jax-rs, cxf, roles, jakarta-ee-security-api

@RolesAllowed in Apache CXF


I'm trying to migrate a JAX-RS application from Jersey to Apache CXF. I'm not using Spring, so I'm trying to configure it by extending javax.ws.rs.core.Application.

I also implemented

    public class RolesAllowedCXFFeature implements Feature {
        @Override
        public boolean configure(FeatureContext featureContext) {
            SecureAnnotationsInterceptor interceptor = new SecureAnnotationsInterceptor();
            featureContext.register(interceptor);
            SimpleAuthorizingFilter f = new SimpleAuthorizingFilter();
            f.setInterceptor(interceptor);
            featureContext.register(f);
            return true;
        }
    
        public static Object createAuthFilter() {
            SimpleAuthorizingFilter f = new SimpleAuthorizingFilter();
            f.setInterceptor(new SecureAnnotationsInterceptor());
            return f;
        }
    }

and returned it in the getSingletons() method of the aforementioned Application.

The issue is that the methods annotated with @RolesAllowed do not seem to work.

In Jersey it was enough to return new RolesAllowedDynamicFeature() from Application#getSingletons() and methods were secured.


Solution

  • My opinion, from looking at the code, is that SecureAnnotationsInterceptor does not automatically pick up all the classes annotated with @Path, so you will have to register them yourself with the interceptor using SecureAnnotationsInterceptor#setSecuredObject.
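
The registration suggested in the answer above, as an added example that is not part of the original question or answer. It assumes CXF 3.x with the `javax` namespace used in the question; `SecuredApplication`, `ReportResource` and the `admin` role are hypothetical names.

```java
import java.util.HashSet;
import java.util.Set;

import javax.annotation.security.RolesAllowed;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.core.Application;

import org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor;
import org.apache.cxf.jaxrs.security.SimpleAuthorizingFilter;

// Hypothetical Application subclass for a non-Spring CXF deployment.
public class SecuredApplication extends Application {

    // Hypothetical resource with one role-protected method.
    @Path("/reports")
    public static class ReportResource {
        @GET
        @RolesAllowed("admin")
        public String list() {
            return "reports";
        }
    }

    @Override
    public Set<Object> getSingletons() {
        ReportResource resource = new ReportResource();

        // Hand the resource instance to the interceptor explicitly so it can
        // read the @RolesAllowed annotations on that object's class.
        SecureAnnotationsInterceptor interceptor = new SecureAnnotationsInterceptor();
        interceptor.setSecuredObject(resource);

        // The JAX-RS filter delegates each request to the interceptor, which
        // checks the caller's roles through the request's SecurityContext.
        SimpleAuthorizingFilter filter = new SimpleAuthorizingFilter();
        filter.setInterceptor(interceptor);

        Set<Object> singletons = new HashSet<>();
        singletons.add(resource);
        singletons.add(filter);
        return singletons;
    }
}
```

The role check only passes if authentication has already populated the SecurityContext for the request; an unauthenticated call to `list()` is rejected.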