JAX-RS, how to prevent user A from accessing user B's restful resource

I'm using JAX-RS on Glassfish to implement a set of resources, which can be accessed only by specific users.

Consider two users, userA and userB, both registered in my website.

  1. userA created its own resource http://{localhost}/service/user/A;
  2. userB created its own resource http://{localhost}/service/user/B;

Then Glassfish's default security implementation was configured as:

  1. User Role can access /services/user/*
  2. userA and userB are both in User Role.

So when logged in, both userA and userB can access /service/user/A and /service/user/B.

Now the question: is it possible that

  • userA can only access /services/user/A, but not /services/user/B

and at the same time

  • userB can only access /services/user/B, but not /services/user/A

I think I must have missed something, because this is a common need I believe. Can anyone help?

Xiangyu asked Oct 25 '12 14:10



1 Answer

That is something that you have to implement at the application level. The application server has no way to know about your security policy, which could be quite sophisticated. You could do it yourself (adding logic in User resource), and that might be the right approach if your security policy is simple. Otherwise, you should look at Spring Security, which can be integrated with JAX-RS. That will give you a lot of flexibility.

Olivier Liechti answered Sep 25 '22 18:09

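The "add logic in the User resource" route from the answer, as an added example that is not part of the original post or of any Glassfish code: the container still does authentication and the coarse "User role may reach /service/user/*" check, and the resource itself does the per-object ownership check. It assumes the authenticated principal's name is the same identifier that appears in the path (userA owns /service/user/userA), and uses only JAX-RS 1.1 classes so it works on the Glassfish generation in the question.

```java
import java.util.logging.Logger;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;

@Path("/user")
public class UserResource {

    private static final Logger LOG = Logger.getLogger(UserResource.class.getName());

    // Role name from the question's Glassfish configuration.
    private static final String USER_ROLE = "User";

    @GET
    @Path("/{userId}")
    @Produces(MediaType.TEXT_PLAIN)
    public String getUser(@PathParam("userId") String userId,
                          @Context SecurityContext sc) {
        // Defence in depth: the container should already have enforced this,
        // but a misconfigured web.xml must not silently expose the resource.
        if (sc.getUserPrincipal() == null || !sc.isUserInRole(USER_ROLE)) {
            throw new WebApplicationException(Response.Status.UNAUTHORIZED);
        }
        // Object-level check: userA may read /user/userA, never /user/userB.
        enforceOwnership(sc.getUserPrincipal().getName(), userId);
        return "profile of " + userId;   // placeholder for the real lookup
    }

    /**
     * Compares the caller with the owner of the requested object and fails
     * closed with 403. Assumption: principal name == path identifier; a real
     * application would look the owner up in its own data store instead.
     */
    static void enforceOwnership(String caller, String ownerId) {
        if (!caller.equals(ownerId)) {
            // Denied cross-user access is worth logging: repeated hits from one
            // account are a useful signal for monitoring.
            LOG.warning("principal " + caller + " denied access to user " + ownerId);
            throw new WebApplicationException(Response.Status.FORBIDDEN);
        }
    }
}
```

The same `enforceOwnership` call belongs on every method of the resource (PUT, DELETE, sub-resources), since the container's URL pattern cannot tell one user's object from another's.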