Combine Spring security AUTHORIZATION bearer and CXF

I am using Spring Security + Spring Core in combination with CXF for my RESTful services.

Below are configs:

  1. web.xml for CXF config:

    <!-- Spring configuration for ContextLoaderListener -->
    <!-- CXF configuration for restful webservices -->
  2. CXF endpoint config (context.xml)

    <!-- configure for restful endpoint for application services as web authentication... -->
    <jaxrs:server id="ApplicationServices">
        <jaxrs:serviceBeans><ref bean="ControllerImpl" /></jaxrs:serviceBeans>
        <jaxrs:providers><ref bean="jsonProvider" /></jaxrs:providers>
        <jaxrs:features>
            <!-- the class attribute was cut off in the posted snippet; CXF's LoggingFeature is assumed -->
            <bean id="loggingFeature" class="org.apache.cxf.ext.logging.LoggingFeature">
                <property name="prettyLogging" value="true" />
            </bean>
            <ref bean="swagger2Feature" />
        </jaxrs:features>
    </jaxrs:server>
  3. spring security config - filter

    public class AuthenticationFilter extends AbstractAuthenticationProcessingFilter {
        AuthenticationFilter(final RequestMatcher requiresAuth) {
            super(requiresAuth);
        }
        @Override
        public Authentication attemptAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws AuthenticationException, IOException, ServletException {
            // Expected header: "Authorization: Bearer TOKEN"; a missing header yields an empty token
            String token = StringUtils.isNotEmpty(httpServletRequest.getHeader(AUTHORIZATION)) ? httpServletRequest.getHeader(AUTHORIZATION) : "";
            token = StringUtils.removeStart(token, "Bearer").trim();
            Authentication requestAuthentication = new UsernamePasswordAuthenticationToken(token, token);
            return getAuthenticationManager().authenticate(requestAuthentication);
        }
        @Override
        protected void successfulAuthentication(final HttpServletRequest request, final HttpServletResponse response, final FilterChain chain, final Authentication authResult) throws IOException, ServletException {
            // publish the result so the downstream authorization filter sees an authenticated principal
            SecurityContextHolder.getContext().setAuthentication(authResult);
            chain.doFilter(request, response);
        }
    }
  4. spring security config - provider

    @Component
    public class AuthenticationProvider extends AbstractUserDetailsAuthenticationProvider {
        @Autowired UserTokenService userTokenService;
        @Override
        protected void additionalAuthenticationChecks(UserDetails userDetails, UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken) throws AuthenticationException {
            // the token was already validated in retrieveUser(); nothing more to check
        }
        @Override
        protected UserDetails retrieveUser(String userName, UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken) throws AuthenticationException {
            Object token = usernamePasswordAuthenticationToken.getCredentials();
            return Optional.ofNullable(token).map(Object::toString).flatMap(userTokenService::findByToken)
                    .orElseThrow(() -> new UsernameNotFoundException("Cannot find user with authentication token=" + token));
        }
    }
  5. spring security config - SecurityConfiguration

    @EnableWebSecurity
    @EnableGlobalMethodSecurity(prePostEnabled = true)
    public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
        private static final RequestMatcher PROTECTED_URLS = new OrRequestMatcher(
                new AntPathRequestMatcher("/services/**"));
        AuthenticationProvider provider;
        public SecurityConfiguration(final AuthenticationProvider authenticationProvider) {
            this.provider = authenticationProvider;
        }
        @Override
        protected void configure(final AuthenticationManagerBuilder auth) {
            auth.authenticationProvider(provider);
        }
        // we don't need to provide this service for now because we are using Vaadin
        @Override
        public void configure(final WebSecurity webSecurity) {
        }
        @Override
        public void configure(HttpSecurity http) throws Exception {
            http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
                    .exceptionHandling().authenticationEntryPoint(forbiddenEntryPoint()).and()
                    .addFilterBefore(authenticationFilter(), AnonymousAuthenticationFilter.class).authorizeRequests()
                    .requestMatchers(PROTECTED_URLS).authenticated().and()
                    .csrf().disable().formLogin().disable().httpBasic().disable().logout().disable();
        }
        AuthenticationFilter authenticationFilter() throws Exception {
            final AuthenticationFilter filter = new AuthenticationFilter(PROTECTED_URLS);
            filter.setAuthenticationManager(authenticationManager());
            // filter.setAuthenticationSuccessHandler(successHandler());
            return filter;
        }
        AuthenticationEntryPoint forbiddenEntryPoint() {
            return new HttpStatusEntryPoint(HttpStatus.FORBIDDEN);
        }
    }
  6. findByToken

    public Optional<User> findByToken(String token) {
        UserToken userToken = userTokenDAO.findByToken(token);
        if (userToken != null) {
            // the granted-authorities argument was cut off in the posted snippet; none are assumed here
            User user = new User(userToken.getUserId(), userToken.getUserPassword(), true, true, true, true,
                    AuthorityUtils.NO_AUTHORITIES);
            return Optional.of(user);
        }
        return Optional.empty();
    }

However, the filter does not work. The request still comes through without any validation by Spring Security.

The request looks like:

    curl -X POST "http://localhost:8080/my-app/services/Application/ControllerImpl/myservice1" -H "accept: application/json" -H "Content-Type: application/json" -d "string"

There is no exception or error. The above request returns 200 (OK). I expected it to fail because there is no bearer token on the request.

How can we combine Spring Security (using the bearer token method) and CXF?


  • Based on the discussion in the comments, it is clear the Spring Security filter chain is not getting configured.

    Can you please add the following to your web.xml as well and see if the execution is hitting the AntPathRequestMatcher matches method?
