using security annotations (e.g. @RolesAllowed, @DenyAll)


using security annotations (e.g. @RolesAllowed, @DenyAll)

Cameron Dalton

Good morning,

I’m just starting with some JAX-RS using Apache Wink in my project, and I’m having trouble with the security annotations.

I’m trying to use a @RolesAllowed annotation on a method to restrict access to only users in those roles.  However, users not in those roles are able to invoke the method as well.  I checked the request’s isUserInRole from inside the method by injecting the request and invoking request.isUserInRole myself and that behaves as expected, while the @RolesAllowed annotation does not.  Furthermore, I changed the @RolesAllowed annotation to @DenyAll and STILL all users are able to invoke the method – in my mind, that last test takes out any variables concerning the request and the isUserInRole method and points squarely to something I’m doing wrong with the Apache Wink setup or the annotations.

What could I be doing wrong?  What is missing?  I have secured the URL pattern /* in web.xml by restricting it to all authenticated users.  Here’s my method signature with the annotations:

        @GET
        @DenyAll
        @Produces({ MediaType.APPLICATION_JSON })
        public List<InboxField> getCasesBySearch(@Context HttpServletRequest request, @PathParam("keywords") String keywords) { ...

Thank you so much for your help.

Cameron

Thrift sample for wink

Ali, Haneef

Hi,

In the code, I saw ThriftProvider.  Do you have any sample using Thrift with wink?  Any pointers will be helpful.

Thanks,

Haneef

Re: Thrift sample for wink

Raymond Feng
Hi,

You can find the example from the src/test folder under wind-thrift-provider.

Thanks,
Raymond 
________________________________________________________________ 
Raymond Feng
[hidden email]
Apache Tuscany PMC member and committer: tuscany.apache.org
Co-author of Tuscany SCA In Action book: www.tuscanyinaction.com
Personal Web Site: www.enjoyjava.com
________________________________________________________________

On Jul 22, 2011, at 10:18 AM, Ali, Haneef wrote:

Re: using security annotations (e.g. @RolesAllowed, @DenyAll)

Bryant Luk
In reply to this post by Cameron Dalton
Wink as-is does not have a handler for JSR-250 annotations. You can
create a request handler to do this if you want. The request handler
can look at all the annotations available on a method. Patches would
be welcome too.

On Fri, Jul 22, 2011 at 9:41 AM, Cameron Dalton
<[hidden email]> wrote:

RE: using security annotations (e.g. @RolesAllowed, @DenyAll)

Cameron Dalton
Bryant,

Thanks for the tip!  I implemented a request handler, and after lots of searching I was finally able to locate the target method so I could look up the annotations.  (If anyone cares, that's MessageContext > SearchResult (via MessageContext's attributes) MethodRecord > MethodMetadata > Method).

Now, I'm struggling with how to get a 403 Forbidden response back to the client when necessary based on the method's JSR-250 annotation.  I haven't been able to find a javax.ws.rs.core.Response anywhere in the MessageContext.

MessageContext does provide setResponseStatusCode() and setResponseEntity(), however calling setResponseStatusCode(403) does not impact the response I receive at the client; I still get a 200 OK response.  I can look up the HttpServletResponse from the MessageContext and set the status code directly using HttpServletResponse.setStatus() and that works fine, however it just seems...wrong.  Shouldn't I be setting or updating a javax.ws.rs.core.Response somewhere which will later be mapped to the HttpServletResponse?  I'm worried that if I update HttpServletResponse directly, especially this early in the entire process (user request handlers), then that's sort of breaking the paradigm and something else may overwrite what I do to the HttpServletResponse.

Any ideas on the "right" way to set or update the Response from a request handler?

Thanks again for the help.

Cameron


-----Original Message-----
From: Bryant Luk [mailto:[hidden email]]
Sent: Monday, July 25, 2011 4:39 PM
To: [hidden email]
Subject: Re: using security annotations (e.g. @RolesAllowed, @DenyAll)

Re: using security annotations (e.g. @RolesAllowed, @DenyAll)

Bryant Luk
context.setResponseEntity(Response.status(Response.Status.FORBIDDEN).build());
should work.

It is kind of strange that you get a 200 OK response. I would have
expected a 204 response. Be sure you're not invoking the request
handler chain still after you've determined that the method should not
be invoked.

On Tue, Jul 26, 2011 at 7:46 AM, Cameron Dalton
<[hidden email]> wrote:

RE: using security annotations (e.g. @RolesAllowed, @DenyAll)

vareshbe
In reply to this post by Cameron Dalton
MessageContext's setResponseStatusCode() is overridden in the appropriate response handler.
The best way to do this is to create a Response object using ResponseBuilder and set it using setResponseEntity().

RE: using security annotations (e.g. @RolesAllowed, @DenyAll)

Cameron Dalton
In reply to this post by Bryant Luk
Bryant,

That worked like a charm; thanks a ton!  I typically think about entities as the content of the response, so I didn't think about passing a Response object to setResponseEntity().  But that did the trick.

"It is kind of strange that you get a 200 OK response. I would have expected a 204 response."

I had called setResponseEntity() with an explanatory message, thus the 200 OK.  I did get a 204 before I tried using setResponseEntity().

"Be sure you're not invoking the request handler chain still after you've determined that the method should not be invoked."

That much I figured out!

Thanks again for both pieces of advice.  The request handlers have opened up a whole new world of options!

Cameron


-----Original Message-----
From: Bryant Luk [mailto:[hidden email]]
Sent: Tuesday, July 26, 2011 10:26 AM
To: [hidden email]
Subject: Re: using security annotations (e.g. @RolesAllowed, @DenyAll)
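As an added example (not code from Apache Wink or from anyone in this thread), here is what a user request handler built along the lines Bryant and vareshbe describe could look like: it finds the matched method the way Cameron did, applies the JSR-250 annotations, and on denial sets a built Response as the entity instead of continuing the chain. Assumptions not stated in the thread: the attributes are read with MessageContext.getAttribute(Class), and MethodMetadata.getReflectionMethod() returns the java.lang.reflect.Method.

```java
import java.lang.reflect.AnnotatedElement;
import java.lang.reflect.Method;
import java.util.Properties;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.core.Response;
import org.apache.wink.server.handlers.HandlersChain;
import org.apache.wink.server.handlers.MessageContext;
import org.apache.wink.server.handlers.RequestHandler;
import org.apache.wink.server.internal.registry.SearchResult;
/** Wink user request handler that enforces JSR-250 annotations on the matched resource method. */
public class Jsr250RequestHandler implements RequestHandler {

    public void init(Properties props) { /* nothing to configure */ }
    public void handleRequest(MessageContext context, HandlersChain chain) throws Throwable {
        // Assumed lookup path: SearchResult -> MethodRecord -> MethodMetadata -> reflection Method.
        // The SearchResult attribute is only present once Wink has matched a resource method.
        SearchResult result = context.getAttribute(SearchResult.class);
        Method method = result == null ? null : result.getMethod().getMetadata().getReflectionMethod();
        HttpServletRequest request = context.getAttribute(HttpServletRequest.class);
        if (method == null || isAllowed(method, request)) {
            chain.doChain(context);   // allowed: let the chain reach the resource method
        } else {
            // Denied: hand Wink a real Response and do NOT call doChain(), otherwise the resource
            // method still runs. A bare setResponseStatusCode() is overwritten by response handlers.
            context.setResponseEntity(Response.status(Response.Status.FORBIDDEN).build());
        }
    }

    /** JSR-250 precedence: method-level annotations override class-level; DenyAll beats RolesAllowed. */
    static boolean isAllowed(Method method, HttpServletRequest request) {
        AnnotatedElement target = hasSecurityAnnotation(method) ? method : method.getDeclaringClass();
        if (target.isAnnotationPresent(DenyAll.class)) return false;
        RolesAllowed allowed = target.getAnnotation(RolesAllowed.class);
        if (allowed != null) {
            for (String role : allowed.value()) {
                if (request.isUserInRole(role)) return true;
            }
            return false;   // authenticated, but in none of the listed roles
        }
        return true;        // @PermitAll, or no annotation at all (the JSR-250 default is permit)
    }
    private static boolean hasSecurityAnnotation(AnnotatedElement e) {
        return e.isAnnotationPresent(DenyAll.class) || e.isAnnotationPresent(PermitAll.class)
                || e.isAnnotationPresent(RolesAllowed.class);
    }
}
```

To register it you need a HandlersFactory whose getUserRequestHandlers() returns this handler and a servlet init-param naming that factory class; the init-param name wink.handlersFactoryClass is from memory rather than from the thread, so confirm it against the Wink servlet documentation.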

RE: using security annotations (e.g. @RolesAllowed, @DenyAll)

flangel
Hi Cameron,

did you configure the web.xml manually to set the HandlerFactory, or did you find a way to set the factory programmatically, i.e. through code?

Is there any chance that you can post the code?
Thanks
Frank