Hi,

----- Original Message ----- From: "Dabernig Josef" <[email protected]>
To: <[email protected]>
Sent: Friday, November 20, 2009 8:11 AM
Subject: HTTP Basic authentication in JAX-RS programmatically


hello,

i'm investigating in securing my RESTful webservice with HTTP Basic
authentication using the JAX-RS implementation of CXF.

i don't want to use spring, so i would prefer realizing the HTTP Basic
authentication using annotations and java-code only.

the manual states that one can check the HTTP security headers using a
RequestHandler
http://cxf.apache.org/docs/jax-rs.html#JAX-RS-CheckingHTTPsecurityheaders

how can i programmatically register my custom RequestHandler? would it be
possible to register a custom handler annotation-like - on a per-method
basis?

as i couldn't figure out, how-to register a RequestHandler in code, i
currently used the following approach:

use an AuthenticationInterceptor which extends JAXRSInInterceptor, similar
to the example from
http://chrisdail.com/2008/08/13/http-basic-authentication-with-apache-cxf-revisited/


You probably do not need to extend JAXRSInInterceptor when creating CXF in 
interceptors for JAXRS services, but it might work

when creating the service, i register the interceptor:

JAXRSServerFactoryBean sf = new JAXRSServerFactoryBean();
...
sf.getInInterceptors().add(new AuthenticationInterceptor());
sf.create();

using this approach, i can't control if the service should use the
interceptor on a per-method basis...

You will probably be better off by registering a custom RequestHandler on  
JAXRSServerFactoryBean, it has a setProviders method.
If you could use Spring then you'd be able to use RolesAllowed or Secured annotations, but without Spring, some code will be needed in your custom RequestHandler in order to figure out the method name :
message.get(OperationResourceInfo.class).getMethodToInvoke()

I'm not sure I'd like to invest into letting users do custom security-related 
annotations on individual methods...

hope it helps

thank you very much for your suggestions and best regards from vienna,

thanks, Sergey

josef

ps:
my more high-level goal would be to use the http-basic authentication
against a user database. as REST should be stateless i suppose that i
have to check every time the user requests. currently i implement this,
checking the user database within the AuthenticationInterceptor. if
authentication succeeds, an AppUser object will be stored within the
Message object, so my Service methods can access them using the
MessageContext. any suggestions on this approach?

Sure, this is one option. Perhaps you could have your inInterceptor or RequestHandler just checking the database itself ? And blocking the execution if the check fails ?
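An added example (not code from this thread or from CXF) of the RequestHandler approach Sergey describes: it enforces Basic auth only for resource methods carrying a hypothetical @BasicAuthRequired annotation, found through OperationResourceInfo.getMethodToInvoke(), checks the credentials against a constructed in-memory map standing in for Josef's user database, and stores an AppUser in the Message as his interceptor does. It assumes CXF's HTTP transport has decoded the Authorization header into an AuthorizationPolicy on the message, and that the handler is registered with JAXRSServerFactoryBean.setProviders().

```java
import java.security.MessageDigest;
import java.util.Collections;
import java.util.Map;
import javax.ws.rs.core.Response;
import org.apache.cxf.configuration.security.AuthorizationPolicy;
import org.apache.cxf.jaxrs.JAXRSServerFactoryBean;
import org.apache.cxf.jaxrs.ext.RequestHandler;
import org.apache.cxf.jaxrs.model.ClassResourceInfo;
import org.apache.cxf.jaxrs.model.OperationResourceInfo;
import org.apache.cxf.message.Message;

// Hypothetical marker annotation: only resource methods carrying it require Basic auth.
@java.lang.annotation.Retention(java.lang.annotation.RetentionPolicy.RUNTIME)
@java.lang.annotation.Target(java.lang.annotation.ElementType.METHOD)
@interface BasicAuthRequired {}

// Stand-in for the AppUser object from the original post; its fields are assumed.
class AppUser {
    final String name;
    AppUser(String name) { this.name = name; }
}

public class BasicAuthHandler implements RequestHandler {
    // Constructed stand-in for the user database (plain-text secret only for the demo).
    private final Map<String, String> users = Collections.singletonMap("josef", "s3cret");

    public Response handleRequest(Message m, ClassResourceInfo resourceClass) {
        OperationResourceInfo ori = m.get(OperationResourceInfo.class);
        // Per-method decision: unannotated methods are let through untouched.
        if (ori == null || !ori.getMethodToInvoke().isAnnotationPresent(BasicAuthRequired.class)) {
            return null; // returning null tells CXF to continue with the invocation
        }
        // The HTTP transport fills this from the Authorization request header.
        AuthorizationPolicy policy = m.get(AuthorizationPolicy.class);
        if (policy == null || !"Basic".equalsIgnoreCase(policy.getAuthorizationType())
                || policy.getUserName() == null || policy.getPassword() == null) {
            return challenge();
        }
        String expected = users.get(policy.getUserName());
        // Constant-time comparison so a wrong password takes as long as a right one.
        if (expected == null || !MessageDigest.isEqual(expected.getBytes(), policy.getPassword().getBytes())) {
            return challenge();
        }
        m.put(AppUser.class, new AppUser(policy.getUserName())); // readable later via MessageContext
        return null;
    }

    private Response challenge() {
        return Response.status(401).header("WWW-Authenticate", "Basic realm=\"rest\"").build();
    }

    // Registration without Spring, as Sergey suggests: the handler is a provider.
    static void register(JAXRSServerFactoryBean sf) {
        sf.setProviders(Collections.singletonList(new BasicAuthHandler()));
    }
}
```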
