M.Büßemeyer

Reputation: 53

Authentication and Authorization on a simple restful webservice

I developed a basic RESTful web service in Eclipse by using Maven. I use Tomcat 7.0 as a server, SE 1.7 and Jersey as my JAX-RS source, but I don't use JPA. I have a MySQL DB and I connect to the DB with Connector/J provided by MySQL. I have an employee table and a department table in my DB and the suitable model classes for those tables. My web service only provides get-methods that return the employee and department information in the JSON format.

It works perfectly fine, but now I want the client to log in before gaining access to the web service methods.

The client is not set yet, but it should be a website on my Tomcat server that uses JavaScript and jQuery to interact with the web service.

Now I want to add an authentication and authorization service to my web service. This should check if the user is logged in and has the permissions to ask for a defined employee or department. For example, one of my get-methods is:

@GET
@Path("/employee/{id}")
@Produces(MediaType.APPLICATION_JSON)
public Employee getEmployee(@PathParam("id") long id) {
    return EmployeeDBService.getDefinedEmployee(id);
}

and now it is called by the client with serverurl/myresource/employee/10, but the user logged in at the client does not have the permission to ask for the employee with the id 10.

I also want to add a feature that logs out the client after being inactive for a while.

I have already searched for a good tutorial and technology to implement the authentication and authorization service for the web service, but I wasn't really successful, because:

Does someone of you know good links / examples / technologies how to solve my problem?

If there are any questions I will answer them. Thanks for your help and time!

Upvotes: 3

Views: 885

Answers (1)

Emmanuel Keller

Reputation: 3394

As commented, the security chapter in the Jersey documentation will show you how to integrate the authentication mechanism in your REST APIs. This part of the authentication will only check if the user is logged in and who he is.

the user logged in the client does not have the permission to ask for employee with the id 10

JAX-RS does not know anything about your data model and its privileges, but it will give you the user's login. You must implement the logic on your own. Probably this will be the first line of each of your REST methods.

Upvotes: 1
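One way to put that check on the first line of the resource method, as an added example that is not part of the answer above or the asker's project: the login comes from the JAX-RS SecurityContext that Jersey fills in once container authentication is configured, and the data-model permission check (the hypothetical EmployeeDBService.mayView helper, assumed here) is the part the application has to write itself.

```java
import java.security.Principal;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;

@Path("/myresource")
public class EmployeeResource {

    // Injected by Jersey; holds the Principal established by the
    // authentication mechanism from the Jersey security chapter.
    @Context
    private SecurityContext securityContext;

    @GET
    @Path("/employee/{id}")
    @Produces(MediaType.APPLICATION_JSON)
    public Employee getEmployee(@PathParam("id") long id) {
        // Authorization against the application's own data model comes
        // first, before any DB access for the requested employee.
        String login = requireLogin();
        if (!EmployeeDBService.mayView(login, id)) { // hypothetical helper
            // Logged in, but not allowed to see this employee: 403.
            throw new WebApplicationException(Response.Status.FORBIDDEN);
        }
        return EmployeeDBService.getDefinedEmployee(id);
    }

    // Returns the authenticated login, or rejects the request with 401
    // when the container did not authenticate the caller at all.
    private String requireLogin() {
        Principal principal = securityContext.getUserPrincipal();
        if (principal == null) {
            throw new WebApplicationException(Response.Status.UNAUTHORIZED);
        }
        return principal.getName();
    }
}
```

The same requireLogin plus mayView pattern goes at the top of the department method; the inactivity logout the question asks about is a session-timeout setting on the Tomcat side, not something the resource class handles.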
