Reputation: 8695
I'm implementing a REST service within an EJB-JAR within an EAR running on the JBoss EAP 7.1.
The unsecured version of the service works fine, but adding even basic HTTP authentication turned out to be a challenge, since within an EJB-JAR I found no way to specify any required web.xml entries, like <auth-method>BASIC</auth-method>.
So my question is:
Additional information:
To make things simpler I use the default ManagementRealm like this:
<security-domain name="my-security-domain" cache-type="default">
    <authentication>
        <login-module code="Remoting" flag="optional">
            <module-option name="password-stacking" value="useFirstPass"/>
        </login-module>
        <login-module code="RealmDirect" flag="required">
            <module-option name="realm" value="ManagementRealm"/>
        </login-module>
    </authentication>
</security-domain>
In the EJB-jar:
@Stateless
@Path("/my-rest")
@SecurityDomain(value = "my-security-domain")
@DenyAll
public class MyRestStatelessBean {

    @PUT
    @RolesAllowed("admin")
    @Path("/doAdminStuff")
    public void doAdminStuff() {
        // Implementation
    }
}
Upvotes: 0
Views: 499
Reputation: 8695
The solution was to use the proactive authentication feature of Undertow, which is actually ON by default. Specifying an HTTP Basic Authentication header within the request makes Undertow try to log in the user, even though my REST service, due to the missing web.xml, doesn't require any type of authentication.
My complete configuration (using JBoss management users from mgmt-users.properties):
# Define my security domain
/subsystem=security/security-domain=MY-SECURITY-DOMAIN:add(cache-type=default)

# Link Undertow to Elytron for authentication
/subsystem=undertow/application-security-domain=MY-SECURITY-DOMAIN:add( \
    http-authentication-factory="management-http-authentication" \
)

# Add HTTP BASIC authentication support to Elytron
/subsystem=elytron/http-authentication-factory=management-http-authentication:list-add( \
    name=mechanism-configurations, \
    value={mechanism-name="BASIC", \
           mechanism-realm-configurations=[{realm-name="ManagementRealm"}] \
    } \
)

# Not sure why this is required...
/subsystem=ejb3/application-security-domain=MY-SECURITY-DOMAIN:add( \
    security-domain="ManagementDomain")
Upvotes: 2
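With no web.xml security constraint, nothing in front of the EJB forces authentication: proactive authentication only logs in callers who volunteer a Basic header, and everything else reaches the bean and is stopped solely by the @DenyAll / @RolesAllowed annotations. A deployment smoke test that confirms this behaviour end to end is worth keeping next to the configuration. The script below is an added example, not code from the question or the answer; the base URL, the application context path, and the two test accounts (one with the admin role, one without) are assumed placeholders supplied through environment variables.

```shell
#!/bin/sh
# Smoke test for an EJB-backed JAX-RS endpoint that is protected only by EJB
# security annotations plus Undertow proactive authentication (added example).
# Assumed placeholders: BASE_URL points at the deployed REST root, USER_ADMIN is
# a "user:password" pair that carries the admin role, USER_NOROLE is a valid
# account without that role.
BASE_URL="${BASE_URL:-http://localhost:8080/my-app/my-rest}"
USER_ADMIN="${USER_ADMIN:-admin:changeme}"
USER_NOROLE="${USER_NOROLE:-guest:changeme}"

# basic_header USER PASSWORD: the Authorization header that curl -u would send.
# Shown for readers inspecting traffic; Basic is base64, not encryption, so
# only use it over TLS.
basic_header() {
    printf 'Authorization: Basic %s' "$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')"
}

# is_rejected STATUS: 0 (true) when the status is not a 2xx success.
# Unauthenticated or under-privileged calls must never succeed; the exact
# rejection code depends on how the container maps EJBAccessException
# (401, 403 or even 500), so the check is "not 2xx" rather than one number.
is_rejected() {
    case "$1" in
        2[0-9][0-9]) return 1 ;;
        *)           return 0 ;;
    esac
}

# is_allowed STATUS: 0 (true) for any 2xx success.
is_allowed() {
    case "$1" in
        2[0-9][0-9]) return 0 ;;
        *)           return 1 ;;
    esac
}

# status_for [USER:PASSWORD]: issue the PUT and print only the HTTP status.
status_for() {
    if [ -n "${1:-}" ]; then
        curl -s -o /dev/null -w '%{http_code}' -X PUT -u "$1" "$BASE_URL/doAdminStuff"
    else
        curl -s -o /dev/null -w '%{http_code}' -X PUT "$BASE_URL/doAdminStuff"
    fi
}

# report LABEL STATUS CHECK: print PASS/FAIL and propagate the check result.
report() {
    if "$3" "$2"; then
        echo "PASS: $1 -> HTTP $2"
    else
        echo "FAIL: $1 -> HTTP $2"
        return 1
    fi
}

# run_checks: the three cases that matter for a deny-by-default bean.
run_checks() {
    rc=0
    report "no credentials"     "$(status_for '')"            is_rejected || rc=1
    report "user without role"  "$(status_for "$USER_NOROLE")" is_rejected || rc=1
    report "user with admin"    "$(status_for "$USER_ADMIN")"  is_allowed  || rc=1
    return $rc
}

# Network calls only run on request, so the file can also be sourced.
if [ "${RUN_CHECKS:-0}" = "1" ]; then
    run_checks
    exit $?
fi
```

Run it against a test instance with `RUN_CHECKS=1 BASE_URL=... USER_ADMIN=... USER_NOROLE=... sh smoke.sh`. If the "no credentials" case ever turns 2xx, the class-level @DenyAll has been lost or the method is no longer routed through the EJB container, which is exactly the regression this setup is most exposed to because there is no web.xml constraint as a second line of defence.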