tcigler

Reputation: 126

Simple custom authenticator in JAX-RS

In a JAX-RS (or Jersey) REST service, I'm trying to make custom authentication for my users in the database. Currently I have a @GET-annotated method which should interact with the user, asking for credentials just like it is done in the Spring framework with an authentication provider - no custom login form, just plain HTTP login with the browser popup form.

Currently I can handle HTTP Basic Access Authentication provided in the header, but I need to ask for credentials interactively before accessing content and then make token-based authentication on this basis.

I have to keep the application lightweight, but I don't know how this "easy" task can be done.

Edit: I found something in the Wildfly configuration (I'm using the 9 Final version) but I don't know how to use it for login using a datasource.

Upvotes: 0

Views: 185

Answers (1)

sprockets

Reputation: 1019

If you can already handle HTTP Basic authentication, then you only need to get a "login form" from the browser? We solved this by implementing a javax.ws.rs.ext.ExceptionMapper and overriding toResponse(Throwable ex). Our app throws a NotAuthenticatedException which gets mapped to javax.ws.rs.core.Response.Status.UNAUTHORIZED. Then we add a response header appropriately:

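import static javax.ws.rs.core.Response.Status.UNAUTHORIZED;

import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.Response.ResponseBuilder;
import javax.ws.rs.ext.ExceptionMapper;
import javax.ws.rs.ext.Provider;

// Pair, ObjectMap, buildResponse() and unwrap() are application classes/helpers not shown here.
@Provider
public class RESTExMapper implements ExceptionMapper<Throwable>
{
    @Override
    public Response toResponse(Throwable ex)
    {
        // our application maps a not-logged-in exception to javax.ws.rs.core.Response.Status.UNAUTHORIZED in this Pair
        Pair<Integer, ObjectMap> ret = buildResponse( unwrap( ex));

        ResponseBuilder rb = Response.status( ret.left()).entity( ret.right()).type( "application/json");
        // a 401 needs the WWW-Authenticate challenge so the browser prompts for credentials
        if( ret.left() == UNAUTHORIZED.getStatusCode())
            return rb.header( HttpHeaders.WWW_AUTHENTICATE, "Basic realm=\"YOUR SERVICE NAME\"").build();
        else
            return rb.build();
    }
}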

The important part is setting the response header if the user is not logged in; that makes the browser display the HTTP Basic Login Dialog.

Upvotes: 1
