I am using Apache CXF and I'd like to use the SecureAnnotationsInterceptor to secure my endpoint with the @RolesAllowed annotation.
As far as I understand, I have to tell the interceptor which object to protect by passing the reference to the setSecuredObject method.
Unfortunately, the code isn't designed to handle a list of beans.
I am then wondering how to secure multiple endpoints with this interceptor.
Do I have to create my own version of this interceptor, or create multiple instances of it (one per endpoint to secure), or something else?

I don't know if you have found an answer. For me, I modified this interceptor's setSecuredObject method as follows:
```java
// Scans every bean in the list and registers one merged roles map.
public void setSecuredObjectsList(Object[] objects) {
    Map<String, String> rolesMap = new HashMap<String, String>();
    for (Object o : objects) {
        setSecuredObject(o, rolesMap);
    }
    super.setMethodRolesMap(rolesMap);
}

public void setSecuredObject(Object object, Map<String, String> rolesMap) {
    Class<?> cls = ClassHelper.getRealClass(object);
    // Scan into a fresh map so the emptiness check below reflects this object only,
    // not roles already collected from earlier objects in the list.
    Map<String, String> found = new HashMap<String, String>();
    findRoles(cls, found);
    if (found.isEmpty()) {
        LOG.warning("The roles map is empty, the service object is not protected: " + cls.getName());
    } else if (LOG.isLoggable(Level.FINE)) {
        for (Map.Entry<String, String> entry : found.entrySet()) {
            LOG.fine("Method: " + entry.getKey() + ", roles: " + entry.getValue());
        }
    }
    rolesMap.putAll(found);
}
```
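
Merging several beans into one roles map, as the answer above does, makes two startup checks worthwhile: a bean that contributes no roles at all, and two beans whose same-named methods carry different roles. The following is an added example, not part of the original answer or of CXF; it uses a stand-in RolesAllowed annotation and constructed sample classes so it runs on a bare JDK, and it assumes the map is keyed by method name, as the answer's "Method: ..." log line suggests.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.util.*;

public class MergedRolesCheck {
    // Stand-in for javax.annotation.security.RolesAllowed (assumption: keeps the demo JDK-only).
    @Retention(RetentionPolicy.RUNTIME) @Target({ElementType.METHOD, ElementType.TYPE})
    @interface RolesAllowed { String[] value(); }

    // Constructed sample endpoints, not taken from the page.
    static class OrderService {
        @RolesAllowed("user") public String find(String id) { return id; }
    }
    static class AdminService {
        @RolesAllowed("admin") public String find(String id) { return id; }
    }
    static class PingService {            // carries no annotation at all
        public String ping() { return "pong"; }
    }

    // Per-object scan: method name -> space-separated roles (the shape of the answer's rolesMap).
    static Map<String, String> rolesOf(Object bean) {
        Map<String, String> roles = new TreeMap<>();
        Class<?> cls = bean.getClass();
        RolesAllowed onClass = cls.getAnnotation(RolesAllowed.class);
        for (Method m : cls.getDeclaredMethods()) {
            RolesAllowed ra = m.isAnnotationPresent(RolesAllowed.class)
                    ? m.getAnnotation(RolesAllowed.class) : onClass;
            if (ra != null) roles.put(m.getName(), String.join(" ", ra.value()));
        }
        return roles;
    }

    public static void main(String[] args) {
        Map<String, String> merged = new TreeMap<>();
        for (Object bean : new Object[] {new OrderService(), new AdminService(), new PingService()}) {
            Map<String, String> found = rolesOf(bean);
            String name = bean.getClass().getSimpleName();
            if (found.isEmpty()) System.out.println("UNPROTECTED: " + name);
            for (Map.Entry<String, String> e : found.entrySet()) {
                String prev = merged.put(e.getKey(), e.getValue());
                if (prev != null && !prev.equals(e.getValue()))   // later bean silently wins
                    System.out.println("CONFLICT: " + e.getKey() + " was [" + prev
                            + "], now [" + e.getValue() + "] from " + name);
            }
        }
        System.out.println("merged = " + merged);
    }
}
```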