Menu
I am developing a REST application, which is using the Jersey framework. I would like to know how I can control user authentication. I have searched many places, and the closest article I have found is this: http://weblogs.java.net/blog/2008/03/07/authentication-jersey.
However this article can only be used with a GlassFish server and an attached database. Is there anyway that I can implement an interface in Jersey and use it as a filter before reaching the requested REST resource?
I want to use basic authentication right now, but it should be flexible enough such that I can change that at a later time.
731
Use of basic authentication is specified as follows: The string "Basic " is added to the Authorization header of the request. The username and password are combined into a string with the format "username:password", which is then base64 encoded and added to the Authorization header of the request.
x you can do this to authenticate each request with basic auth (preemptive mode): client. register(HttpAuthenticationFeature. basic(userName, password)); // rest invocation code ..
To add the authentication credentials, click Next. Login—Enter basic authorization user name of the REST API web service. Password—Enter the password of the basic authorization protocol. (Optional) If the REST API web service requires custom headers to establish a connection, in Headers, add the headers and the values.
Application credential requirements The client must create a POST call and pass the user name, password, and authString in the Request headers using the /x-www-form-urlencoded content type. The AR System server then performs the normal authentication mechanisms to validate the credentials.
I'm sucessfully using spring security for securing my Jersey-based API. It has pluggable authentication schemes allowing you to switch from Basic Auth to something else later. I'm not using Spring in general, just the security stuff.
Here is the relevant part from my web.xml
<listener> <listener-class> org.springframework.web.context.ContextLoaderListener </listener-class> </listener> <context-param> <param-name>contextConfigLocation</param-name> <param-value> /WEB-INF/security-applicationContext.xml, /WEB-INF/applicationContext.xml </param-value> </context-param> <!-- Enables Spring Security --> <filter> <filter-name>springSecurityFilterChain</filter-name> <filter-class> org.springframework.web.filter.DelegatingFilterProxy </filter-class> <init-param> <param-name>targetBeanName</param-name> <param-value>springSecurityFilterChain</param-value> </init-param> </filter> <filter-mapping> <filter-name>springSecurityFilterChain</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> You can leave applicationContext.xml empty (<beans></beans>). An example of the security-applicationContext.xml can be found here
53
I'm working on something similar to this. In my implementation, we have Apache httpd front-ended to handle HTTP Basic authentication and it simply forwards all requests with some header information containing the user and roles.
From that, I'm working on parsing these pieces out using a servlet filter to wrap the HttpServletRequest using a post I found on CodeRanch. This allows me to use the javax.annotation.security annotations like @RolesAllowed on each resource I want to filter. To get all of these pieces working, however, I had to add the following to my servlet in the web.xml:
<servlet> <!-- some other settings and such ... --> <init-param> <param-name>com.sun.jersey.spi.container.ResourceFilters</param-name> <param-value>com.sun.jersey.api.container.filter.RolesAllowedResourceFilterFactory</param-value> </init-param> ... </servlet> You might find that Eric Warriner's answer on a recent post of interest: Jersey, Tomcat and Security Annotations
22
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
