
I have a REST API written with JAX-RS, and I need to add authentication to it. So far all the information I've been able to find about it suggests doing it via Spring, which I'm not using. Is there something that already exists, or would it be easy to write something, that will let me annotate either a method or the entire class and force auth headers to be present?

I'm using Tomcat 6 and Jersey, if that matters.

Something like:

@Path("api")
public class Api {
    @GET
    @AuthenticationRequired
    public Response getInfo(...) {...}
}
Daenyth

2 Answers

6

I think you want import javax.annotation.security.RolesAllowed;

The annotation itself looks like this

import javax.annotation.security.RolesAllowed;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;

@Path("/helloworld")
@RolesAllowed({"ADMIN", "ORG1"})   // class-wide default: either role may reach this resource
public class HelloWorld {

    @GET
    @Path("sayHello")
    @Produces("text/plain")
    @RolesAllowed("ADMIN")         // a method-level annotation overrides the class default
    public String sayHello() {
        return "Hello World!";
    }
}
derdc
  • Reference: http://docs.oracle.com/cd/E24329_01/web.1211/e24983/secure.htm#BABGBJAC – derdc Mar 13 '12 at 19:25
  • How do I define what the roles are and how they provide authentication? – Daenyth Mar 13 '12 at 19:25
  • That's specific to the application. Refer here for another Spring-less approach, defining them in web.xml: http://docs.oracle.com/javaee/5/tutorial/doc/bncav.html – derdc Mar 13 '12 at 19:27
  • Thanks, I think the docs from your first comment should get me there. I guess I'm still not quite clear though - what do you mean by saying it's specific to the application? I don't know how to define them for the application. I see a @DeclareRoles annotation in the doc you linked, but I don't see how to tell it how the roles authenticate. Is that done in the web.xml file? – Daenyth Mar 13 '12 at 19:31
  • So are you not presently implementing role-based security? Or do you have roles defined and just need to secure your RESTful URLs by the roles you already have? – derdc Mar 13 '12 at 19:35
  • Currently there's nothing at all relating to roles, or any security. I don't have any specific method in mind, just whatever will be reasonably secure and not too heavy to implement. – Daenyth Mar 13 '12 at 19:38
  • let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/8837/discussion-between-derdc-and-daenyth) – derdc Mar 13 '12 at 19:41
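A worked example added by the editor, not code from the question or from either answer, that joins the two threads above: a JAX-RS DynamicFeature which enforces the question's @AuthenticationRequired marker and the answer's JSR-250 @RolesAllowed annotation from HTTP Basic credentials, so the comment thread's open question (where the roles come from) is answered in code. It assumes Java 8 and a JAX-RS 2.0 runtime such as Jersey 2 (newer than the Jersey 1.x the asker most likely had on Tomcat 6); the user table, the passwords, and the class and method names are constructed for the example.

```java
// Added example: not code from the question or the answers. Assumes Java 8 and a
// JAX-RS 2.0 runtime (e.g. Jersey 2); the user table below is constructed for the example.
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.*;
import javax.annotation.Priority;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.*;
import javax.ws.rs.core.*;
import javax.ws.rs.ext.Provider;

/** The marker annotation from the question: any authenticated user may call. */
@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.TYPE, ElementType.METHOD})
@interface AuthenticationRequired {}

/** Attaches a Basic-auth filter to every resource method that carries either annotation. */
@Provider
public class BasicAuthFeature implements DynamicFeature {

    // Constructed sample users; a real service keeps salted hashes in a realm or database.
    static final Map<String, String> PASSWORDS = new HashMap<String, String>();
    static final Map<String, Set<String>> ROLES = new HashMap<String, Set<String>>();
    static {
        PASSWORDS.put("alice", "correct horse");
        ROLES.put("alice", new HashSet<String>(Arrays.asList("ADMIN", "ORG1")));
        PASSWORDS.put("bob", "battery staple");
        ROLES.put("bob", Collections.singleton("ORG1"));
    }

    @Override
    public void configure(ResourceInfo info, FeatureContext context) {
        Method method = info.getResourceMethod();
        Class<?> resource = info.getResourceClass();
        // A method-level @RolesAllowed overrides the class-level one, as in the answer's code.
        RolesAllowed roles = method.getAnnotation(RolesAllowed.class);
        if (roles == null) roles = resource.getAnnotation(RolesAllowed.class);
        if (roles != null) {
            context.register(new BasicAuthFilter(new HashSet<String>(Arrays.asList(roles.value()))));
        } else if (method.isAnnotationPresent(AuthenticationRequired.class)
                || resource.isAnnotationPresent(AuthenticationRequired.class)) {
            context.register(new BasicAuthFilter(null)); // authenticated, any role
        }
        // Methods with neither annotation stay anonymous.
    }

    @Priority(Priorities.AUTHENTICATION)
    static final class BasicAuthFilter implements ContainerRequestFilter {
        private final Set<String> requiredRoles; // null: any authenticated user

        BasicAuthFilter(Set<String> requiredRoles) { this.requiredRoles = requiredRoles; }

        @Override
        public void filter(ContainerRequestContext ctx) {
            final String user = authenticate(ctx.getHeaderString(HttpHeaders.AUTHORIZATION));
            if (user == null) {
                // 401 with a challenge; the response does not say whether user or password was wrong.
                ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                        .header(HttpHeaders.WWW_AUTHENTICATE, "Basic realm=\"api\"").build());
                return;
            }
            final boolean secure = ctx.getSecurityContext() != null && ctx.getSecurityContext().isSecure();
            ctx.setSecurityContext(new SecurityContext() {
                public Principal getUserPrincipal() {
                    return new Principal() { public String getName() { return user; } };
                }
                public boolean isUserInRole(String role) { return ROLES.get(user).contains(role); }
                public boolean isSecure() { return secure; }
                public String getAuthenticationScheme() { return SecurityContext.BASIC_AUTH; }
            });
            if (requiredRoles != null && Collections.disjoint(requiredRoles, ROLES.get(user))) {
                ctx.abortWith(Response.status(Response.Status.FORBIDDEN).build()); // authenticated, not authorised
            }
        }
    }

    /** Returns the user name for a valid "Basic base64(user:password)" header, otherwise null. */
    static String authenticate(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(header.substring(6).trim()), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException badBase64) {
            return null;
        }
        int colon = decoded.indexOf(':');
        if (colon < 0) return null;
        String user = decoded.substring(0, colon);
        byte[] given = decoded.substring(colon + 1).getBytes(StandardCharsets.UTF_8);
        String expected = PASSWORDS.get(user);
        // Constant-time compare so timing does not reveal how much of the password matched;
        // an unknown user is compared against a dummy so the miss is not faster than a hit.
        byte[] expectedBytes = (expected == null ? "no-such-user" : expected).getBytes(StandardCharsets.UTF_8);
        boolean match = MessageDigest.isEqual(expectedBytes, given);
        return (expected != null && match) ? user : null;
    }
}
```

Register the feature in your Application or ResourceConfig (or let Jersey's package scanning pick it up through @Provider); the question's Api class and the answer's HelloWorld class then work unchanged. Basic auth sends the password on every request, so terminate TLS in front of the service and have resources refuse when isSecure() is false. If you would rather let the container authenticate, as the second answer suggests, Jersey ships an equivalent that only does the role check (RolesAllowedDynamicFeature in Jersey 2, RolesAllowedResourceFilterFactory in Jersey 1.x); it relies on SecurityContext.isUserInRole, which Tomcat populates from the realm you declare with login-config and security-role in web.xml. That is the piece the comment thread above was missing.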
3

I would manage security at the container level. Here's a good writeup if you happen to be using Apache CXF:

http://cxf.apache.org/docs/secure-jax-rs-services.html

And here's an example for Glassfish:

http://www.butonic.de/2010/06/18/a-simple-jax-rs-security-context-example-in-glassfish/

Here's one more link, which discusses JSR 250 annotations (e.g. @RolesAllowed):

http://www-01.ibm.com/support/knowledgecenter/SSEQTP_8.5.5/com.ibm.websphere.base.doc/ae/twbs_jaxrs_impl_securejaxrs_annotations.html

paulsm4
  • Last link looks dead. Seems to be a link farm. – Patrick M Jun 22 '15 at 17:59
  • @Patrick M - You're right: it looks like "ericonjava" let his domain registration lapse. Thank you for the "heads up". – paulsm4 Jun 22 '15 at 20:05
  • Here's a [wayback link](https://web.archive.org/web/20110318205916/http://www.ericonjava.com/?p=325) to the article. Looks legit. Unfortunately, my service is using Dropwizard, so that's Jersey on Jetty instead of Tomcat. Anyways, have a +1. – Patrick M Jun 23 '15 at 18:13