user2743750

Reputation: 29

How to add security in Java RESTful web services

I am a RESTful web service provider. My services are used by some other third parties, so I have decided to add security to my services. When I was googling I found that some of the sites are providing role-based access, i.e., authentication and authorization, other than JAAS. Is there any alternative?

Upvotes: 1

Views: 3678

Answers (1)

Daksh Shah

Reputation: 3113

You can secure your RESTful Web services using one of the following methods to support authentication, authorization, or encryption:

Securing RESTful Web Services Using web.xml

You secure RESTful Web services using the web.xml deployment descriptor as you would for other Java EE Web applications. For complete details, see "Developing Secure Web Applications" in Programming Security for Oracle WebLogic Server.

For example, to secure your RESTful Web service using basic authentication, perform the following steps:

  1. Define a <security-constraint> for each set of RESTful resources (URIs) that you plan to protect.

  2. Use the <login-config> element to define the type of authentication you want to use and the security realm to which the security constraints will be applied.

  3. Define one or more security roles using the <security-role> tag and map them to the security constraints defined in step 1. For more information, see "security-role" in Programming Security for Oracle WebLogic Server.

  4. To enable encryption, add the <user-data-constraint> element and set the <transport-guarantee> subelement to CONFIDENTIAL. For more information, see "user-data-constraint" in Programming Security for Oracle WebLogic Server.

For more details:

Example 5-1 Securing RESTful Web Services Using Basic Authentication

<web-app>
    <servlet>
        <servlet-name>RestServlet</servlet-name>
        <servlet-class>com.sun.jersey.spi.container.servlet.ServletContainer</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>RestServlet</servlet-name>
        <url-pattern>/*</url-pattern>
    </servlet-mapping>
    <!-- Step 1: the protected resources (URIs and HTTP methods) -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Orders</web-resource-name>
            <url-pattern>/orders</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
        </auth-constraint>
    </security-constraint>
    <!-- Step 2: authentication method and realm -->
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>default</realm-name>
    </login-config>
    <!-- Step 3: the roles referenced by the constraints above -->
    <security-role>
        <role-name>admin</role-name>
    </security-role>
</web-app>

Securing RESTful Web Services Using SecurityContext

Example 5-2 Securing RESTful Web Service Using SecurityContext

package samples.helloworld;

import javax.ejb.Stateless;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.SecurityContext;

...

@Path("/stateless")
@Stateless(name = "JaxRSStatelessEJB")
public class StlsEJBApp {
    ...
    @GET
    @Produces("text/plain;charset=UTF-8")
    @Path("/hello")
    public String sayHello(@Context SecurityContext sc) {
        // The container has already authenticated the caller; only the role is checked here.
        if (sc.isUserInRole("admin")) return "Hello World!";
        throw new SecurityException("User is unauthorized.");
    }
}

Securing RESTful Web Services Using Annotations

Example 5-3 Securing RESTful Web Service Using Annotations

package samples.helloworld;

import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.annotation.security.RolesAllowed;

// Class-level roles apply to every method; a method-level annotation overrides them.
@Path("/helloworld")
@RolesAllowed({"ADMIN", "ORG1"})
public class HelloWorld {

    @GET
    @Path("sayHello")
    @Produces("text/plain")
    @RolesAllowed("ADMIN")
    public String sayHello() {
        return "Hello World!";
    }
}

Source

Upvotes: 3
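The @RolesAllowed annotations in Example 5-3 are not enforced by JAX-RS itself: a filter has to read them and consult the SecurityContext. The following is an added example (not from the answer above or from the Oracle documentation) of such a filter, written against the JAX-RS 2.0 API; it assumes the caller was authenticated by the container (for instance via the web.xml BASIC setup in Example 5-1), and it returns 401 for anonymous callers and 403 for authenticated callers in the wrong role instead of the 500 that an uncaught SecurityException would produce. Jersey 2 ships an equivalent, org.glassfish.jersey.server.filter.RolesAllowedDynamicFeature, which must be registered explicitly; the class name RolesAllowedFeature below is a hypothetical one.

```java
import javax.annotation.Priority;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.DynamicFeature;
import javax.ws.rs.container.ResourceInfo;
import javax.ws.rs.core.FeatureContext;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;

/** Binds a role-check filter to every resource method that carries @RolesAllowed (hypothetical name). */
@Provider
public class RolesAllowedFeature implements DynamicFeature {

    @Override
    public void configure(ResourceInfo info, FeatureContext ctx) {
        // JSR-250 rule: a method-level @RolesAllowed overrides the class-level one.
        RolesAllowed ra = info.getResourceMethod().getAnnotation(RolesAllowed.class);
        if (ra == null) {
            ra = info.getResourceClass().getAnnotation(RolesAllowed.class);
        }
        if (ra != null) {
            ctx.register(new RoleFilter(ra.value()));
        }
        // Unannotated methods get no filter here; web.xml constraints still apply first.
    }

    @Priority(Priorities.AUTHORIZATION)  // runs after the container has authenticated the caller
    static final class RoleFilter implements ContainerRequestFilter {
        private final String[] roles;
        RoleFilter(String[] roles) { this.roles = roles; }

        @Override
        public void filter(ContainerRequestContext req) {
            SecurityContext sc = req.getSecurityContext();
            if (sc.getUserPrincipal() == null) {        // anonymous caller: 401 plus a challenge
                req.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                        .header("WWW-Authenticate", "Basic realm=\"default\"").build());
                return;
            }
            for (String role : roles) {
                if (sc.isUserInRole(role)) return;      // authorized: let the request through
            }
            // Authenticated but in none of the allowed roles: 403, not a 500 from an exception.
            req.abortWith(Response.status(Response.Status.FORBIDDEN).build());
        }
    }
}
```

Because authorization happens before the resource method runs, the resource code stays free of role checks, and the web.xml transport-guarantee still ensures credentials only travel over TLS.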
