String authHeader = requestContext.getHeaderString(HttpHeaders.AUTHORIZATION);
SecurityContext newSecurityContext = customProtocol.validate(authHeader);
// Install the validated context, not the raw header string
requestContext.setSecurityContext(newSecurityContext);
This filter leaves out a ton of detail, but hopefully you get the idea. It extracts the
Authorization header from the request and passes it to the customProtocol service that you
have written. This returns an implementation of SecurityContext. You override the default
SecurityContext with this variable.
The JAX-RS 2.0 specification didn't do much to define a common client security API.
What's weird is that while it has a standard API for rarely used protocols like two-way SSL
with client certificates, it doesn't define one for simple protocols like . Instead, you have to
rely on the vendor implementation of JAX-RS to provide these security features. For
example, the RESTEasy framework provides a ContainerRequestFilter you can use to
enable Basic Authentication:
Client client = ClientBuilder.newClient();
client.register(new BasicAuthentication("username", "password"));
You construct the BasicAuthentication filter with the username and password you want to
authenticate with. That's it. Other JAX-RS implementations might have other mechanisms
for doing this.
JAX-RS 2.0 does have an API for enabling two-way SSL with client certificates. The
ClientBuilder class allows you to specify a java.security.KeyStore that contains the client
certificate you want to use to authenticate:
public ClientBuilder keyStore(final KeyStore keyStore, final String password)
Alternatively, it has methods to create your own SSLContext, but creating one is quite
complicated and beyond the scope of this topic.
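The following added example (not from the original text) shows the keyStore() method in a complete client that presents a client certificate and also pins the CAs it trusts for the server. The file names, environment variable names and URL are assumed placeholders.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import javax.ws.rs.client.Client;
import javax.ws.rs.client.ClientBuilder;
import javax.ws.rs.core.Response;

public class MutualTlsClientExample {

    // Read a required secret from the environment instead of hardcoding it.
    static char[] secret(String envName) {
        String value = System.getenv(envName);
        if (value == null || value.isEmpty()) {
            throw new IllegalStateException("Missing environment variable " + envName);
        }
        return value.toCharArray();
    }

    // Load a PKCS12 store from disk.
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore store = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            store.load(in, password);
        }
        return store;
    }

    public static void main(String[] args) throws Exception {
        // Assumed placeholders: store file names, variable names and target URL.
        char[] keyPass = secret("CLIENT_KEYSTORE_PASSWORD");
        KeyStore clientIdentity = load("client-identity.p12", keyPass);
        KeyStore trustedCas = load("trusted-cas.p12", secret("TRUSTSTORE_PASSWORD"));

        Client client = ClientBuilder.newBuilder()
                .keyStore(clientIdentity, keyPass) // certificate and private key sent to the server
                .trustStore(trustedCas)            // CAs accepted when verifying the server
                .build();
        try {
            Response response = client.target("https://api.example.com/customers/1")
                    .request().get();
            System.out.println("HTTP status: " + response.getStatus());
            response.close();
        } finally {
            client.close();
        }
    }
}
```

Setting trustStore() explicitly keeps server verification limited to the CAs you chose rather than the JVM default set.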