
I use WildFly 16 and am doing some experiment on Java EE 8 Security API. I have a JAX-RS endpoint like this (with some definition in web.xml, jboss-web.xml):

```java
import javax.annotation.security.RolesAllowed;
import javax.inject.Inject;
import javax.security.enterprise.SecurityContext;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

@Path("/secured")
public class SecuredResource {

    // Java EE 8 Security API context (javax.security.enterprise), injected via CDI
    @Inject
    private SecurityContext securityContext;

    @GET
    @Path("/greet")
    @RolesAllowed({"USER"})   // only callers in the USER role should reach this method
    @Produces(MediaType.TEXT_PLAIN)
    public Response greet() {
        return Response.ok().entity("Hello " + securityContext.getCallerPrincipal().getName()).build();
    }
}
```

As I expected, requests which don't have the "USER" role don't reach the code there, but those requests get HTTP responses with the code 200. I want to return "401 Unauthorized" for those requests, not 200.

According to some document of RESTEasy, it's supposed to behave like that:

> How does Resteasy do authorization? Well, it's really simple. It just sees if a method is annotated with @RolesAllowed and then just does HttpServletRequest.isUserInRole. If one of the @RolesAllowed passes, then allow the request, otherwise, a response is sent back with a 401 (Unauthorized) response code.

But it's not like that in my case. How can I make it work that way?

This is the whole project of my experimental implementation. It also has a test case which shows my expectation. It can be run with `./mvnw clean verify`.

Kohei Nozaki
  • Did you 1) configure the required `context-param`? 2) configure the required `security-constraints` and `security-roles`? These are _both_ required according to the docs you linked to. – Paul Samsotha May 26 '19 at 17:01
  • Yes https://github.com/nuzayats/ee8security/blob/use_role/src/main/webapp/WEB-INF/web.xml – Kohei Nozaki May 26 '19 at 20:54
  • Look at the complete example web.xml from your link. It has a ``. I believe this is what actually sets up the _authentication_. It says to use Basic Authentication and also declares the realm to use. You will have to configure the realm with your server. – Paul Samsotha May 26 '19 at 23:38
  • I knew that, but in my understanding, in Java EE 8 Security API, realms are not mandatory and roles are [handled here with HttpAuthenticationMechanism](https://github.com/nuzayats/ee8security/blob/use_role/src/main/java/ee8security/JwtHttpAuthenticationMechanism.java). Am I doing something wrong? – Kohei Nozaki May 27 '19 at 03:16
  • I'm just going off what the docs you linked to says. It does mention there are some quirks with their approach. Not sure what those quirks are. – Paul Samsotha May 27 '19 at 04:28
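The observed behaviour (a request that fails the role check never reaches the method, yet the client sees 200) is a fail-open symptom: whatever is stopping the call is not turning the denial into an HTTP error. One way to make the denial explicit and independent of RESTEasy's own `@RolesAllowed` handling (which its docs tie to the `resteasy.role.based.security` context-param and the `security-constraint` setup discussed in the comments) is a JAX-RS `ContainerRequestFilter` that reads the annotation itself and aborts the request. The code below is an added example, not part of the question or the linked project; it assumes the filter runs in a CDI-enabled JAX-RS deployment such as WildFly, so that the Java EE 8 Security API `SecurityContext` can be injected into it, and the `Bearer` challenge realm string is a constructed placeholder.

```java
import java.lang.reflect.Method;
import java.util.Arrays;
import javax.annotation.Priority;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.inject.Inject;
import javax.security.enterprise.SecurityContext;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.ResourceInfo;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

/**
 * Enforces @RolesAllowed / @PermitAll / @DenyAll on JAX-RS resource methods
 * using the Java EE 8 Security API SecurityContext, and fails closed:
 * an unauthenticated caller gets 401, an authenticated caller without the
 * role gets 403. (Example filter, not from the question's project.)
 */
@Provider
@Priority(Priorities.AUTHORIZATION)   // runs after authentication filters
public class RolesAllowedFilter implements ContainerRequestFilter {

    @Context
    private ResourceInfo resourceInfo;

    // Assumption: CDI injection into JAX-RS providers works in this container
    @Inject
    private SecurityContext securityContext;

    @Override
    public void filter(ContainerRequestContext ctx) {
        Method method = resourceInfo.getResourceMethod();
        if (method == null) {
            return; // not a resource method invocation (e.g. 404 path); nothing to enforce
        }

        if (method.isAnnotationPresent(DenyAll.class)) {
            ctx.abortWith(Response.status(Response.Status.FORBIDDEN).build());
            return;
        }
        if (method.isAnnotationPresent(PermitAll.class)) {
            return;
        }

        // Method-level annotation wins; fall back to the class-level one
        RolesAllowed rolesAllowed = method.getAnnotation(RolesAllowed.class);
        if (rolesAllowed == null) {
            rolesAllowed = method.getDeclaringClass().getAnnotation(RolesAllowed.class);
        }
        if (rolesAllowed == null) {
            return; // no constraint declared for this method
        }

        if (securityContext.getCallerPrincipal() == null) {
            // Nobody authenticated: 401 plus a challenge header (realm value is a placeholder)
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                    .header(HttpHeaders.WWW_AUTHENTICATE, "Bearer realm=\"example\"")
                    .build());
            return;
        }

        boolean allowed = Arrays.stream(rolesAllowed.value())
                .anyMatch(securityContext::isCallerInRole);
        if (!allowed) {
            // Authenticated but lacking every listed role: 403, never a silent 200
            ctx.abortWith(Response.status(Response.Status.FORBIDDEN).build());
        }
    }
}
```

The filter distinguishes 401 (no caller identity) from 403 (identity present, role missing), which is the HTTP meaning of the two codes; the RESTEasy text quoted in the question collapses both to 401, and doing the same here is a one-line change in the last branch. Registering the filter as a `@Provider` gives a deny decision that is visible in the response and in access logs regardless of whether the container's declarative checks were wired up, so a misconfigured `security-constraint` no longer degrades to a 200.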

0 Answers