Strange authorization issue with CXF simpleauthorizinginterceptor

Solution In Progress - Updated -

Issue

I have a camel-cxfrs rsServer endpoint configured as

<camelcxf:rsServer id="rsServer" address="http://localhost:9080/CxfRsRouterTest/route"
    serviceClass="org.apache.camel.component.cxf.jaxrs.testbean.CustomerService"
    loggingFeatureEnabled="true">
    <camelcxf:providers>
        <ref component-id="authenticationFilter" />
        <ref component-id="authorizationFilter" />
    </camelcxf:providers>
</camelcxf:rsServer>

where "authenticationFilter" and "authorizationFilter" are configured as:

<bean id="authenticationFilter" class="org.apache.cxf.jaxrs.security.JAASAuthenticationFilter">
    <property name="contextName" value="karaf" />
</bean>

<bean id="authorizationInterceptor" class="org.apache.cxf.interceptor.security.SimpleAuthorizingInterceptor">
    <property name="methodRolesMap">
        <map>
            <entry key="getCustomer" value="LeoETMF" />
        </map>
    </property>
</bean>

<bean id="authorizationFilter" class="org.apache.cxf.jaxrs.security.SimpleAuthorizingFilter">
    <property name="interceptor" ref="authorizationInterceptor" />
</bean>

In the "etc/users.properties" file of my JBoss Fuse 6.1 (with R3 patch) container, I have the following users configured:

admin=admin,admin
etmfservice-d=admin,LeoETMF
etmfservice-q=admin,LeoETMF

From the SoapUI client, if I configure HTTP Basic Authentication using the user "etmservice-d", the REST request:

http://localhost:9080/CxfRsRouterTest/route/customerservice/customers/123

works fine and the user is properly authenticated and authorised. I get a 200 back with the following XML response:

<Response xmlns="http://localhost/CxfRsRouterTest/route/customerservice/customers/123">
   <Customer>
      <id>123</id>
      <name>John</name>
   </Customer>
</Response>

However, if I use the user "etmservice-q", configure HTTP Basic Authentication in the SoapUI client and invoke the REST service, I get a "403 Forbidden" back, since the SimpleAuthorizingFilter does not authorise it.

In my opinion, both users "etmservice-d" and "etmservice-q" should be authorised by the SimpleAuthorizingFilter, since they both have the same role "LeoETMF".

Environment

  • JBoss Fuse
    • 6.1

Subscriber exclusive content
