Red Hat Fuse
ENTESB-4578

Strange authorization issue with CXF SimpleAuthorizingInterceptor


Details

    • Bug
    • Resolution: Done
    • Major
    • jboss-fuse-6.2
    • jboss-fuse-6.1
    • CXF

    Description

      I have a camel-cxfrs rsServer endpoint configured as

      <camelcxf:rsServer id="rsServer" address="http://localhost:9080/CxfRsRouterTest/route"
                         serviceClass="org.apache.camel.component.cxf.jaxrs.testbean.CustomerService"
                         loggingFeatureEnabled="true">
          <camelcxf:providers>
              <ref component-id="authenticationFilter" />
              <ref component-id="authorizationFilter" />
          </camelcxf:providers>
      </camelcxf:rsServer>
      

      where "authenticationFilter" and "authorizationFilter" are configured as:

      <bean id="authenticationFilter" class="org.apache.cxf.jaxrs.security.JAASAuthenticationFilter">
          <property name="contextName" value="karaf" />
      </bean>

      <bean id="authorizationInterceptor" class="org.apache.cxf.interceptor.security.SimpleAuthorizingInterceptor">
          <property name="methodRolesMap">
              <map>
                  <entry key="getCustomer" value="LeoETMF" />
              </map>
          </property>
      </bean>

      <bean id="authorizationFilter" class="org.apache.cxf.jaxrs.security.SimpleAuthorizingFilter">
          <property name="interceptor" ref="authorizationInterceptor"/>
      </bean>
      

      In my JBoss Fuse 6.1 (with R3 patch) container's "etc/users.properties" file, I have the following users configured:

      admin=admin,admin
      etmfservice-d=admin,LeoETMF
      etmfservice-q=admin,LeoETMF
      

      From the SoapUI client, if I configured HTTP Basic Authentication using the user "etmfservice-d", the REST request
      http://localhost:9080/CxfRsRouterTest/route/customerservice/customers/123
      worked fine and the user was properly authenticated and authorised. I got a 200 back with the following XML response:

      <Response xmlns="http://localhost/CxfRsRouterTest/route/customerservice/customers/123">
         <Customer>
            <id>123</id>
            <name>John</name>
         </Customer>
      </Response>
      

      However, if I use the user "etmfservice-q", configure HTTP Basic Authentication from the SoapUI client and invoke the REST service, I get a "403 Forbidden" back since the SimpleAuthorizingFilter does not authorise it.

      In my opinion, both users "etmfservice-d" and "etmfservice-q" should be authorised by the SimpleAuthorizingFilter since they both have the same role "LeoETMF".
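As an added check (not part of this issue, nor CXF or Fuse code), the script below parses the users.properties lines quoted in the report and evaluates the methodRolesMap from the authorizationInterceptor bean against them, listing which users hold a role that should let them call getCustomer. The `_g_:` group syntax and the whitespace-separated multi-role values are assumptions about Karaf's and CXF's formats, not taken from this page.

```python
from typing import Dict, List, Set

# Constructed sample reproducing the etc/users.properties lines from the report
USERS_PROPERTIES = """\
admin=admin,admin
etmfservice-d=admin,LeoETMF
etmfservice-q=admin,LeoETMF
"""
# Same mapping as the SimpleAuthorizingInterceptor bean in the report
METHOD_ROLES_MAP = {"getCustomer": "LeoETMF"}


def parse_users_properties(text: str) -> Dict[str, Set[str]]:
    """Return user -> effective role set for Karaf lines of the form
    user=password,role1,role2.  Lines _g_:name=role,... declare a group
    and a user entry may list _g_:name to inherit it (assumed syntax)."""
    groups: Dict[str, Set[str]] = {}
    raw: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        fields = [f.strip() for f in value.split(",") if f.strip()]
        if key.startswith("_g_:"):
            groups[key.strip()] = set(fields)  # group lines carry no password
        else:
            raw[key.strip()] = fields[1:]      # first field is the password
    users: Dict[str, Set[str]] = {}
    for user, entries in raw.items():
        roles: Set[str] = set()
        for entry in entries:
            if entry.startswith("_g_:"):
                roles |= groups.get(entry, set())  # unknown group grants nothing
            else:
                roles.add(entry)
        users[user] = roles
    return users


def authorized_users(users: Dict[str, Set[str]], method: str,
                     roles_map: Dict[str, str]) -> List[str]:
    """Users holding at least one role listed for `method`.  Assumes CXF's
    methodRolesMap semantics: whitespace-separated roles, any one sufficient.
    Methods missing from the map yield no users here."""
    required = set(roles_map.get(method, "").split())
    return sorted(user for user, roles in users.items() if roles & required)


if __name__ == "__main__":
    users = parse_users_properties(USERS_PROPERTIES)
    print(authorized_users(users, "getCustomer", METHOD_ROLES_MAP))
```

Run against the report's data it lists both etmfservice-d and etmfservice-q, which is the outcome the reporter expected; a 403 for one of them therefore points at how roles are resolved at runtime, not at the configuration.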


          People

            yfang@redhat.com Freeman(Yue) Fang
            rhn-support-qluo Joe Luo