StvnBrkdll

Reputation: 4044

How to reject non-https request with Apache cxf / jaxrs

What I need to do: I need to figure out how to reject any incoming http requests that are NOT over TLS (i.e. https). Ideally I would be able to return an http status of 404 (not found) if the request is NOT over https.

What my implementation looks like: I am implementing a REST service using Apache cxf / jaxrs. I am using Spring's IoC to create the service.

The service definition in the Spring application context file looks like this:

<jaxrs:server id="testSvc" address="/">
    <jaxrs:serviceBeans>
        <ref bean="svcBean"/>
    </jaxrs:serviceBeans>    
</jaxrs:server>

The service is running inside of Tomcat.

I am thinking of using a simple servlet filter or a jax-rs filter (e.g. something that extends javax.ws.rs.container.ContainerRequestFilter).

Is there a better way to do this?

Upvotes: 0

Views: 803

Answers (1)

pedrofb

Reputation: 39261

You can publish Tomcat only on SSL/TLS, but I guess you cannot do this, so you can detect if you are in an SSL session. To access the SSL session ID from the request, use:

//Tomcat 6
String sslID = (String)request.getAttribute("javax.servlet.request.ssl_session"); 

//Tomcat 7
String sslID = (String)request.getAttribute("javax.servlet.request.ssl_session_id"); 

See the Tomcat SSL documentation.

Finally, set a ContainerRequestFilter in CXF to access the request parameters and abort the response if needed:

import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

import org.apache.cxf.jaxrs.utils.JAXRSUtils;
import org.apache.cxf.message.Message;
import org.apache.cxf.transport.http.AbstractHTTPDestination;

@Provider
public class SSLFilter implements ContainerRequestFilter {

    @Override
    public void filter(ContainerRequestContext context) {

        // get the current HttpServletRequest from the CXF message
        Message message = JAXRSUtils.getCurrentMessage();
        HttpServletRequest request = (HttpServletRequest) message.get(AbstractHTTPDestination.HTTP_REQUEST);

        // get the SSL session ID (Tomcat 6 attribute name; on Tomcat 7 use
        // "javax.servlet.request.ssl_session_id")
        String sslID = (String) request.getAttribute("javax.servlet.request.ssl_session");

        // finally use context.abortWith(Response) if you need to block the request
        if (sslID == null) {
            Response response = Response.status(Response.Status.UNAUTHORIZED).build();
            context.abortWith(response);
        }
    }
}

Add the provider to your server:

<bean id="sslFilter" class="SSLFilter"/>
<jaxrs:server id="testSvc" address="/">
    <jaxrs:providers>
        <ref bean="sslFilter" />
    </jaxrs:providers>
</jaxrs:server>

Upvotes: 2
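A variant of the filter above, added as an example and not taken from the question or the answer, that returns the 404 the question asked for, checks TLS with the portable Servlet API call `isSecure()` instead of a Tomcat-version-specific session attribute, and runs before resource matching so a plain-http client cannot probe which paths exist. It assumes CXF with JAX-RS 2.0 (`javax.ws.rs`) inside a Tomcat servlet container; the class name `RequireTlsFilter` is made up for this example.

```java
// Added example, not from the question or answer above. Assumes CXF with
// JAX-RS 2.0 (javax.ws.rs) running inside a Tomcat servlet container.
package example;

import javax.annotation.Priority;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

/**
 * Rejects every request that did not arrive over TLS with a bare 404.
 * @PreMatching runs the filter before resource matching, so the answer is
 * the same whether or not the requested path exists.
 */
@Provider
@PreMatching
@Priority(Priorities.AUTHENTICATION)
public class RequireTlsFilter implements ContainerRequestFilter {

    // CXF injects a thread-safe proxy for the current servlet request.
    @Context
    private HttpServletRequest request;

    @Override
    public void filter(ContainerRequestContext context) {
        if (!isTls(request)) {
            // No body and no WWW-Authenticate header: indistinguishable
            // from a resource that is not there.
            context.abortWith(Response.status(Response.Status.NOT_FOUND).build());
        }
    }

    /**
     * isSecure() is set by the container from the connector the request came
     * in on, so it needs no Tomcat-specific attribute name. If TLS is
     * terminated at a reverse proxy, Tomcat itself sees plain http: configure
     * RemoteIpValve with the proxy in internalProxies so that isSecure()
     * reflects the original scheme, rather than reading X-Forwarded-Proto
     * from an unverified client here.
     */
    static boolean isTls(HttpServletRequest request) {
        return request != null && request.isSecure();
    }
}
```

Register it under `<jaxrs:providers>` exactly as the answer registers `sslFilter`.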
