
Secure JAXRS resource using Apache CXF & Auth0

apache
jwt
auth0
api

#1

Team, I’m trying to secure a JAXRS API using Apache CXF. I couldn’t find any promising examples yet. I tried to validate the token using AccessTokenValidatorClient and JwtAccessTokenValidator from CXF, but it always results in the following error: "javax.ws.rs.NotAuthorizedException: HTTP 401 Unauthorized".


#2

To add to this - if I test using Postman, it just works fine.

POST https://xxxxxxx-1.auth0.com/userinfo

Bearer

But when validated using CXF JaxRs, it fails with the following error.

[2018-07-16 22:13:36.820 ] [DEBUG ] [35m6848 ] [— ] [[nio-8080-exec-1] ] [36mo.a.cxf.phase.PhaseInterceptorChain ] [: ] Invoking handleMessage on interceptor org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor@35de3571
[2018-07-16 22:13:36.821 ] [DEBUG ] [35m6848 ] [— ] [[nio-8080-exec-1] ] [36morg.apache.cxf.transport.http.Headers ] [: ] Accept: application/json
[2018-07-16 22:13:36.821 ] [DEBUG ] [35m6848 ] [— ] [[nio-8080-exec-1] ] [36morg.apache.cxf.transport.http.Headers ] [: ] Content-Type: application/x-www-form-urlencoded
[2018-07-16 22:13:36.821 ] [DEBUG ] [35m6848 ] [— ] [[nio-8080-exec-1] ] [36mo.apache.cxf.transport.http.HTTPConduit ] [: ] No Trust Decider for Conduit ‘{https://xxxxxx-1.auth0.com/userinfo}WebClient.http-conduit’. An affirmative Trust Decision is assumed.
[2018-07-16 22:13:37.345 ] [DEBUG ] [35m6848 ] [— ] [[nio-8080-exec-1] ] [36mo.apache.cxf.transport.http.HTTPConduit ] [: ] Sending POST Message with Headers to https://xxxxxx-1.auth0.com/userinfo Conduit :{https://xxxxxxx-1.auth0.com/userinfo}WebClient.http-conduit

[2018-07-16 22:13:37.454 ] [DEBUG ] [35m6848 ] [— ] [[nio-8080-exec-1] ] [36mo.a.cxf.phase.PhaseInterceptorChain ] [: ] Adding interceptor org.apache.cxf.jaxrs.client.WebClient$ClientAsyncResponseInterceptor@42a5d7e5 to phase unmarshal
[2018-07-16 22:13:37.455 ] [DEBUG ] [35m6848 ] [— ] [[nio-8080-exec-1] ] [36mo.a.cxf.phase.PhaseInterceptorChain ] [: ] Adding interceptor org.apache.cxf.jaxrs.client.spec.ClientResponseFilterInterceptor@4bc75c82 to phase pre-protocol-frontend
[2018-07-16 22:13:37.455 ] [DEBUG ] [35m6848 ] [— ] [[nio-8080-exec-1] ] [36mo.a.cxf.phase.PhaseInterceptorChain ] [: ] Chain org.apache.cxf.phase.PhaseInterceptorChain@2731a0e0 was created. Current flow:
pre-protocol-frontend [ClientResponseFilterInterceptor]
unmarshal [ClientAsyncResponseInterceptor]

[2018-07-16 22:13:37.456 ] [DEBUG ] [35m6848 ] [— ] [[nio-8080-exec-1] ] [36mo.a.cxf.phase.PhaseInterceptorChain ] [: ] Invoking handleMessage on interceptor org.apache.cxf.jaxrs.client.spec.ClientResponseFilterInterceptor@4bc75c82
[2018-07-16 22:13:37.456 ] [DEBUG ] [35m6848 ] [— ] [[nio-8080-exec-1] ] [36mo.a.cxf.phase.PhaseInterceptorChain ] [: ] Invoking handleMessage on interceptor org.apache.cxf.jaxrs.client.WebClient$ClientAsyncResponseInterceptor@42a5d7e5
[2018-07-16 22:13:37.483 ] [33m WARN ] [35m6848 ] [— ] [[nio-8080-exec-1] ] [36mo.a.c.j.i.WebApplicationExceptionMapper ] [: ] javax.ws.rs.NotAuthorizedException: HTTP 401 Unauthorized
at org.apache.cxf.jaxrs.utils.SpecExceptions.toNotAuthorizedException(SpecExceptions.java:94)
at org.apache.cxf.jaxrs.utils.ExceptionUtils.toNotAuthorizedException(ExceptionUtils.java:135)
at org.apache.cxf.rs.security.oauth2.utils.AuthorizationUtils.throwAuthorizationFailure(AuthorizationUtils.java:121)
at org.apache.cxf.rs.security.oauth2.utils.AuthorizationUtils.throwAuthorizationFailure(AuthorizationUtils.java:93)
at org.apache.cxf.rs.security.oauth2.services.AbstractAccessTokenValidator.getAccessTokenValidation(AbstractAccessTokenValidator.java:117)
at org.apache.cxf.rs.security.oauth2.filters.OAuthRequestFilter.validateRequest(OAuthRequestFilter.java:106)
at org.apache.cxf.rs.security.oauth2.filters.OAuthRequestFilter.filter(OAuthRequestFilter.java:87)
at org.apache.cxf.jaxrs.utils.JAXRSUtils.runContainerRequestFilters(JAXRSUtils.java:1657)
at org.apache.cxf.jaxrs.interceptor.JAXRSInInterceptor.processRequest(JAXRSInInterceptor.java:109)
at org.apache.cxf.jaxrs.interceptor.JAXRSInInterceptor.handleMessage(JAXRSInInterceptor.java:78)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)