JAX-RS: How to secure REST endpoints?

I am using JBoss AS and JAX-RS for creating REST endpoints.

Let's say my class looks like

import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.core.Response;

@Path("/users")
public class UserResource {

  @GET
  public Response getAccount() {
    // The method is declared to return Response, so wrap the body instead of returning a bare String
    return Response.ok("hello").build();
  }
}

Now getAccount is not authenticated at the moment

Wanted
- I would like to add authentication so that when code hits getAccount the user is authenticated
- I would like the authentication to be driven by annotations instead of XML configurations, if at all possible
- I would like to do the database comparison to see if the user is valid

Problem
- I have never done that so I have no idea how to implement it
- I have googled around a lot and found Jersey examples

UPDATE
- I would like to send authentication credentials with each request and not create any session

Please guide me with one simple working example and I would try to extend from there

daydreamer asked Aug 06 '13 16:08

1 Answer

What you need is a stateless Spring Security configuration in front of your JAX-RS endpoints. I have addressed the exact problem you are trying to solve, but I don't have my own code to share.

Here is one project which has done the exact thing you are asking for. Some wise man has done it all for you ;)

https://github.com/philipsorst/angular-rest-springsecurity

What is the magic?

  1. You have one unprotected URL which does the authentication and sets the user roles as well.
  2. Then you return some kind of token and put it somewhere in a cache; it will be expected on every subsequent call.
  3. Upon a new request on other protected resources, you check if the token is present in your cache/session store (you need some mechanism to keep track of valid tokens).
  4. If the token is present and valid, you do the programmatic log-in in Spring Security, which ensures that you can use all the security features Spring provides (annotations, JSTL tags etc.)!
  5. Once the token validation has passed, you will get the logged-in user details in your controllers (aka JAX-RS resources) to deal with security further.
  6. If the token was not valid or not present, it would be trapped by the failure endpoint, which would return the appropriate response (401).

Refer to the following link to understand how stateless Spring Security is configured: https://github.com/philipsorst/angular-rest-springsecurity/blob/master/src/main/resources/context.xml

See how a user is validated for the first time and a token is generated: https://github.com/philipsorst/angular-rest-springsecurity/blob/master/src/main/java/net/dontdrinkandroot/example/angularrestspringsecurity/rest/resources/UserResource.java

Here is the class where the programmatic login is performed on every request after the token check: https://github.com/philipsorst/angular-rest-springsecurity/blob/master/src/main/java/net/dontdrinkandroot/example/angularrestspringsecurity/rest/AuthenticationTokenProcessingFilter.java

Rakesh Waghela answered Sep 18 '22 19:09
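An added example, not part of the question or the answer and not the linked project's code: the token check from steps 3, 4 and 6 written as a plain JAX-RS 2.0 name-bound filter, without Spring Security. It assumes a JAX-RS 2.0 runtime (e.g. RESTEasy 3 on WildFly); `Secured`, `TokenAuthFilter` and `VALID_TOKENS` are names chosen here, and the map stands in for the token cache the answer describes. Putting `@Secured` on `getAccount` makes the filter reject any request without a known token with 401 before the method runs, and the resource can read the user from the injected `SecurityContext`.

```java
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.security.Principal;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.annotation.Priority;
import javax.ws.rs.NameBinding;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;

// Name-binding annotation: mark any resource method that must present a valid token.
@NameBinding
@Retention(RetentionPolicy.RUNTIME)
@interface Secured {}

// Hypothetical filter: runs before every @Secured method, ahead of other filters.
@Secured
@Provider
@Priority(Priorities.AUTHENTICATION)
public class TokenAuthFilter implements ContainerRequestFilter {

    // Stand-in for the token store from the answer (token -> user name). A real
    // deployment would use an expiring cache so issued tokens do not live forever.
    static final Map<String, String> VALID_TOKENS = new ConcurrentHashMap<>();

    @Override
    public void filter(ContainerRequestContext ctx) {
        String header = ctx.getHeaderString(HttpHeaders.AUTHORIZATION);
        if (header == null || !header.startsWith("Bearer ")) { abort(ctx); return; }
        final String user = VALID_TOKENS.get(header.substring("Bearer ".length()).trim());
        if (user == null) { abort(ctx); return; }  // unknown or expired token -> 401
        // Counterpart of the answer's "programmatic log-in": expose the user to the resource.
        final boolean secure = ctx.getSecurityContext().isSecure();
        ctx.setSecurityContext(new SecurityContext() {
            public Principal getUserPrincipal() { return () -> user; }
            public boolean isUserInRole(String role) { return false; } // roles: from the user's DB record
            public boolean isSecure() { return secure; }
            public String getAuthenticationScheme() { return "Bearer"; }
        });
    }

    private static void abort(ContainerRequestContext ctx) {
        ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                .header(HttpHeaders.WWW_AUTHENTICATE, "Bearer realm=\"users\"").build());
    }
}
```

The login endpoint from steps 1 and 2 would do the database check and put the generated token into `VALID_TOKENS`; the filter never touches the database itself, so the per-request cost is one cache lookup.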