...
Role based access control
If you have an existing RBAC system (based on we have a SAML Assertion or JWT token with claims that are known to represent roles, then making those claims work with an RBAC system can be achieved easily.
SimpleAuthorizingInterceptor
One option is to enforce that only users in a given role can access a method in the service bean is to use CXF's SimpleAuthorizingInterceptor. It has a "methodRolesMap" property can maps method names to roles. This interceptor must then be added to the inInterceptor chain of the service endpoint. For example:
Code Block | ||||
---|---|---|---|---|
| ||||
<bean id="serviceBean" class="org.apache.cxf.systest.jaxrs.security.jose.jwt.BookStoreAuthn"/>
<bean id="jwtAuthzFilter" class="org.apache.cxf.rs.security.jose.jaxrs.JwtAuthenticationFilter">
<property name="roleClaim" value="role"/>
</bean>
<bean id="authorizationInterceptor"
class="org.apache.cxf.interceptor.security.SimpleAuthorizingInterceptor">
<property name="methodRolesMap">
<map>
<entry key="echoBook" value="boss"/>
<entry key="echoBook2" value="boss"/>
</map>
</property>
</bean>
<jaxrs:server address="https://localhost:${testutil.ports.jaxrs-jwt-authn-authz}/signedjwtauthz">
<jaxrs:serviceBeans>
<ref bean="serviceBean"/>
</jaxrs:serviceBeans>
<jaxrs:providers>
<ref bean="jwtAuthzFilter"/>
</jaxrs:providers>
<jaxrs:inInterceptors>
<ref bean="authorizationInterceptor"/>
</jaxrs:inInterceptors>
<jaxrs:properties>
<entry key="rs.security.signature.in.properties"
value="org/apache/cxf/systest/jaxrs/security/bob.jwk.properties"/>
</jaxrs:properties>
</jaxrs:server> |
Using annotations
Instead of mapping method names to roles using the SimpleAuthorizingInterceptor, we can instead annotate them in the service bean with javax.annotation.security.RolesAllowed or even org.springframework.security.annotation.Secured annotations) in place and have SAML assertions with claims that are known to represent roles, then making those claims work with the RBAC system can be achieved easily. For example, given this code:
|
...
Also note how SecureAnnotationsInterceptor can handle different types of role annotations, with @RoledAllowed @RolesAllowed being supported by default.