I'm working on implementing a security model for some of our REST/JAX-RS
services. The basic goal is to allow/disallow certain REST actions based
on remote user, api endpoint, and endpoint parameters. For example, a user
might have the right roles to perform a certain action, but they are
restricted to performing the action against only certain objects.
I've looked at implementing a custom request handler, and a little at
Spring Security. The Spring Security authorization model seems like it
might work, but it will require a lot of effort to integrate with our SSO
system, and we would have to build out an authorization system from scratch.
Are there any best practices or other examples for JAX-RS security in this
type of model?
-Greg
Subject: Jax-RS & Authorization Models (Greg Wittel)
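Added example, not from Greg's post or from any project mentioned in it: one way to express the "right role, but only for certain objects" rule in plain JAX-RS 2.0 without Spring Security. A `DynamicFeature` inspects each resource method at startup and attaches a `ContainerRequestFilter` only where a `@Secured` annotation is present; the filter first checks the role, then asks a policy object whether this user may touch the object named by a path parameter. The `Secured` annotation, the `AccessPolicy` interface, the `ObjectAuthz` class and the `OrdersResource` are hypothetical names chosen for this illustration; it is assumed that the SSO integration has already populated the JAX-RS `SecurityContext` with the remote user and their roles.

```java
// Added illustration (not from the original thread). Names below are hypothetical:
// ObjectAuthz, Secured, AccessPolicy and OrdersResource exist only for this example.
import java.io.IOException;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.security.Principal;

import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.DynamicFeature;
import javax.ws.rs.container.ResourceInfo;
import javax.ws.rs.core.FeatureContext;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;

public final class ObjectAuthz {

    /** Declares the role a resource method needs and, optionally, which path
     *  parameter identifies the object the caller is acting on. */
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    public @interface Secured {
        String role();
        String objectParam() default "";
    }

    /** Hypothetical hook into whatever holds user-to-object grants
     *  (an ACL table, SSO claims, an ownership column, ...). */
    public interface AccessPolicy {
        boolean mayAccess(Principal user, String objectId);
    }

    /** Runs before the resource method; the method never sees a request it may not serve. */
    public static final class Filter implements ContainerRequestFilter {
        private final Secured rule;
        private final AccessPolicy policy;

        Filter(Secured rule, AccessPolicy policy) { this.rule = rule; this.policy = policy; }

        @Override
        public void filter(ContainerRequestContext ctx) throws IOException {
            SecurityContext sc = ctx.getSecurityContext();
            Principal user = sc == null ? null : sc.getUserPrincipal();
            if (user == null) {                       // SSO layer did not authenticate the caller
                ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
                return;
            }
            if (!sc.isUserInRole(rule.role())) {      // coarse check: role membership
                ctx.abortWith(Response.status(Response.Status.FORBIDDEN).build());
                return;
            }
            if (!rule.objectParam().isEmpty()) {      // fine-grained check: this user, this object
                String objectId = ctx.getUriInfo().getPathParameters().getFirst(rule.objectParam());
                if (objectId == null || !policy.mayAccess(user, objectId)) {
                    ctx.abortWith(Response.status(Response.Status.FORBIDDEN).build());
                }
            }
        }
    }

    /** Attaches the filter only to methods carrying @Secured, so unannotated
     *  methods keep whatever default the application already applies. */
    @Provider
    public static final class Feature implements DynamicFeature {
        private final AccessPolicy policy;
        public Feature(AccessPolicy policy) { this.policy = policy; }

        @Override
        public void configure(ResourceInfo info, FeatureContext context) {
            Secured rule = info.getResourceMethod().getAnnotation(Secured.class);
            if (rule != null) {
                context.register(new Filter(rule, policy));
            }
        }
    }

    /** Example resource: any "order-viewer" may call GET, but only on orders the policy grants. */
    @Path("/orders")
    public static final class OrdersResource {
        @GET
        @Path("/{orderId}")
        @Secured(role = "order-viewer", objectParam = "orderId")
        public Response get(@PathParam("orderId") String orderId) {
            return Response.ok("order " + orderId).build();   // placeholder body for the illustration
        }
    }
}
```

Register `new ObjectAuthz.Feature(policy)` alongside the resources (for example from `Application.getSingletons()`), and the rule applies to every annotated method. Two caveats worth keeping in mind with this design: the filter runs before the entity body is read, so an object identifier that arrives in the request body rather than the path still has to be checked inside the resource method (or in a `ReaderInterceptor`), and returning 403 for an object the caller cannot see confirms that it exists, so some services deliberately answer 404 in that case instead.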