CXF-6317

Authorization not possible with multiple service beans

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.7.15
    • Fix Version/s: 3.1, 2.7.16, 3.0.5
    • Component/s: JAX-RS Security
    • Labels:
      None
    • Estimated Complexity:
      Unknown

      Description

      Given a jaxrs:server with more than one serviceBean, it is not possible to secure them both.

      Take the following configuration (it's in blueprint, but it shouldn't matter):

      <blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                 xmlns:jaxrs="http://cxf.apache.org/blueprint/jaxrs"
                 xsi:schemaLocation="http://www.osgi.org/xmlns/blueprint/v1.0.0 http://www.osgi.org/xmlns/blueprint/v1.0.0/blueprint.xsd
                 http://cxf.apache.org/blueprint/jaxrs http://cxf.apache.org/schemas/blueprint/jaxrs.xsd">
      
          <jaxrs:server id="myservice" address="/service">
              <jaxrs:inInterceptors>
                  <ref component-id="part1AuthorizationInterceptor"/>
                  <ref component-id="part2AuthorizationInterceptor"/>
              </jaxrs:inInterceptors>
              <jaxrs:serviceBeans>
                  <ref component-id="part1WebService"/>
                  <ref component-id="part2WebService"/>
              </jaxrs:serviceBeans>
              <jaxrs:providers>
                  <ref component-id="authenticationFilter"/>
              </jaxrs:providers>
          </jaxrs:server>
      
          <bean id="part1WebService" class="com.example.Part1WebService"/>
      
          <bean id="part2WebService" class="com.example.Part2WebService"/>
          
          <bean id="part1AuthorizationInterceptor" class="org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor">
              <property name="securedObject" ref="part1WebService"/>
          </bean>
      
          <bean id="part2AuthorizationInterceptor" class="org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor">
              <property name="securedObject" ref="part2WebService"/>
          </bean>
      
      </blueprint>
      

      Since org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor only secures one object, we need two instances, one for each service bean.

      If you walk up the SecureAnnotationsInterceptor constructor chain, you'll end up in org.apache.cxf.phase.AbstractPhaseInterceptor (github link), where the interceptor's id is set to getClass().getName(). So now we have two interceptors with the same id. When the interceptor chain is built in org.apache.cxf.phase.PhaseInterceptorChain, the second interceptor is ignored since it has the same id as the first one.
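
The id collision described above, as a simplified model with a startup check that lists service beans left without an authorization interceptor. This is an added example, not CXF source code and not part of the original report; `AuthzInterceptor`, `buildChain` and `unprotectedBeans` are hypothetical names, and the ids `authz-part1` and `authz-part2` are constructed values.

```java
import java.util.*;

// Simplified model of the reported behaviour; NOT CXF source. All names are hypothetical.
public class DuplicateInterceptorIdDemo {

    /** Stand-in for an authorization interceptor bound to one secured object. */
    static final class AuthzInterceptor {
        final String id;
        final String securedBean;
        AuthzInterceptor(String securedBean, String id) {
            this.securedBean = securedBean;
            // Default mirrors the report: id falls back to getClass().getName().
            this.id = (id != null) ? id : getClass().getName();
        }
    }

    /** Builds a chain that silently skips any interceptor whose id is already present. */
    static List<AuthzInterceptor> buildChain(List<AuthzInterceptor> configured) {
        Map<String, AuthzInterceptor> byId = new LinkedHashMap<>();
        for (AuthzInterceptor i : configured) {
            byId.putIfAbsent(i.id, i); // second interceptor with the same id is ignored
        }
        return new ArrayList<>(byId.values());
    }

    /** Startup check: service beans that no interceptor in the effective chain secures. */
    static Set<String> unprotectedBeans(List<String> beans, List<AuthzInterceptor> chain) {
        Set<String> missing = new LinkedHashSet<>(beans);
        for (AuthzInterceptor i : chain) {
            missing.remove(i.securedBean);
        }
        return missing;
    }

    public static void main(String[] args) {
        List<String> beans = List.of("part1WebService", "part2WebService");
        // Configuration from the report: two instances, both with the default id.
        List<AuthzInterceptor> dflt = List.of(
            new AuthzInterceptor("part1WebService", null),
            new AuthzInterceptor("part2WebService", null));
        System.out.println("default ids, unprotected: " + unprotectedBeans(beans, buildChain(dflt)));

        // Same configuration with distinct ids (constructed values).
        List<AuthzInterceptor> uniq = List.of(
            new AuthzInterceptor("part1WebService", "authz-part1"),
            new AuthzInterceptor("part2WebService", "authz-part2"));
        System.out.println("unique ids, unprotected:  " + unprotectedBeans(beans, buildChain(uniq)));
    }
}
```

Comparing the configured interceptors against the effective chain in this way surfaces a silently dropped authorization interceptor before any request reaches the unsecured bean.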

            People

            • Assignee:
              sergey_beryozkin Sergey Beryozkin
              Reporter:
              jgogstad Jostein Gogstad