I want to build RESTful web services using JAX-RS (Jersey + Jackson, Jackson for production of JSON).

I'm using Glassfish 4.0 as the server and NetBeans as the IDE.

The web services are working fine, but at the moment I don't have any authentication.

So now I'm thinking about digest authentication, which hashes the password, so that you never need to transmit the password in plain text. Additionally I want to use HTTPS, so that the data is encrypted.

I understood the theory. But I have no idea how I can do this in NetBeans with Glassfish.

I saw some tutorials doing something in the admin console of Glassfish. But isn't there a way to do it just in NetBeans? Can't I define a realm in NetBeans which will be created when I deploy the application?

After creating the realm and so on, I think I need to inject some kind of authenticated "user" object into all my resources (web services). But I never did this before, and I'm looking for a good tutorial which describes how I can set up the digest authentication and the injection through NetBeans, so that I can understand it well.

Laokoon

1 Answer

Note: My answer does not cover the part of question related to using Netbeans to configure container authentication.

I understand that you need to implement only server side (you do not need a client part).

On the server there are two parts you need to solve: authentication and authorization.

Authentication

If you decide to use HTTP Basic Authentication, HTTP Digest Authentication or client certificate authentication, you will need to let Glassfish perform the authentication. If you would like to use SSL for transport, I would rather use HTTP Basic authentication. Passwords are sent in clear text form, but the communication is encrypted. The advantage is that this authentication is easier to implement for clients. To define HTTP Basic Authentication you can use the web.xml of your application and define "security-constraint" and "login-config" tags. For example:

<!-- Require an authenticated caller in one of the listed roles for everything under /rest/ -->
<security-constraint>
    <web-resource-collection>
        <!-- web-resource-name is mandatory in the web.xml schema -->
        <web-resource-name>REST API</web-resource-name>
        <url-pattern>/rest/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>customer</role-name>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>
<!-- The container performs HTTP Basic authentication against the named realm -->
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>my-defaul-realm</realm-name>
</login-config>
<!-- Roles referenced in the auth-constraint must be declared -->
<security-role><role-name>customer</role-name></security-role>
<security-role><role-name>admin</role-name></security-role>

This is not a Glassfish-specific solution; it will work on other application servers too. The container will perform authentication, and this information will be accessible in your JAX-RS application in javax.ws.rs.core.SecurityContext.

Authorization

You can now use SecurityContext to extract the user Principal, check the user role, etc. Additionally, Jersey provides a feature to use the annotations @RolesAllowed("...") and @PermitAll to define access to resources (the annotations are from the javax.annotation.security package). You need to register RolesAllowedDynamicFeature with Jersey in order to enable processing of these annotations. You can, for example, define the following resource method:

// Processed by RolesAllowedDynamicFeature: callers not in the "admin" role receive 403 Forbidden
@RolesAllowed("admin")
@GET
public String get() {
    return "admin private resource";
}

This means that only a user with the role "admin" will be able to execute the get() method.

You can check the Jersey documentation for more details (security chapter): https://jersey.java.net/documentation/latest/security.html

Miroslav Fuksa
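As an added example (not code from the answer or from Jersey's own documentation), here is how the two pieces of the answer fit together in a Jersey 2 application on Glassfish 4: an Application subclass that registers RolesAllowedDynamicFeature, and a resource that reads the container-populated SecurityContext. The resource paths and JSON field names are assumptions; the two classes are shown in one listing but each belongs in its own file.

```java
import java.security.Principal;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.ApplicationPath;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.SecurityContext;
import org.glassfish.jersey.server.ResourceConfig;
import org.glassfish.jersey.server.filter.RolesAllowedDynamicFeature;

// Servlet path "rest" lies under the web.xml url-pattern /rest/*, so the container
// has already authenticated the caller before any resource method runs.
@ApplicationPath("rest")
public class RestApplication extends ResourceConfig {
    public RestApplication() {
        register(AccountResource.class);            // assumed resource class (below)
        register(RolesAllowedDynamicFeature.class); // enables @RolesAllowed / @PermitAll checks
    }
}

@Path("account")
@Produces(MediaType.APPLICATION_JSON)
public class AccountResource {
    // Per-request SecurityContext, populated from the container's authentication result.
    @Context
    private SecurityContext securityContext;

    // Any user the container let through (customer or admin) may ask who they are.
    @PermitAll
    @GET
    @Path("me")
    public String me() {
        Principal user = securityContext.getUserPrincipal();
        String name = (user == null) ? "anonymous" : user.getName();
        return "{\"user\":\"" + name + "\",\"admin\":" + securityContext.isUserInRole("admin")
                + ",\"secure\":" + securityContext.isSecure() + "}";
    }

    // Only the "admin" role; RolesAllowedDynamicFeature answers 403 Forbidden to everyone else.
    @RolesAllowed("admin")
    @GET
    @Path("audit")
    public String audit() {
        return "{\"status\":\"admin only\"}";
    }
}
```

With the web.xml from the answer deployed, GET /rest/account/me reports the authenticated principal and whether the request arrived over TLS, while GET /rest/account/audit is rejected for a "customer" before the method body runs.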