How to secure multiple endpoints with SecureAnnotationsInterceptor (Apache CXF)?


I am using Apache CXF and I'd like to use the SecureAnnotationsInterceptor to secure my endpoint with the @RolesAllowed annotation.

As far as I understand, I have to tell the interceptor which object to protect by passing the reference to the setSecuredObject method.

Unfortunately, the code isn't designed to handle a list of beans.

I am then wondering how to secure multiple endpoints with this interceptor.

Do I have to create my own version of this interceptor, or create multiple instances of it (one per endpoint to secure), or something else?


There are 2 answers

Ahmed M Farghali (BEST ANSWER)

I don't know if you have found an answer. For me, I have modified this interceptor's setSecuredObject method as follows:

// These two methods live in a copy (or subclass) of
// org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor.
// The parent's LOG field is private, so a subclass needs its own java.util.logging.Logger.
import java.util.HashMap;
import java.util.Map;
import java.util.logging.Level;
import org.apache.cxf.common.util.ClassHelper;

// Scan every bean into one shared roles map and hand the result to the parent
// (SimpleAuthorizingInterceptor.setMethodRolesMap), which keys entries by method name.
public void setSecuredObjectsList(Object[] objects) {
    Map<String, String> rolesMap = new HashMap<String, String>();
    for (Object o : objects) {
        setSecuredObject(o, rolesMap);
    }
    super.setMethodRolesMap(rolesMap);
}

// Overload of the original setSecuredObject(Object): collect the @RolesAllowed
// mappings of a single bean (unwrapping proxies via ClassHelper) into the given map.
public void setSecuredObject(Object object, Map<String, String> rolesMap) {
    Class<?> cls = ClassHelper.getRealClass(object);
    findRoles(cls, rolesMap);
    if (rolesMap.isEmpty()) {
        LOG.warning("The roles map is empty, the service object is not protected");
    } else if (LOG.isLoggable(Level.FINE)) {
        for (Map.Entry<String, String> entry : rolesMap.entrySet()) {
            LOG.fine("Method: " + entry.getKey() + ", roles: " + entry.getValue());
        }
    }
}
andre

Sorry that this is an answer, as I don't have enough rep to comment on Ahmed M Farghali's answer. With the above implementation we ran into an issue where we annotated the interfaces with @RolesAllowed but not all the endpoints were being secured. Turns out that findRoles() will inspect the superclass if rolesMap is empty. On the first run this happens correctly, but since rolesMap is re-used, the other services won't be secured. We fixed this by changing the setSecuredObject method to:

// Replacement for the setSecuredObject(Object, Map) overload above: each bean is scanned
// into its own empty map, so findRoles() still walks superclasses and interfaces for
// every bean, and only afterwards are the results merged into the shared map.
public void setSecuredObject(Object object, Map<String, String> rolesMap) {
    Class<?> cls = ClassHelper.getRealClass(object);
    Map<String, String> instanceRoleMap = new HashMap<>();
    findRoles(cls, instanceRoleMap);
    if (instanceRoleMap.isEmpty()) {
        LOG.warning("The roles map is empty, the service object is not protected");
    } else if (LOG.isLoggable(Level.FINE)) {
        for (Map.Entry<String, String> entry : instanceRoleMap.entrySet()) {
            LOG.fine("Method: " + entry.getKey() + ", roles: " + entry.getValue());
        }
    }
    rolesMap.putAll(instanceRoleMap);
}
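A complete subclass combining both answers, as an added example (not code from either answer or from CXF itself): it scans each bean into a fresh map, merges the results, and refuses conflicting entries, because the merged map the parent consumes is keyed by bare method name. The class name, and the bookService/orderService/factory names in the wiring comment, are this example's own assumptions.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.logging.Logger;

import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.common.util.ClassHelper;
import org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor;

/** Hypothetical name: one interceptor protecting several @RolesAllowed-annotated beans. */
public class MultiBeanSecureAnnotationsInterceptor extends SecureAnnotationsInterceptor {

    private static final Logger LOG =
        LogUtils.getL7dLogger(MultiBeanSecureAnnotationsInterceptor.class);

    public void setSecuredObjects(Object... services) {
        Map<String, String> merged = new HashMap<>();
        for (Object service : services) {
            // Fresh map per bean: findRoles() only descends into superclasses and
            // interfaces while the map it is handed is still empty, so a shared map
            // would leave every bean after the first unprotected.
            Map<String, String> perBean = new HashMap<>();
            findRoles(ClassHelper.getRealClass(service), perBean);
            if (perBean.isEmpty()) {
                LOG.warning("No @RolesAllowed found on " + service.getClass().getName()
                    + "; this bean is NOT protected");
                continue;
            }
            for (Map.Entry<String, String> e : perBean.entrySet()) {
                String previous = merged.put(e.getKey(), e.getValue());
                // The merged map is keyed by bare method name only, so two beans exposing
                // the same method name with different roles would silently override each
                // other. Fail fast instead of deploying the wrong access rule.
                if (previous != null && !previous.equals(e.getValue())) {
                    throw new IllegalStateException("Conflicting roles for method '"
                        + e.getKey() + "': " + previous + " vs " + e.getValue());
                }
            }
        }
        setMethodRolesMap(merged);
    }

    // Wiring sketch (bookService, orderService and factory are placeholders):
    //   MultiBeanSecureAnnotationsInterceptor in = new MultiBeanSecureAnnotationsInterceptor();
    //   in.setSecuredObjects(bookService, orderService);
    //   factory.getInInterceptors().add(in);
}
```

Check the merged map at startup (enable FINE logging on the interceptor, or inspect it in a test) for every endpoint you expect to be protected, since a bean without any discovered roles is only logged, not rejected.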