Though I’m able to get identity access with my own JAX-RS extension via “@Context SecurityContext”, I’m wanting to tie into (per HttpBasicAuthenticationProvider) so that I can use the built-in user database.
Everything works until I want to access the “@Context SecurityContext” - which ends up “null” (getting a null pointer error). My goal is to fetch the UserPrincipal from the logged in user.
example:
```java
public String secureEchoGet(@PathParam("hello") String hello,
                            @Context SecurityContext security) {
    LOGGER.info("*** echoget - user : " + security.getUserPrincipal().getName());
```
I checked Camunda source and noticed no use of “@Context SecurityContext” - however, there are examples of “@Context UriInfo”
I’m guessing that I’ll need to implement a security interceptor. Given that I don’t see any reference to “SecurityInterceptor” in source.
Is this correct?
Thanks!
Hi @garysamuelson,
I am not sure, but I guess that SecurityContext is an application-server-specific part of the implementation, as the JAX-RS jar only defines the interface. Which application server are you using?
Cheers,
Askar
My server: WildFly v10.x
My goal is to simply use the logged-in-user’s ID/Username inbound from a ReST (JAX-RS) call.
I was able to get “resteasy.role.based.security” working (my mistake - forgot to set the param back “on” during testing):
```xml
<context-param>
  <description>turning on resteasy security. Note that this will not work for ejb</description>
  <param-name>resteasy.role.based.security</param-name>
  <param-value>true</param-value>
</context-param>
```
WildFly’s built-in auth works (i.e. application-roles.properties). I’m now just looking for access into Camunda’s existing auth infrastructure.
So, I can use Camunda’s filter:
```xml
<filter>
  <filter-name>camunda-auth</filter-name>
  <filter-class>
    org.camunda.bpm.engine.rest.security.auth.ProcessEngineAuthenticationFilter
  </filter-class>
  <init-param>
    <param-name>authentication-provider</param-name>
    <param-value>org.camunda.bpm.engine.rest.security.auth.impl.HttpBasicAuthenticationProvider</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>camunda-auth</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
```
But, I’m not able to reference and use security annotations - example:
Noting:
- myusergroup is in the WildFly “application-roles.properties” file
- mycamgroup is in Camunda’s group table

Users not in “application-roles.properties” aren’t authorized (auth error from the ReST call). But those in the WildFly group properties are allowed.
```java
@GET
@Path("secureechoget/{hello}")
@RolesAllowed({"myusergroup","mycamgroup"})
@Produces(MediaType.APPLICATION_JSON)
public String secureEchoGet(@PathParam("hello") String hello,
                            @Context SecurityContext security) {
    String loginName = security.getUserPrincipal().getName();
    LOGGER.info("*** reviewContext - getName: " + loginName);
    // assemble a basic JSON reply and return
    String echoReply = "{\"logged in user\": \"" + loginName + "\"}";
    return echoReply;
}
```
NOTE: I’m still working out the kinks… But, the basic question is, do I need a separate interceptor (examples on RedHat… etc)
I’ll leave the question up - but… I think I forgot to add/configure a new realm.
Thanks though.
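
One way to build the interceptor asked about in this thread, as an added example that is not code from the posters or from Camunda: a JAX-RS request filter that copies the identity set by `ProcessEngineAuthenticationFilter` into the request's `SecurityContext`. The class name is hypothetical, and it assumes the default process engine is the one the servlet filter authenticated against and that the `@RolesAllowed` check reads the request's `SecurityContext`.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.List;
import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;
import org.camunda.bpm.BpmPlatform;
import org.camunda.bpm.engine.impl.identity.Authentication;

// Hypothetical class (not part of Camunda). AUTHENTICATION priority makes it
// run before authorization-stage filters that evaluate @RolesAllowed.
@Provider
@Priority(Priorities.AUTHENTICATION)
public class CamundaSecurityContextFilter implements ContainerRequestFilter {

  @Override
  public void filter(ContainerRequestContext ctx) {
    // Assumption: the default engine is the one ProcessEngineAuthenticationFilter
    // authenticated against; it holds the authentication for this request thread.
    Authentication auth = BpmPlatform.getDefaultProcessEngine()
        .getIdentityService().getCurrentAuthentication();
    if (auth == null || auth.getUserId() == null) {
      // Fail closed: no Camunda identity means no access to the resource.
      ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
      return;
    }
    final String userId = auth.getUserId();
    final List<String> groups = auth.getGroupIds() != null
        ? auth.getGroupIds() : Collections.<String>emptyList();
    final SecurityContext original = ctx.getSecurityContext();
    final Principal principal = new Principal() {
      @Override public String getName() { return userId; }
    };
    ctx.setSecurityContext(new SecurityContext() {
      @Override public Principal getUserPrincipal() { return principal; }
      // Roles are the user's Camunda group ids, e.g. "mycamgroup".
      @Override public boolean isUserInRole(String role) { return groups.contains(role); }
      @Override public boolean isSecure() { return original != null && original.isSecure(); }
      @Override public String getAuthenticationScheme() { return SecurityContext.BASIC_AUTH; }
    });
  }
}
```

With this context installed, role checks resolve against Camunda group ids only, so a role that exists solely in WildFly's “application-roles.properties” (such as myusergroup) no longer matches.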