I am registering a Servlet in an OSGi bundle using the HttpService. I have created my own HttpContext class which handles the security - BasicAuthentication and a check against Active Directory.
```java
import java.io.IOException;
import java.net.URL;
import java.util.Dictionary;
import java.util.Hashtable;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.osgi.service.http.HttpContext;

Dictionary<String, String> params = new Hashtable<String, String>();
params.put("jersey.config.server.provider.classnames", SettingsService.class.getName());

HttpContext ctx = new HttpContext()
{
    @Override
    public boolean handleSecurity(HttpServletRequest request, HttpServletResponse response) throws IOException
    {
        // validation against Active Directory here
        return ADAuth.authenticate(request, response);
    }

    @Override
    public URL getResource(String name)
    {
        return null;
    }

    @Override
    public String getMimeType(String name)
    {
        return null;
    }
};

httpService.registerServlet("/rest", new MyServlet(), params, ctx); //$NON-NLS-1$
httpService.registerResources("/web", "/web", null);
```
So far so good. I would now like to set roles for the logged-in user so that I can use the @RolesAllowed annotation. The roles will depend on Active Directory groups.

How do I set the roles? I have tried setting roles using

```java
HttpSession session = request.getSession(true);
Subject subject = (Subject) session.getAttribute("javax.security.auth.subject");
if (subject == null) {
    subject = new Subject();
    subject.getPrincipals().add(new PlainRolePrincipal(groupName));
    session.setAttribute("javax.security.auth.subject", subject);
}
```

but request.isUserInRole always returns false.
Update
When I step into request.isUserInRole I eventually get to this code:

```java
if (_authentication instanceof Authentication.Deferred)
    setAuthentication(((Authentication.Deferred)_authentication).authenticate(this));
if (_authentication instanceof Authentication.User)
    return ((Authentication.User)_authentication).isUserInRole(_scope,role);
return false;
```

The _authentication value is null. When / where should this be set?
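One way to answer the role question without depending on Jetty's internal `_authentication` field, as an added example that is not part of the original question or of any project's code: the HttpContext publishes the authenticated user name and the roles derived from their Active Directory groups as request attributes, and an HttpServletRequestWrapper turns those into isUserInRole() answers, which is what Jersey's @RolesAllowed support consults through the servlet SecurityContext. The attribute name `example.auth.roles`, the group-to-role table and the sample group DNs are assumptions made for this example; `HttpContext.REMOTE_USER` and `HttpContext.AUTHENTICATION_TYPE` are the OSGi Http Service's own request attributes.

```java
import java.security.Principal;
import java.util.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import org.osgi.service.http.HttpContext;

/** Request wrapper that answers isUserInRole() from roles published by handleSecurity(). */
public final class RoleAwareRequest extends HttpServletRequestWrapper {
    // Attribute name chosen for this example; only the HttpContext constants below are from the OSGi API.
    public static final String ROLES_ATTR = "example.auth.roles";
    // Active Directory group -> application role (sample DNs; in practice loaded from configuration).
    private static final Map<String, String> GROUP_TO_ROLE = new HashMap<>();
    static {
        GROUP_TO_ROLE.put("CN=App-Admins,OU=Groups,DC=example,DC=com", "admin");
        GROUP_TO_ROLE.put("CN=App-Users,OU=Groups,DC=example,DC=com", "user");
    }
    private final String user;
    private final Set<String> roles;

    @SuppressWarnings("unchecked")
    public RoleAwareRequest(HttpServletRequest req) {
        super(req);
        Object u = req.getAttribute(HttpContext.REMOTE_USER);
        Object r = req.getAttribute(ROLES_ATTR);
        this.user = u instanceof String ? (String) u : null;
        this.roles = r instanceof Set ? new HashSet<>((Set<String>) r) : new HashSet<String>();
    }

    /** Call this from HttpContext.handleSecurity() once ADAuth has authenticated the caller. */
    public static void publishRoles(HttpServletRequest req, String user, Collection<String> adGroups) {
        Set<String> roles = new HashSet<>();
        for (String group : adGroups) {
            String role = GROUP_TO_ROLE.get(group);
            if (role != null) roles.add(role);          // unmapped groups grant nothing
        }
        // The Http Service spec expects these two attributes on a successfully authenticated request.
        req.setAttribute(HttpContext.AUTHENTICATION_TYPE, HttpServletRequest.BASIC_AUTH);
        req.setAttribute(HttpContext.REMOTE_USER, user);
        req.setAttribute(ROLES_ATTR, roles);
    }

    @Override public String getRemoteUser() { return user; }
    @Override public Principal getUserPrincipal() { return user == null ? null : () -> user; }
    @Override public boolean isUserInRole(String role) {
        return user != null && roles.contains(role);    // anonymous callers are in no role
    }
}
// In MyServlet (if it extends Jersey's ServletContainer) override service(HttpServletRequest, HttpServletResponse)
// and call super.service(new RoleAwareRequest(req), resp); @RolesAllowed then sees the wrapped isUserInRole().
```

Because roles are attached to the request rather than to the HttpSession, a caller who fails Basic authentication on a later request does not keep roles from an earlier one.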