Well, in your sample @RolesAllowed is ignored since that's not an EJB.

Romain Manni-Bucau
@rmannibucau
http://www.tomitribe.com
http://rmannibucau.wordpress.com
https://github.com/rmannibucau


2014-11-12 9:57 GMT+01:00 Alex Soto <[email protected]>:
> Hi,
>
> Yes that example works but if I do something like
>
>     @Path("sc")
>     public static class Res {
>         @Context
>         private SecurityContext sc;
>
>         @GET
>         @RolesAllowed("therole")
>         public boolean f() {
>             return sc.isUserInRole("therole");
>         }
>     }
>
> Note that in theory when the role is another the f() method should not be
> executed, but the reality is that it is executed as well. So it seems that
> with a custom security context you cannot rely on declarative mode using
> annotations.
>
> 2014-11-11 16:48 GMT+01:00 Romain Manni-Bucau <[email protected]>:
>
>> Hi
>>
>> what's the difference with
>>
>> https://git-wip-us.apache.org/repos/asf?p=tomee.git;a=blob;f=server/openejb-cxf-rs/src/test/java/org/apache/openejb/server/cxf/rs/CustomSecurityContextTest.java;h=6129a063007f2f703037fd048f28272ad81c79d6;hb=c5dea27ad20000b83391fc4bdc1b092b358f8c0c
>> ?
>>
>>
>> Romain Manni-Bucau
>> @rmannibucau
>> http://www.tomitribe.com
>> http://rmannibucau.wordpress.com
>> https://github.com/rmannibucau
>>
>>
>> 2014-11-11 15:56 GMT+01:00 Alex Soto <[email protected]>:
>> > Hi,
>> >
>> > I am developing an application with JAX-RS 2.0, and for this reason
>> > currently I am using TomEE2. I need to implement my own SecurityContext
>> > based on JWT. I need to implement it on my own because currently I cannot
>> > rely on any CXF class because I don't know the final application server yet.
>> > But anyway, the problem is that I don't know why, but it just doesn't work.
>> > Let me post a simple example.
>> >
>> >     @Provider
>> >     public class JWTRequestFilter implements ContainerRequestFilter {
>> >
>> >         @Override
>> >         public void filter(ContainerRequestContext request) throws IOException {
>> >             String token = request.getHeaderString("x-access-token");
>> >             try {
>> >                 String username = getUsernameFromToken(token);
>> >                 final User user = getUserByName(username);
>> >                 request.setSecurityContext(new SecurityContext() {
>> >                     @Override
>> >                     public boolean isUserInRole(String role) {
>> >                         return user.isUserInRole(role);
>> >                     }
>> >                     @Override
>> >                     public boolean isSecure() {
>> >                         return false;
>> >                     }
>> >                     @Override
>> >                     public Principal getUserPrincipal() {
>> >                         return user;
>> >                     }
>> >                     @Override
>> >                     public String getAuthenticationScheme() {
>> >                         return SecurityContext.BASIC_AUTH;
>> >                     }
>> >                 });
>> >             } catch (ParseException | JOSEException e) {
>> >                 e.printStackTrace();
>> >             }
>> >         }
>> >     }
>> >
>> > And the endpoint:
>> >
>> >     @Path("/book")
>> >     @PermitAll
>> >     public class BookResource {
>> >
>> >         @GET
>> >         @Produces(MediaType.TEXT_PLAIN)
>> >         @RolesAllowed("admin")
>> >         public String book() {
>> >             return "book";
>> >         }
>> >
>> >         @GET
>> >         @Path("article")
>> >         @Produces(MediaType.TEXT_PLAIN)
>> >         @RolesAllowed("superadmin")
>> >         public String article() {
>> >             return "article";
>> >         }
>> >     }
>> >
>> > I have added two debug breakpoints, the first one just before registering
>> > the new SecurityContext, and the second one inside SecurityContext in
>> > method isUserInRole.
>> >
>> > The problem is that the first breakpoint is executed but not the second
>> > one, so the SecurityContext I have implemented is not called and of course
>> > the endpoints are accessible for any user.
>> >
>> > What am I missing?
>> >
>> > --
>> > +----------------------------------------------------------+
>> > Alex Soto Bueno
>> > www.lordofthejars.com
>> > +----------------------------------------------------------+
>
>
>
> --
> +----------------------------------------------------------+
> Alex Soto Bueno - Computer Engineer
> www.lordofthejars.com
> +----------------------------------------------------------+
