Reputation: 231
While I am trying to create a Java Jersey application, authentication roles do not work for me.
Java code:
```java
package org.student.resource;

import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.ext.Provider;

@Path("/resource")
@PermitAll
public class Resource {

    @GET
    public String get() {
        return "GET";
    }

    @RolesAllowed("admin")
    @POST
    public String post() {
        return "Post content.";
    }
}
```
Deployment descriptor:
```xml
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         id="WebApp_ID" version="3.1">
  <display-name>JerseyAuthentication</display-name>
  <servlet>
    <servlet-name>Application</servlet-name>
    <servlet-class>org.glassfish.jersey.servlet.ServletContainer</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>Application</servlet-name>
    <url-pattern>/*</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Resource</web-resource-name>
      <url-pattern>/resource/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
  </security-constraint>
  <welcome-file-list>
    <welcome-file>login.html</welcome-file>
  </welcome-file-list>
</web-app>
```
Headers:
```
Cache-Control →private
Content-Language →en
Content-Length →1010
Content-Type →text/html;charset=utf-8
Date →Sat, 19 Sep 2015 08:14:18 GMT
Expires →Thu, 01 Jan 1970 05:30:00 IST
Server →Apache-Coyote/1.1
```
Kindly someone help me to do this. I want to know how to assign roles to resources.
Upvotes: 4
Views: 2148
Reputation: 209092
So three things you need to do
Set up the security realm in Tomcat (I'm assuming that's the server by `Server →Apache-Coyote/1.1`). You can read more about creating realms at Realm Configuration HOW-TO.
The easiest realm to configure is the UserDatabaseRealm, but this is in no way recommended for production. It's just to get you up and running in development. All you need to do is go to the `tomcat-users.xml` file in `${TOMCAT_HOME}/conf`. Then just edit the file. It should look something like
```xml
<tomcat-users>
  <user username="Murugesan" password="secret" roles="admin" />
  <user username="peeskillet" password="superSecret" roles="user" />
</tomcat-users>
```
You still need to configure the web.xml a bit. You need to do a few things.
Declare the roles allowed to use the application. You can put this below the `</security-constraint>`
```xml
<security-role>
  <role-name>user</role-name>
</security-role>
<security-role>
  <role-name>admin</role-name>
</security-role>
```
Declare the roles allowed to access the path defined in the `<security-constraint>`
```xml
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <url-pattern>/api/protected/*</url-pattern>
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>
```
Here we are saying that any authenticated user (`*`) with one of the declared roles is allowed through the servlet container security control on through to the Jersey application. Alternatively you can define the roles instead of `*`. This will cause the servlet container to handle the access control. But if you want more fine-grained control, just let all authenticated users in, and handle the access control inside Jersey with the annotations like you are currently doing.
You need to define the `<login-config>` to declare what type of authentication. There are only three: `FORM`, `DIGEST`, `BASIC`. Here we will use `BASIC`, and also declare the realm in which the users are located.
```xml
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>UserDatabaseRealm</realm-name>
</login-config>
```
You can put this below the `</security-role>`
You just need to configure Jersey to handle the security annotations by registering the `RolesAllowedDynamicFeature`. You can do that in the web.xml
```xml
<servlet>
  <servlet-name>Application</servlet-name>
  <servlet-class>org.glassfish.jersey.servlet.ServletContainer</servlet-class>
  <init-param>
    <param-name>jersey.config.server.provider.packages</param-name>
    <param-value>org.student.resource</param-value>
  </init-param>
  <init-param>
    <param-name>jersey.config.server.provider.classnames</param-name>
    <param-value>
      org.glassfish.jersey.server.filter.RolesAllowedDynamicFeature
    </param-value>
  </init-param>
  <load-on-startup>1</load-on-startup>
</servlet>
```
Upvotes: 3