Jersey Security

I am quite new to web services. I exposed some REST services using Jersey 2 in integration with Spring. Now I need to protect these REST services using authentication with username / password. I was told not to use Spring Security.

I do not know how to do that. I did a web search, but the different links show different implementations, and I cannot decide how to do this.

I know this is somewhat vague, but please help in this context.

+4
5 answers

The client sends an Authorization header of the form Basic Base64Encoded(username:password). For username peeskillet and password pass, I would get:

Authorization: Basic cGVlc2tpbGxldDpwYXNz

The container can handle this for you through web.xml (see section 48.2 of the Java EE tutorial). With

<transport-guarantee>CONFIDENTIAL</transport-guarantee>

SSL is required as well.

Alternatively, i.e. without relying on the container, you can implement Basic Auth yourself in a ContainerRequestFilter.

See jersey/examples/https-clientserver-grizzly, in particular the SecurityFilter class.

In short:

  • Get the Authorization header. If it is missing, throw an AuthenticationException. The AuthenticationExceptionMapper sets the "WWW-Authenticate" header to "Basic realm=\"" + e.getRealm() + "\"", which is the Basic Auth challenge.

  • Once you have the header, decode the Base64 part into username and password. If it is malformed, throw a WebApplicationException with 400 Bad Request.

  • Look up the user and check the password. If they do not match, throw an AuthenticationException.

  • Once the user is authenticated, create an Authorizer (an implementation of SecurityContext) and set it as the JAX-RS SecurityContext.

If you want @RolesAllowed to work, register RolesAllowedDynamicFeature.

It uses the SecurityContext you set: your Authorizer's isUserInRole is called with the role names from @RolesAllowed({"ADMIN"}), and if the SecurityContext says the user is not in that role, the request is rejected.

You can test it with a browser (e.g. Firefox) or with cURL:

C:/>curl -v -u username:password http://localhost:8080/blah/resource

The -v option shows the request and response headers, including the Base64-encoded Authorization header.

Use SSL.

+11
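As an added example (not the answer's code and not the jersey SecurityFilter it refers to), here is a Jersey 2 ContainerRequestFilter that does what the bullet list above describes: parse the Basic header, reject malformed credentials with 400, challenge with 401 and WWW-Authenticate, and install a SecurityContext that RolesAllowedDynamicFeature can consult. The in-memory user table, the realm name "my-realm", the role names "USER"/"ADMIN" and the use of Java 9+ Map.of are assumptions made for the illustration.

```java
// Added example: HTTP Basic authentication as a Jersey 2 (javax.ws.rs) filter.
// Assumptions: a hard-coded user table stands in for the real store, and the
// realm and role names are invented for the illustration.
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Base64;
import java.util.Map;
import java.util.Set;
import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;

@Provider
@Priority(Priorities.AUTHENTICATION) // run before any authorization filter
public class BasicAuthFilter implements ContainerRequestFilter {

    private static final String REALM = "my-realm"; // assumed realm name

    // Constructed sample store: username -> password and username -> roles.
    // Real code would hold salted password hashes, never plaintext.
    private static final Map<String, String> PASSWORDS =
            Map.of("peeskillet", "pass", "alice", "s3cret");
    private static final Map<String, Set<String>> ROLES =
            Map.of("peeskillet", Set.of("ADMIN", "USER"), "alice", Set.of("USER"));

    @Override
    public void filter(ContainerRequestContext ctx) throws IOException {
        String header = ctx.getHeaderString(HttpHeaders.AUTHORIZATION);
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            ctx.abortWith(challenge("Missing or non-Basic Authorization header"));
            return;
        }
        String[] parts;
        try {
            byte[] raw = Base64.getDecoder().decode(header.substring(6).trim());
            // split on the first ':' only, since the password may contain ':'
            parts = new String(raw, StandardCharsets.UTF_8).split(":", 2);
        } catch (IllegalArgumentException e) {
            ctx.abortWith(Response.status(Response.Status.BAD_REQUEST)
                    .entity("Malformed Basic credentials").build());
            return;
        }
        if (parts.length != 2 || !credentialsValid(parts[0], parts[1])) {
            ctx.abortWith(challenge("Invalid username or password"));
            return;
        }
        String user = parts[0];
        boolean secure = ctx.getSecurityContext().isSecure(); // true only over TLS
        ctx.setSecurityContext(new BasicSecurityContext(user, ROLES.get(user), secure));
    }

    /** Constant-time comparison so timing does not reveal how many bytes matched. */
    static boolean credentialsValid(String user, String password) {
        String expected = PASSWORDS.get(user);
        if (expected == null) {
            return false;
        }
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     password.getBytes(StandardCharsets.UTF_8));
    }

    /** 401 plus WWW-Authenticate, so browsers and curl know to send Basic credentials. */
    private static Response challenge(String message) {
        return Response.status(Response.Status.UNAUTHORIZED)
                .header(HttpHeaders.WWW_AUTHENTICATE, "Basic realm=\"" + REALM + "\"")
                .entity(message).build();
    }

    /** The SecurityContext that RolesAllowedDynamicFeature consults for @RolesAllowed. */
    static final class BasicSecurityContext implements SecurityContext {
        private final String user;
        private final Set<String> roles;
        private final boolean secure;

        BasicSecurityContext(String user, Set<String> roles, boolean secure) {
            this.user = user;
            this.roles = roles;
            this.secure = secure;
        }
        @Override public Principal getUserPrincipal() { return () -> user; }
        @Override public boolean isUserInRole(String role) { return roles.contains(role); }
        @Override public boolean isSecure() { return secure; }
        @Override public String getAuthenticationScheme() { return SecurityContext.BASIC_AUTH; }
    }
}
```

Register it together with org.glassfish.jersey.server.filter.RolesAllowedDynamicFeature on the ResourceConfig (register(BasicAuthFilter.class); register(RolesAllowedDynamicFeature.class);); @RolesAllowed({"ADMIN"}) on a resource then yields 403 for alice and 200 for peeskillet. The filter deliberately answers an unknown user and a wrong password with the same 401 body; the remaining timing difference for unknown users is the map lookup, which a real store would want to mask as well.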

Note:

Spring and Spring Security (formerly Acegi) are separate projects.

Spring also works with the standard J2EE security mechanisms. (Edit: ...)

For REST, the HTTP authentication mechanisms are:

  •   
  • BASIC  
  •   
  •   

For REST, the one used in practice is BASIC.

Note: putting credentials in the URL (...) is not a good option, Digest is more complicated, so (...) BASIC. BASIC without SSL is not secure, but with SSL BASIC is fine. BASIC over HTTPS is the common choice for REST.

Finally, the status codes: when authentication fails, return 401 with the auth challenge header; when the user is authenticated but not authorized, return 403.

+1

As said above, the simplest option is BASIC.

In Tomcat, define a realm (e.g. a JDBCRealm) in server.xml and the security constraints in web.xml.

+1

Another approach is token-based authentication, which also works well for JavaScript clients.

The idea is that the client logs in once, receives a token, and sends that token with every subsequent request.

First, the login resource:

import java.util.UUID;
import javax.ws.rs.Consumes;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

@Path("/login")
public class AuthenticationResource {

    @POST
    @Consumes("application/json")
    public Response authenticate(Credentials credential) {
        // check in your DB or anywhere you need to (userStore is a placeholder)
        boolean canBeLoggedIn = userStore.check(credential);

        if (canBeLoggedIn) {
            UUID uuid = UUID.randomUUID();
            Token token = new Token();
            token.setToken(uuid.toString());
            // save your token associated with the user (tokenStore is a placeholder)
            tokenStore.save(token, credential);

            return Response.ok(token).type(MediaType.APPLICATION_JSON_TYPE).build();
        } else {
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }
    }
}

Then a protected resource:

import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Response;

@Path("/payment")
@AuthorizedWithToken
public class Payments {

    @GET
    @Produces("application/json")
    public Response sync() {
        (...)
    }
}

@AuthorizedWithToken is a custom annotation, declared with @NameBinding:

import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import javax.ws.rs.NameBinding;

@NameBinding
@Target({ElementType.METHOD, ElementType.TYPE})
@Retention(RetentionPolicy.RUNTIME)
public @interface AuthorizedWithToken {}

And the filter bound to it:

import java.io.IOException;
import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

@AuthorizedWithToken
@Provider
@Priority(Priorities.AUTHENTICATION) // run before other filters on the resource
public class XAuthTokenFilter implements ContainerRequestFilter {

    private static final String X_AUTH_TOKEN = "X-Auth-Token";

    @Override
    public void filter(ContainerRequestContext crc) throws IOException {
        String headerValue = crc.getHeaderString(X_AUTH_TOKEN);
        if (headerValue == null) {
            crc.abortWith(Response.status(Response.Status.FORBIDDEN)
                    .entity("Missing " + X_AUTH_TOKEN + " value").build());
            return;
        }

        // tokenStore is a placeholder for whatever saved the token at login
        if (!tokenStore.exists(headerValue)) {
            crc.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                    .entity("Wrong " + X_AUTH_TOKEN + " value").build());
            return;
        }
    }
}

You can create any number of your own annotations that test various things in the HTTP request and mix them. However, you need to pay attention to Priorities, but that is actually easy to work out. This method requires HTTPS, but that is obvious.

+1
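The answer above leaves the token's generation, storage and lifetime as "save your token". As an added example (not the answer's code), here is a token store that fills in those parts: the token is 256 bits from SecureRandom, only its SHA-256 hash is kept server-side, every token carries an expiry and can be revoked, and a filter resolves the header to a user. The class names TokenStore, Session and TokenAuthFilter, the 30-minute lifetime, the "auth.user" request property and the use of Java 16+ records are assumptions made for this illustration.

```java
// Added example: opaque bearer tokens with secure generation, hashed storage,
// expiry and revocation, plus the Jersey 2 filter that checks them.
// Assumptions: in-memory store, 30-minute lifetime, names invented here.
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

public final class TokenStore {
    public static final String HEADER = "X-Auth-Token";
    private static final Duration LIFETIME = Duration.ofMinutes(30); // assumed
    private static final SecureRandom RNG = new SecureRandom();

    /** What the server keeps per token: the owner and when it stops being valid. */
    public record Session(String user, Instant expiresAt) {}

    // Keyed by SHA-256 of the token, so a leaked copy of the store (logs,
    // DB dump) does not hand out usable tokens.
    private final Map<String, Session> sessions = new ConcurrentHashMap<>();

    /** Call after the password check succeeded; returns the raw token for the client. */
    public String issue(String user) {
        byte[] raw = new byte[32];                  // 256 bits of entropy, unguessable
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessions.put(hash(token), new Session(user, Instant.now().plus(LIFETIME)));
        return token;
    }

    /** Returns the owning user, or null if the token is unknown, expired or revoked. */
    public String resolve(String token) {
        if (token == null) {
            return null;
        }
        String key = hash(token);
        Session s = sessions.get(key);
        if (s == null) {
            return null;
        }
        if (Instant.now().isAfter(s.expiresAt())) {
            sessions.remove(key);                   // lazy cleanup of expired tokens
            return null;
        }
        return s.user();
    }

    /** Logout: the token stops working immediately, whatever its expiry. */
    public void revoke(String token) {
        sessions.remove(hash(token));
    }

    private static String hash(String token) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256")
                    .digest(token.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(d);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);     // SHA-256 is mandatory in every JRE
        }
    }
}

// Filter that consults the store; the answer's @AuthorizedWithToken @NameBinding
// annotation would go on it as well.
@Provider
@Priority(Priorities.AUTHENTICATION)
class TokenAuthFilter implements ContainerRequestFilter {
    private static final TokenStore STORE = new TokenStore(); // single shared instance (assumed)

    @Override
    public void filter(ContainerRequestContext ctx) throws IOException {
        String user = STORE.resolve(ctx.getHeaderString(TokenStore.HEADER));
        if (user == null) {
            // 401 for missing, wrong and expired tokens alike: the client must log in again
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                    .entity("Missing, invalid or expired " + TokenStore.HEADER).build());
            return;
        }
        // resources read this via an injected @Context ContainerRequestContext
        ctx.setProperty("auth.user", user);
    }
}
```

The login resource calls STORE.issue(username) after the password check and returns the string; a logout endpoint calls STORE.revoke(token). Because only the hash is stored, the raw token exists in exactly two places, the client and the request header, which is why HTTPS is not optional here.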