   import javax.annotation.security.RolesAllowed;
   import javax.ws.rs.GET;
   import javax.ws.rs.Path;
   import javax.ws.rs.Produces;

   @Path("/customers")
   public class CustomerService {

      @GET
      @Produces("application/xml")
      @RolesAllowed("XML-USERS")   // only members of XML-USERS may receive XML
      public Customer getXmlCustomers() {...}

      @GET
      @Produces("application/json")
      @RolesAllowed("JSON-USERS")  // only members of JSON-USERS may receive JSON
      public Customer getJsonCustomers() {...}
   }
Here we only allow members of the XML-USERS role to obtain application/xml content and members of the JSON-USERS role to obtain application/json content. Because the role check is attached to the method that content negotiation selects, the same resource URI can be restricted per representation. This might be useful for limiting which users can request data formats that are expensive to create.
Programmatic Security
The security features defined in this chapter have so far focused on declarative security metadata, that is, metadata that is statically defined before an application even runs. JAX-RS also has a small programmatic API for gathering security information about a secured request. Specifically, the javax.ws.rs.core.SecurityContext interface has a method for determining the identity of the user making the secured HTTP invocation. It also has a method that allows you to check whether or not the current user belongs to a certain role:
   public interface SecurityContext {
      public Principal getUserPrincipal();
      public boolean isUserInRole(String role);
      public boolean isSecure();
      public String getAuthenticationScheme();
   }
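The following is an added example, not code from the book: a resource class that obtains the SecurityContext through @Context injection and uses its methods to make an authorization decision in code rather than through @RolesAllowed. The Customer bean, the in-memory customer table, the ADMIN role and the idea that each customer record has an owning login name are assumptions made for illustration; a JSON provider is assumed to be configured, as in the chapter's other examples.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;

import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;

// Added example (not from the book): programmatic checks via SecurityContext.
@Path("/customers")
public class CustomerService {

   // Injected by the JAX-RS runtime for the current request.
   @Context
   private SecurityContext security;

   // Constructed in-memory data so the example runs without a database.
   // Assumed data model: every customer record is owned by one login name.
   private static final Map<Integer, Customer> CUSTOMERS = new HashMap<Integer, Customer>();
   static {
      CUSTOMERS.put(1, new Customer(1, "Bill Burke", "bill"));
      CUSTOMERS.put(2, new Customer(2, "Jane Doe", "jane"));
   }

   @GET
   @Path("{id}")
   @Produces("application/json")
   public Customer getCustomer(@PathParam("id") int id) {
      // Customer data must not travel over a cleartext connection, even if
      // the container was not configured to enforce that itself.
      if (!security.isSecure()) {
         throw new WebApplicationException(Response.Status.FORBIDDEN);
      }

      // getUserPrincipal() is null when the request was not authenticated;
      // never let that fall through as an anonymous success.
      Principal user = security.getUserPrincipal();
      if (user == null) {
         throw new WebApplicationException(Response.Status.UNAUTHORIZED);
      }

      Customer customer = CUSTOMERS.get(id);
      if (customer == null) {
         throw new WebApplicationException(Response.Status.NOT_FOUND);
      }

      // Role check (what @RolesAllowed does declaratively) combined with an
      // ownership check that annotations alone cannot express: members of
      // the assumed ADMIN role may read any record, everyone else only their own.
      boolean admin = security.isUserInRole("ADMIN");
      boolean owner = user.getName().equals(customer.getOwner());
      if (!admin && !owner) {
         throw new WebApplicationException(Response.Status.FORBIDDEN);
      }
      return customer;
   }

   // Minimal bean for the assumed data model.
   public static class Customer {
      private int id;
      private String name;
      private String owner;

      public Customer() {}

      public Customer(int id, String name, String owner) {
         this.id = id;
         this.name = name;
         this.owner = owner;
      }

      public int getId() { return id; }
      public String getName() { return name; }
      public String getOwner() { return owner; }
   }
}
```

The order of the checks matters: transport and authentication are verified before any record is looked up, so an unauthenticated caller learns nothing about which ids exist, and the ownership comparison uses the name the container authenticated rather than anything supplied in the request.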
The getUserPrincipal() method returns the standard Java Standard Edition (SE) java.security.Principal interface. A Principal object represents the individual user who is currently invoking the HTTP request; if the request was not authenticated, this method returns null. The isUserInRole() method allows you to determine whether the current calling user belongs to a certain role. The isSecure() method returns true if the current request was made over a secure connection such as HTTPS. The getAuthenticationScheme() method tells you which authentication mechanism was used to secure the request. BASIC, DIGEST, CLIENT_CERT, and FORM are typical values returned by this