method. You get access to a SecurityContext instance by injecting it into a field, setter
method, or resource method parameter using the @Context annotation.
Let's examine this security interface with an example. Let's say we want to have a security
log of all access to a customer database by users who are not administrators. Here is how it
might look:
@Path("/customers")
public class CustomerService {

   @GET
   @Produces("application/xml")
   public Customer[] getCustomers(@Context SecurityContext sec) {
      if (sec.isSecure() && !sec.isUserInRole("ADMIN")) {
         logger.log(sec.getUserPrincipal() +
                    " accessed customer database.");
      }
      ...
   }
}
In this example, we inject the SecurityContext as a parameter to our getCustomers()
JAX-RS resource method. We use the method SecurityContext.isSecure() to determine
whether or not this is an authenticated request. We then use the method
SecurityContext.isUserInRole() to find out if the caller is an ADMIN or not. Finally,
we print out to our audit log.
With the introduction of the filter API in JAX-RS 2.0, you can implement the
SecurityContext interface and override the current request's SecurityContext via the
ContainerRequestContext.setSecurityContext() method. What's interesting about this is
that you can implement your own custom security protocols. Here's an example:
import java.io.IOException;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.core.HttpHeaders;

@PreMatching
public class CustomAuth implements ContainerRequestFilter {
   protected MyCustomerProtocolHandler customProtocol = ...;

   public void filter(ContainerRequestContext requestContext) throws IOException
   {
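As an added example (not the book's code), here is one way a filter can install its own SecurityContext with ContainerRequestContext.setSecurityContext(). The "Example" Authorization scheme, its user:role:HMAC token layout, and the class name ExampleTokenAuth are hypothetical; the shared key is assumed to be supplied when the filter instance is registered.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.ws.rs.NotAuthorizedException;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.SecurityContext;

// Hypothetical header: "Authorization: Example <user>:<role>:<base64 HMAC-SHA256 of user:role>"
@PreMatching
public class ExampleTokenAuth implements ContainerRequestFilter {
    private static final String SCHEME = "Example ";
    private final byte[] key; // shared secret (assumption: loaded from a secret store)
    public ExampleTokenAuth(byte[] key) { this.key = key.clone(); }

    @Override
    public void filter(ContainerRequestContext ctx) throws IOException {
        String header = ctx.getHeaderString(HttpHeaders.AUTHORIZATION);
        if (header == null || !header.startsWith(SCHEME)) return; // keep the container's context
        String[] p = header.substring(SCHEME.length()).split(":", 3);
        if (p.length != 3 || !validMac(p[0] + ":" + p[1], p[2]))
            throw new NotAuthorizedException("Example"); // 401 with a WWW-Authenticate challenge
        final boolean https = "https".equals(ctx.getUriInfo().getRequestUri().getScheme());
        final String user = p[0], role = p[1];
        ctx.setSecurityContext(new SecurityContext() {
            public Principal getUserPrincipal() { return () -> user; }
            public boolean isUserInRole(String r) { return role.equals(r); }
            public boolean isSecure() { return https; } // transport (HTTPS) only
            public String getAuthenticationScheme() { return "Example"; }
        });
    }

    private boolean validMac(String msg, String b64) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(key, "HmacSHA256"));
            byte[] expected = mac.doFinal(msg.getBytes(StandardCharsets.UTF_8));
            return MessageDigest.isEqual(expected, Base64.getDecoder().decode(b64)); // constant-time
        } catch (java.security.GeneralSecurityException | IllegalArgumentException e) {
            return false; // malformed token or unusable key: reject
        }
    }
}
```

Because the constructor takes the key, register an instance of the filter (for example through Application.getSingletons()) rather than relying on classpath scanning.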