > > > BR > >> > > > > > >> > > > > Matej > >> > > > > > >> > > > > >> > > > >> > >
