      // Pull the raw Authorization header off the incoming request.
      String authHeader = requestContext.getHeaderString(HttpHeaders.AUTHORIZATION);
      // Hand it to your own protocol implementation, which returns a SecurityContext.
      SecurityContext newSecurityContext = customProtocol.validate(authHeader);
      // Install that context; the original passed authHeader here, which does not compile.
      requestContext.setSecurityContext(newSecurityContext);
   }
}
This filter leaves out a ton of detail, but hopefully you get the idea. It extracts the Authorization header from the request and passes it to the customProtocol service that you have written. This returns an implementation of SecurityContext. You override the default SecurityContext with this variable.
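As an added example (not the book's code), here is a fuller filter of the same shape. It assumes a hypothetical TokenValidator service standing in for customProtocol and a bearer-token scheme; it fails closed with a 401 and a WWW-Authenticate challenge when the header is missing or the token is rejected, and otherwise installs a SecurityContext whose isUserInRole backs role checks on your resources.

```java
import java.io.IOException;
import java.security.Principal;
import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;
// Hypothetical application service standing in for the book's customProtocol.
interface TokenValidator {
    String subject(String token);                   // user name, or null if the token is invalid
    boolean hasRole(String subject, String role);
}
@Provider
@PreMatching
@Priority(Priorities.AUTHENTICATION)                // run before other filters and before resource matching
public class TokenAuthFilter implements ContainerRequestFilter {
    private static final String SCHEME = "Bearer";  // assumed scheme for this example
    private final TokenValidator validator;
    // Register an instance from your Application subclass so the validator is supplied.
    public TokenAuthFilter(TokenValidator validator) { this.validator = validator; }
    public void filter(ContainerRequestContext requestContext) throws IOException {
        String authHeader = requestContext.getHeaderString(HttpHeaders.AUTHORIZATION);
        String prefix = SCHEME + " ";
        if (authHeader == null || !authHeader.regionMatches(true, 0, prefix, 0, prefix.length())) {
            challenge(requestContext);              // header missing or a different scheme
            return;
        }
        final String user = validator.subject(authHeader.substring(prefix.length()).trim());
        if (user == null) {
            challenge(requestContext);              // bad token: fail closed before any resource runs
            return;
        }
        final boolean secure = requestContext.getSecurityContext().isSecure();  // keep the container's TLS knowledge
        requestContext.setSecurityContext(new SecurityContext() {
            public Principal getUserPrincipal() { return () -> user; }   // Principal has one abstract method (Java 8+)
            public boolean isUserInRole(String role) { return validator.hasRole(user, role); }
            public boolean isSecure() { return secure; }
            public String getAuthenticationScheme() { return SCHEME; }
        });
    }
    private static void challenge(ContainerRequestContext ctx) {
        ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                .header(HttpHeaders.WWW_AUTHENTICATE, SCHEME + " realm=\"api\"").build());
    }
}
```

Because the filter is @PreMatching, abortWith short-circuits the request before any resource method is matched, so an unauthenticated caller never reaches application code.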
Client Security
The JAX-RS 2.0 specification didn't do much to define a common client security API. What's weird is that while it has a standard API for rarely used protocols like two-way SSL with client certificates, it doesn't define one for simple protocols like Basic Authentication. Instead, you have to rely on the vendor implementation of JAX-RS to provide these security features. For example, the RESTEasy framework provides a ContainerRequestFilter you can use to enable Basic Authentication:
import javax.ws.rs.client.Client;
import javax.ws.rs.client.ClientBuilder;
import org.jboss.resteasy.client.jaxrs.BasicAuthentication;

// Client is an interface; the standard factory is ClientBuilder.newClient().
Client client = ClientBuilder.newClient();
// Registers a request filter that adds an Authorization: Basic header to every request.
client.register(new BasicAuthentication("username", "password"));
You construct the BasicAuthentication filter with the username and password you want to authenticate with. That's it. Other JAX-RS implementations might have other mechanisms for doing this.
JAX-RS 2.0 does have an API for enabling two-way SSL with client certificates. The ClientBuilder class allows you to specify a java.security.KeyStore that contains the client certificate you want to use to authenticate:
public abstract class ClientBuilder {
   // Implementations supply this form; the password protects the private key inside the KeyStore.
   public abstract ClientBuilder keyStore(final KeyStore keyStore, final char[] password);

   // Convenience overload that delegates to the char[] form.
   public ClientBuilder keyStore(final KeyStore keyStore, final String password) {
      return keyStore(keyStore, password.toCharArray());
   }
}
Alternatively, it has methods to create your own SSLContext, but creating one is quite complicated and beyond the scope of this topic.