What I want to do is to configure a REST service with basic authentication
and roles authorization using RESTEasy.
Currently, I am confused by the security configuration and I hope
someone can help me.
REST service: http://localhost:8080/xedu-web/rest/course/{1}
---------------------------------------------------------------
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed; // for the commented-out @RolesAllowed below
import javax.ejb.EJB;
import javax.ejb.Stateless;
import javax.inject.Inject;
import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
// CourseServices, ServiceContextServices, EIServiceContext, EISingleResponse,
// XEDUEICourse, XEDUEICourseSingleResponse, ConversionException,
// BadRequestRestException and ComponentRestException come from the
// application's own packages.

@Stateless
@Path("/course")
@PermitAll
public class CourseRestService {

    @EJB
    private CourseServices service;

    @Inject
    private ServiceContextServices serviceContextServices;

    @GET
    @Path("{id}")
    // @RolesAllowed("users")
    @Consumes({"application/vnd.ch.xpertline.xedu.data.interfaces+json",
               "application/json", "application/xml"})
    @Produces({"application/vnd.ch.xpertline.xedu.data.interfaces+json",
               "application/json", "application/xml"})
    public XEDUEICourseSingleResponse find(@PathParam("id") Integer id,
            @QueryParam("serviceContext") EIServiceContext serviceContext) {
        try {
            serviceContextServices.setContext(serviceContext);
            EISingleResponse<XEDUEICourse> ei = service.findEI(id);
            return new XEDUEICourseSingleResponse(ei);
        } catch (ConversionException ce) {
            throw new BadRequestRestException(ce);   // client sent unusable data: 400
        } catch (Exception e) {
            throw new ComponentRestException(e);     // anything else: server-side failure
        }
    }
}
web.xml
---------------------------------------------------------------
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0"
         xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
    <display-name>xedu-web</display-name>
    <context-param>
        <param-name>resteasy.scan</param-name>
        <param-value>true</param-value>
    </context-param>
    <context-param>
        <param-name>resteasy.role.based.security</param-name>
        <param-value>true</param-value>
    </context-param>
    <context-param>
        <param-name>resteasy.servlet.mapping.prefix</param-name>
        <param-value>/rest</param-value>
    </context-param>
    <listener>
        <listener-class>org.jboss.resteasy.plugins.server.servlet.ResteasyBootstrap</listener-class>
    </listener>
    <servlet>
        <servlet-name>Resteasy</servlet-name>
        <servlet-class>org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>Resteasy</servlet-name>
        <url-pattern>/rest/*</url-pattern>
    </servlet-mapping>
</web-app>
Request filter:
---------------------------------------------------------------
import java.io.IOException;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;
// User, AuthenticationException and AppSecurityContext are application classes.

@Provider
public class AuthenticationRequestFilter implements ContainerRequestFilter {

    @Override
    public void filter(ContainerRequestContext ctx) throws IOException {
        User user = null;
        try {
            String[] credentials = readCredentials(ctx);   // parses the Basic header
            String username = credentials[0];
            String password = credentials[1];
            user = authenticate(username, password);       // looks the user up in the database
        } catch (AuthenticationException e) {
            switch (e.getErrorCode()) {
                case 401:
                    ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
                    break;
                case 403:
                    ctx.abortWith(Response.status(Response.Status.FORBIDDEN).build());
                    break;
                default:
                    // Any other authentication failure must not fall through unauthenticated.
                    ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
                    break;
            }
        }
        // Set the custom security context
        if (user != null)
            ctx.setSecurityContext(new AppSecurityContext(user, ctx.getUriInfo()));
    }
    ...
}
The current (correct) behavior is the following:
- when I send a request with valid credentials (user1), the request
filter authenticates the user and the service returns the resource data.
- when I send a request without credentials, my request filter returns a
401 code.
- when I send a request with an unknown user, my filter returns a 403
code.
My question is: how do I set up authorization on methods based on roles?
Users and roles are stored in an application database, not on JBoss.
Here's what I did, which did not work:
- I added the annotation @RolesAllowed("users") on my service method.
- I set a custom SecurityContext in my request filter that associates the
role "users" with the user "user1".
- I added and set the context-param "resteasy.role.based.security" to true
in web.xml.
The resulting behavior is that my filter is never called, and all requests
result in a 403 code.
It seems that the role is checked before calling my request filter, so
that the custom SecurityContext is not yet created.
Lately, I read in the documentation that we must not enable
"resteasy.role.based.security" if we use EJBs, and that is my case.
However, I didn't find any example or description of what to do in
that case.
_______________________________________________
Resteasy-users mailing list
Resteasy-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/resteasy-users