JAX-RS and custom authorization

Question

I'm trying to secure the JAX-RS endpoint and am currently trying to figure out how the authentication and authorization work. Most examples are quite simple as they only piggyback from Java EE App-Server role via web.xml.

I'm wondering how to use something else than the Java EE AS roles. For example: I'd like to use session or some sort of token (or some sort of identifier).

Answer 1

It all depends upon the JAX-RS implementation you're using. I'm using Jersey on embedded Jetty .

SecurityHandler sh = new SecurityHandler();

// the UserRealm is the collection of users, and a mechanism to determine if
// provided credentials are valid
sh.setUserRealm(new MyUserRealm());

// the Authenticator is a strategy for extracting authentication credentials
// from the request. BasicAuthenticator uses HTTP Basic Auth
sh.setAuthenticator(new BasicAuthenticator());

See How to Configure Security with Embedded Jetty

Once you have the Principal in the HttpServletRequest , you can inject these into the context of the JAX-RS request.

public abstract class AbstractResource {
    private Principal principal;
    @Context
    public void setSecurityContext(SecurityContext context) {
        principal = context.getUserPrincipal();
    }
    protected Principal getPrincipal() {
        return principal;
    }
}

@Path("/some/path")
public class MyResource extends AbstractResource {
    @GET
    public Object get() {
        Principal user = this.getPrincipal();
        // etc
    }
}

Answer 2

Disclaimer: Don't role your own security framework unless you really, really, really, need one.

Look at what the OAuth filter in Jersey does. It reads the Authorization header which holds credentials in a different format than those normally understood (HTTP Basic). It'll turn those credentials into roles which you can then use to implement security (@RolesAllowed) if you add in the Roles Allowed Filter which does the actually enforcement. Try looking at how those filters work.