I am trying to secure my REST API with BASIC authentication. I am doing this by defining roles within my web.xml and tomcat-users.xml like so:
web.xml
<servlet-mapping>
    <servlet-name>Jersey REST Service</servlet-name>
    <url-pattern>/rest/*</url-pattern>
</servlet-mapping>
<security-constraint>
    <display-name>Secure REST Area</display-name>
    <web-resource-collection>
        <web-resource-name>Secure REST</web-resource-name>
        <url-pattern>/rest/api/</url-pattern>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>
<security-role>
    <role-name>admin</role-name>
</security-role>
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>UserDatabaseRealm</realm-name>
</login-config>
tomcat-users.xml
<role rolename="admin"/>
<role rolename="user"/>
<user username="admin" password="admin" roles="manager,admin,manager-gui"/>
<user username="user" password="user" roles="user"/>
The POST request that I am securing is annotated as follows:
@POST
@Path("/validate")
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
@RolesAllowed("admin")
public Response postRequest(Data inputData) throws FileIOException {
.
.
.
}
The request is secured, and I get an HTTP Status 401 – Unauthorized when I attempt to hit it, but after adding the BASIC auth header with the 'admin'/'admin' username/password, I am still seeing the unauthorised message.
In Postman:
Is the role not configured correctly? Or am I attempting to add the Basic Auth header incorrectly?
Thanks for any help.
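Added example, not part of the question above: a web.xml security-constraint written so the container check covers the whole REST URL space rather than one exact path and one method. The role name, realm and display names are taken from the question; the `/rest/*` prefix is an assumption about where the Jersey resources are mounted.

```xml
<!-- Added example (not the question's own web.xml). In the Servlet spec a
     pattern that neither ends in /* nor starts with *. is an EXACT match, so
     /rest/api/ would only ever match the request path /rest/api/ itself. -->
<security-constraint>
    <display-name>Secure REST Area</display-name>
    <web-resource-collection>
        <web-resource-name>Secure REST</web-resource-name>
        <!-- prefix pattern (assumed mount point): every path under /rest/ -->
        <url-pattern>/rest/*</url-pattern>
        <!-- No <http-method> element: the constraint applies to all methods.
             Listing only POST leaves GET, PUT, DELETE and the rest uncovered,
             i.e. reachable without any credentials. -->
    </web-resource-collection>
    <auth-constraint>
        <role-name>admin</role-name>
    </auth-constraint>
    <!-- BASIC sends the credentials base64-encoded on every request, so
         require TLS for this URL space (Tomcat redirects HTTP to HTTPS). -->
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<!-- Servlet 3.1+: only matters when a constraint does list <http-method>
     elements; it makes the container reject the unlisted methods instead of
     silently allowing them. -->
<deny-uncovered-http-methods/>

<security-role>
    <role-name>admin</role-name>
</security-role>

<login-config>
    <auth-method>BASIC</auth-method>
    <!-- realm-name is only the text shown in the WWW-Authenticate challenge;
         it does not select which Tomcat Realm performs the lookup. -->
    <realm-name>UserDatabaseRealm</realm-name>
</login-config>
```

This is the container-side check only: in Jersey 2 the `@RolesAllowed` annotation on the resource method is enforced only once `RolesAllowedDynamicFeature` is registered with the application, otherwise the security-constraint above is the only thing standing in front of the endpoint.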