paul

Reputation: 13536

How to add dynamic authorization to JAX-RS service?

I am trying to secure REST services by adding authorisation. For example, all customers are allowed to call /rest/{custno}/machines/{machno} but they are only allowed to see the machines which they own.

I see that there are annotations like @RolesAllowed but that doesn't help in this case.

I have tried using Interceptors and this seemed to work on WebSphere 8.5 but is not working on Tomcat 7 or 8. The interceptor was able to get the customer info from the session and from the path and ensure that they are the same or that the user has admin rights. It was quite nice to be able to generate an overview using the annotations to see how each service is secured.

What is a typical approach to this kind of problem?

Upvotes: 1

Views: 312

Answers (1)

David Brossard

Reputation: 13834

You should use / which will provide you with

  1. An architecture
  2. A policy language (XACML or )
  3. A request/response protocol to query for authorization.

Let's start with the policy.

For example, all customers are allowed to call /rest/{custno}/machines/{machno} but they are only allowed to see the machines which they own.

In pseudo-policy, using ALFA, this would become

/**
 * Control access to machines
 */
policyset machines{
    target clause objectType == "machine"
    apply firstApplicable
    /**
     * View machines
     */
    policy viewMachines{
        target clause actionId == "view"
        apply firstApplicable
        /**
         * Users are only allowed to see the machines which they own.
         */
        rule usersCanViewTheirOwnMachines{
            permit
            condition machine.owner == username
        }
    }
}

The nice thing with this approach is that you need not write any code for this. All of the authorization logic is done inside the policy.

Now, let's talk architecture. You will need:

  1. an interceptor or policy enforcement point (PEP) which in your case would be a JAX-RS filter or interceptor. The interceptor will call out to the authorization service to verify the policies.
  2. an authorization service also known as a Policy Decision Point (PDP) which will process the request you sent against the policies it knows such as the one you just wrote.

Additional reading

Upvotes: 1
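The two pieces the answer describes, a JAX-RS filter acting as the policy enforcement point and a decision point that evaluates the "users can view their own machines" rule, as one added example. This is illustration code written for this page, not the asker's interceptor and not part of any XACML product. It assumes JAX-RS 2.0 (the javax namespace used by Tomcat 7/8 era stacks), that the authenticated Principal's name is the customer number stored in the session, that the role named "admin" carries the override the asker mentioned, and that an HTTP GET maps to the policy's "view" action; the in-memory PolicyDecisionPoint is a stand-in for the external PDP a real deployment would call.

```java
import java.io.IOException;
import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;

/** Attributes the PEP gathers for one request: subject, action and resource. */
final class AuthzRequest {
    final String username;   // subject attribute: customer number of the caller (assumption)
    final boolean admin;     // subject attribute: caller holds the "admin" role
    final String actionId;   // "view" or "modify"
    final String objectType; // "machine"
    final String owner;      // resource attribute: {custno} taken from the matched path

    AuthzRequest(String username, boolean admin, String actionId, String objectType, String owner) {
        this.username = username;
        this.admin = admin;
        this.actionId = actionId;
        this.objectType = objectType;
        this.owner = owner;
    }
}

/** Policy Decision Point. A production PEP would implement this by sending the
 *  attributes to an external XACML PDP; the interface keeps the filter agnostic. */
interface PolicyDecisionPoint {
    boolean permit(AuthzRequest request);
}

/** In-memory stand-in (hypothetical) that mirrors the ALFA policy above: the
 *  policyset only applies to machines, "view" is permitted when the machine's
 *  owner equals the caller, and admins are permitted as the asker described. */
final class InMemoryPdp implements PolicyDecisionPoint {
    @Override
    public boolean permit(AuthzRequest r) {
        if (!"machine".equals(r.objectType)) {
            return false; // policyset target not matched: deny by default
        }
        if (r.admin) {
            return true;  // assumed admin override from the question
        }
        if ("view".equals(r.actionId)) {
            return r.owner.equals(r.username); // rule usersCanViewTheirOwnMachines
        }
        return false;     // no rule for other actions: firstApplicable falls through to deny
    }
}

/** Policy Enforcement Point for /rest/{custno}/machines/{machno}. Runs after
 *  resource matching, so the path template parameters are already resolved. */
@Provider
@Priority(Priorities.AUTHORIZATION)
public class MachineAuthorizationFilter implements ContainerRequestFilter {
    private final PolicyDecisionPoint pdp = new InMemoryPdp();

    @Override
    public void filter(ContainerRequestContext ctx) throws IOException {
        MultivaluedMap<String, String> path = ctx.getUriInfo().getPathParameters();
        String custNo = path.getFirst("custno");
        if (custNo == null || path.getFirst("machno") == null) {
            return; // not a machine resource: this policy does not apply
        }

        // Identity comes from the container's SecurityContext, never from a client header.
        SecurityContext sec = ctx.getSecurityContext();
        if (sec == null || sec.getUserPrincipal() == null) {
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
            return;
        }

        String action = "GET".equals(ctx.getMethod()) ? "view" : "modify"; // assumed mapping
        AuthzRequest request = new AuthzRequest(
                sec.getUserPrincipal().getName(),
                sec.isUserInRole("admin"),
                action,
                "machine",
                custNo);

        if (!pdp.permit(request)) {
            ctx.abortWith(Response.status(Response.Status.FORBIDDEN).build());
        }
    }
}
```

On Tomcat the filter only runs if the JAX-RS runtime (Jersey or RESTEasy) actually registers it, either through package scanning of @Provider classes or by listing it in the Application subclass; a filter that is silently not registered is the usual reason an interceptor "works on one server but not another", so a quick check is to log from filter() and confirm the line appears for a request to a machine URL. Keeping the comparison between the path's {custno} and the server-side Principal inside the PDP, rather than in each resource method, is what lets the policy be listed and reviewed in one place, which is the overview the asker liked about annotations.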
