  • There are two web applications deployed on a GlassFish server.
  • Both web applications provide a REST web service.
  • The access to both web services is secured via GlassFish security constraints (at the moment BASIC Auth and file-realm).

Let's say a user is accessing the service of web application A. After he is authorized, service A wants to call service B via REST client.

Is there a way for a service to impersonate a user that is already authorized to the GlassFish server? Maybe something like forwarding the security context or editing the headers? Is there another Filter?

import javax.ws.rs.core.Context;
import javax.ws.rs.core.SecurityContext;
import com.sun.jersey.api.client.Client;
import com.sun.jersey.api.client.filter.HTTPBasicAuthFilter;

@Context
private SecurityContext securityContext;

// The container's SecurityContext exposes the authenticated principal's name ...
String username = securityContext.getUserPrincipal().getName();
// ... but not the password that was presented to the file realm
String password = ???;

Client client = Client.create();
client.addFilter(new HTTPBasicAuthFilter(username, password));

Thanks!

Matthias

1 Answer


It will depend on the authentication scheme, but in some cases you could consider extracting the Authorization header received by Service A and passing it to Service B. That would work with basic authentication.

You should be able to use @HeaderParam to do that, like in the following snippet:

import javax.ws.rs.GET;
import javax.ws.rs.HeaderParam;
import javax.ws.rs.Path;

@GET
@Path("/resourceA")
public void doSomething(@HeaderParam("Authorization") String authorization) {
  // now I can call resourceB and use 'authorization'
}
Olivier Liechti
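One way to wire the answer's idea into a complete Jersey 1.x resource, as an added example that is not code from the question or the answer: the `ResourceA` class, the `SERVICE_B_URL` value and the check that only a `Basic` header is relayed are assumptions made here.

```java
import javax.ws.rs.GET;
import javax.ws.rs.HeaderParam;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;

import com.sun.jersey.api.client.Client;
import com.sun.jersey.api.client.ClientResponse;
import com.sun.jersey.api.client.WebResource;

@Path("/resourceA")
public class ResourceA {

    // Assumed location of service B; in a real deployment read it from configuration
    // and keep it https so the relayed Basic credential is not sent in the clear.
    private static final String SERVICE_B_URL = "https://localhost:8181/serviceB/rest/resourceB";

    private final Client client = Client.create();

    @GET
    @Produces("text/plain")
    public Response doSomething(@HeaderParam(HttpHeaders.AUTHORIZATION) String authorization) {
        // GlassFish has already enforced the security constraint for resource A, so the
        // caller is authenticated. Relay the header only when it is the Basic scheme this
        // approach was designed for; any other scheme is rejected instead of forwarded.
        if (authorization == null || !authorization.regionMatches(true, 0, "Basic ", 0, 6)) {
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }

        WebResource resourceB = client.resource(SERVICE_B_URL);
        ClientResponse responseB = resourceB
                .header(HttpHeaders.AUTHORIZATION, authorization) // same header, same realm on B
                .accept("text/plain")
                .get(ClientResponse.class);

        // Service B applies its own constraints: the user may be authenticated on A
        // but lack the role B requires, so propagate B's status rather than masking it.
        if (responseB.getStatus() != 200) {
            // Never log 'authorization' here: it carries the user's cleartext password.
            return Response.status(responseB.getStatus()).build();
        }
        String body = responseB.getEntity(String.class);
        return Response.ok("B said: " + body).build();
    }
}
```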