I'm trying to migrate a JAX-RS application from Jersey to Apache CXF. I'm not using Spring, so I'm trying to configure it by extending javax.ws.rs.core.Application.
I also implemented
public class RolesAllowedCXFFeature implements Feature {
@Override
public boolean configure(FeatureContext featureContext) {
SecureAnnotationsInterceptor interceptor = new SecureAnnotationsInterceptor();
featureContext.register(interceptor);
SimpleAuthorizingFilter f = new SimpleAuthorizingFilter();
f.setInterceptor(interceptor);
featureContext.register(f);
return true;
}
public static Object createAuthFilter() {
SimpleAuthorizingFilter f = new SimpleAuthorizingFilter();
f.setInterceptor(new SecureAnnotationsInterceptor());
return f;
}
}
and returned it in the getSingletons() method of the aforementioned Application.
The issue is that the methods annotated with @RolesAllowed do not seem to work.
In Jersey was enough to return new RolesAllowedDynamicFeature() from Application#getSingletons() and methods were secured.
My opinion, from looking at the code, is that SecureAnnotationsInterceptor does not automatically pick up all the classes annotated with @Path, so you will have to register them yourself with the interceptor using SecureAnnotationsInterceptor#setSecuredObject.