Thread: Spring Framework role based method security not working in Apache CXF webservice

  1. #1
    Join Date
    Jul 2012
    Posts
    3

    Spring Framework role based method security not working in Apache CXF webservice

    Sorry to duplicate this post from StackOverflow but it looks like there is more Spring action here. This is the issue:

    I have a simple Apache CXF webservice with the following beans.xml file:

    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <beans:beans
        xmlns:beans="http://www.springframework.org/schema/beans"
        xmlns="http://www.springframework.org/schema/security"
        xmlns:ssec="http://cxf.apache.org/spring-security"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:jaxws="http://cxf.apache.org/jaxws"
        xsi:schemaLocation="
        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd
        http://cxf.apache.org/spring-security
        http://cxf-spring-security.googlecode.com/svn/trunk/cxf-spring-security/src/main/resources/schemas/spring-security.xsd
        http://cxf.apache.org/jaxws
        http://cxf.apache.org/schemas/jaxws.xsd">

        <beans:import resource="classpath:META-INF/cxf/cxf.xml" />

        <http auto-config='true'>
            <http-basic/>
            <anonymous enabled="false"/>
        </http>

        <beans:bean id="methodSecurityInterceptor"
            class="org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor">
            <beans:property name="authenticationManager" ref="authenticationManager"/>
            <beans:property name="accessDecisionManager" ref="accessDecisionManager"/>
            <beans:property name="securityMetadataSource">
                <beans:value>
                    org.mycompany.com.CxfSpringSecuredService.HelloWorldImpl.sayHi=ROLE_OPERATOR
                    org.mycompany.com.CxfSpringSecuredService.HelloWorldImpl.sayHiAdmin*=ROLE_ADMIN,ROLE_SUPERVISOR
                    org.mycompany.com.CxfSpringSecuredService.HelloWorldImpl.deleteAccounts*=ROLE_SUPERVISOR
                </beans:value>
            </beans:property>
        </beans:bean>

        <beans:bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
            <beans:property name="decisionVoters">
                <beans:list>
                    <beans:bean class="org.springframework.security.access.vote.RoleVoter" />
                </beans:list>
            </beans:property>
        </beans:bean>

        <authentication-manager alias="authenticationManager">
            <authentication-provider>
                <user-service>
                    <user name="operator" password="operator" authorities="ROLE_OPERATOR" />
                    <user name="admin" password="admin" authorities="ROLE_ADMIN" />
                    <user name="sup" password="sup" authorities="ROLE_SUPERVISOR" />
                </user-service>
            </authentication-provider>
        </authentication-manager>

        <jaxws:endpoint
            id="helloWorld"
            implementor="org.mycompany.com.CxfSpringSecuredService.HelloWorldImpl"
            address="/HelloWorld" />

    </beans:beans>
    My web service implementation comprises three simple methods:

    Code:
    import java.util.Collection;

    import javax.jws.WebService;

    import org.springframework.security.core.Authentication;
    import org.springframework.security.core.GrantedAuthority;
    import org.springframework.security.core.context.SecurityContext;
    import org.springframework.security.core.context.SecurityContextHolder;

    @WebService(endpointInterface = "org.mycompany.com.CxfSpringSecuredService.HelloWorld")
    public class HelloWorldImpl implements HelloWorld {

        public String sayHi(String text) {
            // Append the caller's granted authorities to the reply so the client
            // can see which roles the service believes it holds.
            SecurityContext context = SecurityContextHolder.getContext();
            if (context != null) {
                Authentication authentication = context.getAuthentication();
                if (authentication != null) {
                    Collection<GrantedAuthority> roles = authentication.getAuthorities();
                    if (roles != null) {
                        for (GrantedAuthority authority : roles) {
                            text = text + " " + authority;
                        }
                    }
                }
            }
            return "Hello " + text;
        }

        public String sayHiAdmin() {
            return "Hello admin";
        }

        public String deleteAccounts(String name) {
            return "Accounts deleted by " + name;
        }
    }
    My test client passes authentication information within the SOAP header. If I issue invalid credentials during the web service call, I get

    Code:
    The HTTP request is unauthorized with client authentication scheme 'Anonymous'. The authentication header received from the server was 'Basic realm="Spring Security Application"'.
    If I issue valid credentials for the operator, I can invoke all methods, even though the operator should not be able to invoke sayHiAdmin and deleteAccounts. I have gone through the docs but cannot figure out what I missed here. Help, please.

    TIA.
    Last edited by e28makaveli; Jul 6th, 2012 at 11:18 AM. Reason: corrected user config

  2. #2
    Join Date
    Jul 2012
    Posts
    3


    Ideas anyone?

  3. #3
    Join Date
    Jun 2006
    Location
    The Netherlands
    Posts
    13,632


    You should protect the interface, NOT the concrete class; a proxy will be created for the implementation, and as such your rules will never apply.
    Marten Deinum
    Java Consultant / Pragmatist / Open Source Enthusiast / Author


    Pro Spring MVC: With Web Flow
    Conspect

    Have you read the reference guide?
    Use the [ code ] tags, young padawan

  4. #4
    Join Date
    Jul 2012
    Posts
    3


    Quote Originally Posted by Marten Deinum:
    You should protect the interface NOT the concrete class, there will be a proxy created for the implementation and your rules as such will never apply.
    Thanks for the response. While you make perfect sense, changing my securityMetadataSource config to

    Code:
    <beans:property name="securityMetadataSource">
        <beans:value>
            org.honeywell.com.CxfSpringSecuredService.HelloWorld.sayHi=ROLE_OPERATOR
            org.honeywell.com.CxfSpringSecuredService.HelloWorld.sayHiAdmin*=ROLE_ADMIN
            org.honeywell.com.CxfSpringSecuredService.HelloWorld.deleteAccounts*=ROLE_SUPERVISOR
        </beans:value>
    </beans:property>
    still does not fix my problem. However, I did notice the following in the output window.

    Code:
    INFO: Bean 'cxf' of type [class org.apache.cxf.bus.spring.SpringBus] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
    Is this my problem?

  5. #5
    Join Date
    Jun 2006
    Location
    The Netherlands
    Posts
    13,632


    Yup... It is eagerly initialized, probably because CXF, not Spring, is in control, and as such it isn't being proxied.

  6. #6
    Join Date
    Jul 2012
    Posts
    1


    Thank you Guys. I happened to have a similar kind of problem for which I was searching for a solution. I landed on this post and it has helped me a lot. Thank you very much.

    Regards,
    NexxPhase.com
    http://www.nexxphase.com
