CXF / CXF-6317

Authorization not possible with multiple service beans


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.7.15
    • Fix Version/s: 3.1, 2.7.16, 3.0.5
    • Component/s: JAX-RS Security
    • Labels: None
    • Estimated Complexity: Unknown

    Description

      Given a jaxrs:server with more than one serviceBean it is not possible to secure them both.

      Take the following configuration (it's in blueprint, but it shouldn't matter):

      <blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                 xmlns:jaxrs="http://cxf.apache.org/blueprint/jaxrs"
                 xsi:schemaLocation="http://www.osgi.org/xmlns/blueprint/v1.0.0 http://www.osgi.org/xmlns/blueprint/v1.0.0/blueprint.xsd
                 http://cxf.apache.org/blueprint/jaxrs http://cxf.apache.org/schemas/blueprint/jaxrs.xsd">
      
          <jaxrs:server id="myservice" address="/service">
              <jaxrs:inInterceptors>
                  <ref component-id="part1AuthorizationInterceptor"/>
                  <ref component-id="part2AuthorizationInterceptor"/>
              </jaxrs:inInterceptors>
              <jaxrs:serviceBeans>
                  <ref component-id="part1WebService"/>
                  <ref component-id="part2WebService"/>
              </jaxrs:serviceBeans>
              <jaxrs:providers>
                  <ref component-id="authenticationFilter"/>
              </jaxrs:providers>
          </jaxrs:server>
      
          <bean id="part1WebService" class="com.example.Part1WebService"/>
      
          <bean id="part2WebService" class="com.example.Part2WebService"/>
          
          <bean id="part1AuthorizationInterceptor" class="org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor">
              <property name="securedObject" ref="part1WebService"/>
          </bean>
      
          <bean id="part2AuthorizationInterceptor" class="org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor">
              <property name="securedObject" ref="part2WebService"/>
          </bean>
      
      </blueprint>
      

      Since org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor only secures one object, we need two instances, one for each service bean.

      If you walk up SecureAnnotationsInterceptor's constructor chain, you'll end up in org.apache.cxf.phase.AbstractPhaseInterceptor (github link), where the interceptor's id is set to getClass().getName(). So now we have two interceptors with the same id. When the interceptor chain is built in org.apache.cxf.phase.PhaseInterceptorChain, the second interceptor is ignored since it has the same id as the first one.
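
      The effect described above, as an added example that is not part of the original report and is not CXF source: a simplified plain-Java model of id-based chain building, with a check that lists service beans left without an authorization interceptor. The class names, the explicit ids `authz-part1`/`authz-part2` and the idea of supplying a distinct id are assumptions made for illustration; the report does not say how the fix was implemented.

```java
import java.util.*;

// Simplified model of the behaviour described in this report; not CXF source.
public class DuplicateInterceptorIdDemo {

    // Hypothetical stand-in for an authorization interceptor bound to one secured bean.
    static class AuthzInterceptor {
        final String id;
        final String securedBean;

        // Mirrors the reported default: the id is the class name unless one is supplied.
        AuthzInterceptor(String securedBean, String explicitId) {
            this.securedBean = securedBean;
            this.id = explicitId != null ? explicitId : getClass().getName();
        }
    }

    // Chain building as reported: an interceptor whose id is already present is skipped.
    static List<AuthzInterceptor> buildChain(List<AuthzInterceptor> configured) {
        Set<String> seen = new HashSet<>();
        List<AuthzInterceptor> chain = new ArrayList<>();
        for (AuthzInterceptor i : configured) {
            if (seen.add(i.id)) chain.add(i);
        }
        return chain;
    }

    // Defensive check: service beans with no authorization interceptor left in the chain.
    static Set<String> unprotected(List<String> beans, List<AuthzInterceptor> chain) {
        Set<String> open = new TreeSet<>(beans);
        for (AuthzInterceptor i : chain) open.remove(i.securedBean);
        return open;
    }

    public static void main(String[] args) {
        // Bean names taken from the blueprint configuration in the report.
        List<String> beans = List.of("part1WebService", "part2WebService");

        List<AuthzInterceptor> sameId = List.of(
            new AuthzInterceptor("part1WebService", null),
            new AuthzInterceptor("part2WebService", null));
        System.out.println("default ids -> unprotected: " + unprotected(beans, buildChain(sameId)));

        // Constructed ids (assumption): distinct ids keep both interceptors in the chain.
        List<AuthzInterceptor> uniqueIds = List.of(
            new AuthzInterceptor("part1WebService", "authz-part1"),
            new AuthzInterceptor("part2WebService", "authz-part2"));
        System.out.println("unique ids  -> unprotected: " + unprotected(beans, buildChain(uniqueIds)));
    }
}
```

      The same kind of check can be run at startup against a real endpoint by comparing the ids of the configured interceptors with those that ended up in the chain, so a silently dropped authorization interceptor is caught before requests are served.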

          People

            Assignee: Sergey Beryozkin (sergey_beryozkin)
            Reporter: Jostein Gogstad (jgogstad)