Skip to content
This repository has been archived by the owner on Nov 18, 2022. It is now read-only.

AuthorizationHandler not being called #194

Open
lichtin opened this issue Sep 13, 2017 · 6 comments
Open

AuthorizationHandler not being called #194

lichtin opened this issue Sep 13, 2017 · 6 comments

Comments

@lichtin
Copy link

lichtin commented Sep 13, 2017

Hi All
Wanted to ask if anyone has the jax-rs-connector working properly in a Karaf 4.0.x environment?

Specifically the issue is with authentication and authorization handlers. There's a class implementing both interfaces.

With an http request arriving, the authentication seems to work, as the authenticate() method is called.
However, regardless of whether that method returns null or a Principal, the request does not get rejected and also the authorization handler is never called.

Does anyone have any suggestion on where to look further.
@BryanHunt
Copy link
Collaborator

It depends on how you are doing authentication and authorization in your REST service. If you are managing authentication and authorization on a per method basis, then it's up to you. If you are using the jax-rs annotations, then it should be managed by Jersey.

@lichtin
Copy link
Author

lichtin commented Sep 13, 2017

I'm using the @RolesAllowed and @Denyall (for testing only) annotations, so that's the case you say Jersey should manage.

I double-checked my implementation of the AuthorizationHandler interface is also registered as an OSGi service. Still it's not called.

The AuthenticationHandler however is called via the following call stack:

at my.path.impl.SecurityHandlerImpl.authenticate(SecurityHandlerImpl.java:49)
at com.eclipsesource.jaxrs.provider.security.impl.SecurityAdmin.createSecurityContext(SecurityAdmin.java:38)
at com.eclipsesource.jaxrs.provider.security.impl.SecurityAdmin.getSecurityContext(SecurityAdmin.java:29)
at com.eclipsesource.jaxrs.provider.security.impl.ContainerRequestFilterImpl.filter(ContainerRequestFilterImpl.java:36)
at org.glassfish.jersey.server.ContainerFilteringStage.apply(ContainerFilteringStage.java:132)
at org.glassfish.jersey.server.ContainerFilteringStage.apply(ContainerFilteringStage.java:68)
at org.glassfish.jersey.process.internal.Stages.process(Stages.java:197)
at org.glassfish.jersey.server.ServerRuntime$2.run(ServerRuntime.java:318)
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:271)
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:267)
at org.glassfish.jersey.internal.Errors.process(Errors.java:315)
at org.glassfish.jersey.internal.Errors.process(Errors.java:297)
at org.glassfish.jersey.internal.Errors.process(Errors.java:267)
at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:317)
at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:305)
at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:1154)
at org.glassfish.jersey.servlet.WebComponent.serviceImpl(WebComponent.java:473)
at org.glassfish.jersey.servlet.WebComponent.service(WebComponent.java:427)
at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:388)
at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:341)
at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:228)
at com.eclipsesource.jaxrs.publisher.internal.ServletContainerBridge.service(ServletContainerBridge.java:76)
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:587)
at org.ops4j.pax.web.service.jetty.internal.HttpServiceServletHandler.doHandle(HttpServiceServletHandler.java:71)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
at org.ops4j.pax.web.service.jetty.internal.HttpServiceContext.doHandle(HttpServiceContext.java:287)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
at org.ops4j.pax.web.service.jetty.internal.JettyServerHandlerCollection.handle(JettyServerHandlerCollection.java:80)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
at org.eclipse.jetty.server.Server.handle(Server.java:499)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
at java.lang.Thread.run(Thread.java:748)

Any place I could dig in to find out why authorization does not kick in?

@deepaktyagi2326
Copy link

I faced a similar issue sometime back and it was resolved by making my REST Resource classes extend RolesAllowedDynamicFeature interface.

@Rossi1337
Copy link

Hi,
I have the same issue. I debugged it a little bit and for me it looks like to be a problem how javax.annotation is resolved.

For my bundle that implements the components that are annotated with @path and @RolesAllowed the javax.annotation is revolved to the Felix System Bundle with ID: 0

The jersey-min bundle contains an internal copy of javax.annotation that is used then automatically.
So the comparision of the annotations goes wrong in RolesAllowedDynamicFeature.configure()
It invokes org.glassfish.jersey.server.model.isAnnotationPresent
That one always returns false because the @RolesAllowed comes from two different OSGI class loaders and are therefore not considered to be the same.

Im no OSGI pro so I cannot tell for sure but for me it seems that jersey-min should not contain javax.annotation as a copy but resolve it the same way as "resource implementation" bundles do?

Or is there a way to force the resolving of my bundles to use the javax.annotation provided by jersey-min?

Best regards,

  • Bernd

@Rossi1337
Copy link

After some more research I stumbled uppon this.

https://www.osgi.org/portable-java-contract-definitions/

So I think jersey-min should define the dependency on javax.annotation via a contract instead of embedding it?

  • Bernd

@richiew
Copy link

richiew commented Oct 7, 2020

Hi

I'm currently facing the same issue on a Adobe Experience Manager (AEM) OSGi platform.

Making my REST resource extend RolesAllowedDynamicFeature unfortunately did not help in my case (the result was a HTTP 404 when calling the REST resource). Has anyone found a solution to this problem?

Best regards
Richard

@nicolatimeus nicolatimeus mentioned this issue Feb 23, 2022
Merged
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@BryanHunt @lichtin @Rossi1337 @deepaktyagi2326 @richiew