Menu
I am looking for some pointers on how to secure my rest root resource
@Path("/employee")
public class EmployeeResource {
@GET
@Produces("text/html")
public String get(
@QueryParam("name") String empname,
@QueryParam("sn") String sn) {
// Return a data back.
}
}
I have read post's regarding basic authetication and OAuth, I know the concept but i am looking for ways on how to implement it in code.
Thanks
475
Users of the REST API can authenticate by providing a user ID and password to the REST API login resource with the HTTP POST method. An LTPA token is generated that enables the user to authenticate future requests. This LTPA token has the prefix LtpaToken2 .
Spring Framework The REST capabilities are provided by the Spring MVC module (same module that provides model-view-controller capabilities). It is not a JAX-RS implementation and can be seen as a Spring alternative to the JAX-RS standard.
Declare an interceptor:
<bean id="securityInterceptor" class="AuthenticatorInterceptor">
<property name="users">
<map>
<entry key="someuser" value="somepassword"/>
</map>
</property>
Then use it:
<jaxrs:server address="/">
<jaxrs:inInterceptors>
<ref bean="securityInterceptor"/>
</jaxrs:inInterceptors>
(etc)
Then your AuthenticationInterceptor, along the lines of:
import java.util.Map;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.PhaseInterceptor;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.configuration.security.AuthorizationPolicy;
import org.apache.cxf.interceptor.Interceptor;
import org.springframework.beans.factory.annotation.Required;
public class AuthenticatorInterceptor extends AbstractPhaseInterceptor<Message> {
private Map<String,String> users;
@Required
public void setUsers(Map<String, String> users) {
this.users = users;
}
public AuthenticatorInterceptor() {
super(Phase.RECEIVE);
}
public void handleMessage(Message message) {
AuthorizationPolicy policy = message.get(AuthorizationPolicy.class);
if (policy == null) {
System.out.println("User attempted to log in with no credentials");
throw new RuntimeException("Denied");
}
String expectedPassword = users.get(policy.getUserName());
if (expectedPassword == null || !expectedPassword.equals(policy.getPassword())) {
throw new RuntimeException("Denied");
}
}
}
Defining acceptable credentials in a more convenient way is left as an exercise for the reader.
70
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
