Wow, stop! Back up a little. Authentication and authorisation are the responsibility of Shiro via the org.apache.shiro.web.servlet.ShiroFilter.
Exposing web service endpoints is the responsibility of Jersey via the com.sun.jersey.spi.container.servlet.ServletContainer servlet. If you use Shiro, then you don't need any security-constraint in your servlet.

I recommend you clone this project: https://github.com/dominicfarr/skybird-shiro
It has a working authenticated Jersey endpoint.

On 19 March 2014 16:31, onelazyguy <[email protected]> wrote:

> Yes! At the moment I only have one service that does the login, but I am
> working on more web services and those services need to be secure, meaning
> before users can consume any web services, Java code or web.xml is
> configured so that if the user does not have the role or permission then it
> either redirects or throws an error page. The Oracle page that I posted
> above shows what I would like to achieve, but it is not a complete tutorial,
> so I am still trying to figure it out.
>
> *web.xml configuration:*
>
> <web-app>
>   <servlet>
>     <servlet-name>RestServlet</servlet-name>
>     <servlet-class>com.sun.jersey.spi.container.servlet.ServletContainer</servlet-class>
>   </servlet>
>   <servlet-mapping>
>     <servlet-name>RestServlet</servlet-name>
>     <url-pattern>/*</url-pattern>
>   </servlet-mapping>
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>Orders</web-resource-name>
>       <url-pattern>/orders</url-pattern>
>       <http-method>GET</http-method>
>       <http-method>POST</http-method>
>     </web-resource-collection>
>     <auth-constraint>
>       <role-name>admin</role-name>
>     </auth-constraint>
>   </security-constraint>
>   <login-config>
>     <auth-method>BASIC</auth-method>
>     <realm-name>default</realm-name>
>   </login-config>
>   <security-role>
>     <role-name>admin</role-name>
>   </security-role>
> </web-app>
>
> *securing RESTful service:*
>
> import javax.ejb.Stateless;
> import javax.ws.rs.GET;
> import javax.ws.rs.Path;
> import javax.ws.rs.Produces;
> import javax.ws.rs.core.SecurityContext;
> import javax.ws.rs.core.Context;
>
> ...
>
> @Path("/stateless")
> @Stateless(name = "JaxRSStatelessEJB")
> public class StlsEJBApp {
>     ...
>     @GET
>     @Produces("text/plain;charset=UTF-8")
>     @Path("/hello")
>     public String sayHello(@Context SecurityContext sc) {
>         if (sc.isUserInRole("admin")) return "Hello World!";
>         throw new SecurityException("User is unauthorized.");
>     }
> }
>
> I am not sure how to do it here... Do I just inject SecurityContext and it
> will magically work?
>
> --
> View this message in context:
> http://shiro-user.582556.n2.nabble.com/How-to-get-the-user-session-using-apache-shiro-with-jersey-RESTful-tp7579771p7579794.html
> Sent from the Shiro User mailing list archive at Nabble.com.
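The setup the reply above describes, written out as an added example. This is not code from the original post, nor from the skybird-shiro project: the ShiroFilter mapped to /* does authentication and authorisation from a shiro.ini [urls] section, the Jersey ServletContainer only exposes the endpoint, and the web.xml security-constraint, login-config and security-role are dropped. The resource class, its paths, and the users, roles and permissions in the assumed shiro.ini are all made up for illustration. The resource checks Shiro's Subject directly rather than the JAX-RS SecurityContext, so it does not depend on the container's own principal.

```java
// Added example: a Jersey 1.x resource protected by Shiro's ShiroFilter rather
// than a <security-constraint>. Everything below (resource name, paths, the
// users, roles and permissions in shiro.ini) is assumed for illustration.
//
// Assumed shiro.ini on the classpath:
//
//   [users]
//   alice = alicepw, admin
//   bob   = bobpw, user
//
//   [roles]
//   admin = orders:*
//   user  = orders:read
//
//   [urls]
//   # first match wins, so the most specific pattern goes first
//   /orders/** = noSessionCreation, authcBasic, roles[admin]
//   /**        = noSessionCreation, authcBasic
//
// Assumed additions to web.xml (the RestServlet from the question stays as is;
// the <security-constraint>, <login-config> and <security-role> go away):
//
//   <listener>
//     <listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
//   </listener>
//   <filter>
//     <filter-name>ShiroFilter</filter-name>
//     <filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
//   </filter>
//   <filter-mapping>
//     <filter-name>ShiroFilter</filter-name>
//     <url-pattern>/*</url-pattern>
//     <dispatcher>REQUEST</dispatcher>
//     <dispatcher>FORWARD</dispatcher>
//     <dispatcher>INCLUDE</dispatcher>
//     <dispatcher>ERROR</dispatcher>
//   </filter-mapping>
package example.rest;

import javax.ws.rs.DELETE;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Response;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.subject.Subject;

@Path("/orders")
public class OrdersResource {

    // Second line of defence: ShiroFilter has already required authcBasic and
    // roles[admin] for /orders/**, but the resource checks again so that a
    // later edit to the [urls] section cannot silently expose it.
    @GET
    @Produces("text/plain;charset=UTF-8")
    public String listOrders() {
        Subject subject = SecurityUtils.getSubject();
        if (!subject.isAuthenticated()) {
            throw new WebApplicationException(Response.Status.UNAUTHORIZED);
        }
        if (!subject.hasRole("admin")) {          // Shiro's counterpart of
            throw new WebApplicationException(    // SecurityContext.isUserInRole
                    Response.Status.FORBIDDEN);
        }
        return "orders visible to " + subject.getPrincipal();
    }

    // Per-instance permission check: checkPermission throws
    // AuthorizationException, which is mapped to a 403 here.
    @DELETE
    @Path("/{id}")
    public Response deleteOrder(@PathParam("id") String id) {
        Subject subject = SecurityUtils.getSubject();
        try {
            subject.checkPermission("orders:delete:" + id);
        } catch (AuthorizationException e) {
            throw new WebApplicationException(e, Response.Status.FORBIDDEN);
        }
        // ... delete order `id` here (storage omitted in this example)
        return Response.noContent().build();
    }
}
```

With this in place, `curl -u alice:alicepw http://localhost:8080/orders` reaches the resource and gets the listing; a request with no credentials is answered by the authcBasic filter with a 401 and a WWW-Authenticate challenge before Jersey sees it, and `bob`, who authenticates but lacks the admin role, is rejected by the roles filter before the resource runs. The noSessionCreation filter keeps a Basic-auth REST API stateless, so no JSESSIONID cookie is issued that a client could later replay without credentials.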
