You can secure Java API for RESTful Web Services (JAX-RS) resources by using annotations that specify security settings.
This task assumes that you have developed the application and identified the JAX-RS resources that you want to secure using annotations for security.
You can choose to annotate at the class level or at the method level. The following rules govern the annotations for security:
@Path(value="/addresses")
@PermitAll                        // class-level default: any caller may invoke the methods
public class AddressBookResource {
    @GET
    @Produces(value="text/plain")
    public String getList() {     // no method-level annotation, so the class-level @PermitAll applies
        return "";
    }
    @PUT
    @RolesAllowed("Manager")      // method-level annotation overrides the class-level @PermitAll
    public void updateList(String[] books) {
    }
}
@Path(value="/addresses")
@PermitAll
@RolesAllowed("Employee")         // both at class level: @RolesAllowed wins, @PermitAll is ignored
public class AddressBookResource {
    @GET
    @Produces(value="text/plain")
    public String getList() {     // only callers in the Employee role can invoke this
        return "";
    }
}
In the previous code example, both @PermitAll and @RolesAllowed are specified at the class level. The @RolesAllowed annotation takes precedence and the @PermitAll annotation is ignored, so only callers in the Employee role can invoke getList(). Similarly, if the @RolesAllowed annotation and the @DenyAll annotation are both specified, the @DenyAll annotation takes precedence.
Likewise, if the @PermitAll and @DenyAll annotations are both specified at the method level or at the class level, the @DenyAll annotation takes precedence. Whenever annotations conflict, the more restrictive one wins (@DenyAll over @RolesAllowed over @PermitAll), which conforms to the fail-safe defaults principle: a mistake in the annotations locks a resource down rather than opening it up.
@Path(value="/addresses")
@PermitAll
public class AddressBookResource {
    @GET
    @Produces(value="text/plain")
    public String getList() {
        return "";
    }
    @PUT
    @RolesAllowed("Administrator")
    public void updateList(String books) {
    }
}
@Path(value="/addresses")
@PermitAll
public class LocalAddressBookResource
        extends AddressBookResource {
    @PUT
    @RolesAllowed("LocalAdministrator")   // the overriding method declares its own @RolesAllowed
    @Path(value="local")                  // reachable at PUT /addresses/local
    public void updateList(String books) {
    }
}
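The following is an added example, not code from the page or from WebSphere or Apache Wink. It implements the precedence rules stated above (a method-level annotation overrides the class-level one; on the same element @DenyAll beats @RolesAllowed, which beats @PermitAll) as a small reflective resolver and runs it against models of the AddressBookResource, LocalAddressBookResource and Employee examples, reduced to their security annotations. The class names, the treatment of a completely unannotated method as unconstrained, and the use of the declaring class for the class-level fallback are assumptions of this example. It needs javax.annotation-api on the classpath on JDK 11 or later, because the javax.annotation.security package is no longer bundled with the JDK.

```java
import java.lang.reflect.AnnotatedElement;
import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;

/**
 * Resolves the effective security annotation of a resource method with the precedence
 * rules described on this page. Added example, not WebSphere or Wink code.
 */
public final class AnnotationPrecedenceDemo {

    /** The winning annotation for a method, plus its roles when it is RolesAllowed. */
    public static final class Effective {
        public final String kind;        // "DenyAll", "RolesAllowed" or "PermitAll"
        public final Set<String> roles;  // non-empty only for RolesAllowed
        Effective(String kind, Set<String> roles) { this.kind = kind; this.roles = roles; }
        @Override public String toString() { return "RolesAllowed".equals(kind) ? kind + roles : kind; }
    }

    /** Precedence on a single element (class or method): DenyAll > RolesAllowed > PermitAll. */
    private static Effective resolveElement(AnnotatedElement element) {
        if (element.isAnnotationPresent(DenyAll.class)) {
            return new Effective("DenyAll", Collections.<String>emptySet());
        }
        RolesAllowed rolesAllowed = element.getAnnotation(RolesAllowed.class);
        if (rolesAllowed != null) {
            return new Effective("RolesAllowed", new LinkedHashSet<>(Arrays.asList(rolesAllowed.value())));
        }
        if (element.isAnnotationPresent(PermitAll.class)) {
            return new Effective("PermitAll", Collections.<String>emptySet());
        }
        return null;  // nothing declared at this level
    }

    /** Method-level annotations win; otherwise fall back to the class that declares the method. */
    public static Effective resolve(Method method) {
        Effective onMethod = resolveElement(method);
        if (onMethod != null) return onMethod;
        Effective onClass = resolveElement(method.getDeclaringClass());
        if (onClass != null) return onClass;
        // Assumption of this example: no annotation at either level means unconstrained.
        return new Effective("PermitAll", Collections.<String>emptySet());
    }

    /** Authorization decision for a caller that holds the given roles. */
    public static boolean isAllowed(Method method, Set<String> callerRoles) {
        Effective effective = resolve(method);
        if ("DenyAll".equals(effective.kind)) return false;
        if ("PermitAll".equals(effective.kind)) return true;
        return !Collections.disjoint(effective.roles, callerRoles);
    }

    // The page's resources reduced to their security annotations (JAX-RS annotations omitted).
    @PermitAll
    public static class AddressBookResource {
        public String getList() { return "list"; }
        @RolesAllowed("Administrator") public void updateList(String books) { }
    }

    @PermitAll @RolesAllowed("Employee")   // both at class level: RolesAllowed wins
    public static class EmployeeAddressBookResource {
        public String getList() { return "list"; }
    }

    @PermitAll
    public static class LocalAddressBookResource extends AddressBookResource {
        @Override @RolesAllowed("LocalAdministrator")   // the override carries its own constraint
        public void updateList(String books) { }
    }

    @PermitAll @DenyAll                    // conflicting class-level annotations: DenyAll wins
    public static class RetiredResource {
        public void ping() { }
    }

    private static void show(Method method, Set<String> callerRoles) {
        System.out.printf("%-28s %-11s effective=%-30s caller=%-20s allowed=%s%n",
                method.getDeclaringClass().getSimpleName(), method.getName(),
                resolve(method), callerRoles, isAllowed(method, callerRoles));
    }

    public static void main(String[] args) throws NoSuchMethodException {
        Set<String> anonymous = Collections.emptySet();
        Method getList = AddressBookResource.class.getMethod("getList");
        Method update = AddressBookResource.class.getMethod("updateList", String.class);
        Method localUpdate = LocalAddressBookResource.class.getMethod("updateList", String.class);
        show(getList, anonymous);
        show(update, anonymous);
        show(update, Collections.singleton("Administrator"));
        show(localUpdate, Collections.singleton("Administrator"));   // Administrator is not enough here
        show(localUpdate, Collections.singleton("LocalAdministrator"));
        show(EmployeeAddressBookResource.class.getMethod("getList"), anonymous);
        show(EmployeeAddressBookResource.class.getMethod("getList"), Collections.singleton("Employee"));
        show(RetiredResource.class.getMethod("ping"), Collections.singleton("Administrator"));
    }
}
```

Run it with `javac` and `java AnnotationPrecedenceDemo`. The output table shows the class-level @PermitAll applying to getList(), the method-level @RolesAllowed("Administrator") overriding it on updateList(), the subclass override requiring LocalAdministrator rather than Administrator, and the two class-level conflicts resolving to the more restrictive annotation.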
The @RolesAllowed annotation is not a repeatable annotation, so specifying it more than once on the same method or class, as in the following code snippet, is a compile-time error:
@RolesAllowed("role1")
@RolesAllowed("role2")
public String foo() {
    return "";
}
Specify all of the roles in a single annotation instead, using the following code snippet:
@RolesAllowed({"role1", "role2"})
public String foo() {
    return "";
}
Annotations for security follow the declarative security model. Security constraints that are configured in the deployment descriptor, the web.xml file, take precedence over security constraints that are annotated in the application: the web container enforces the constraints in the web.xml file first, and the JAX-RS runtime environment checks the annotated constraints only after the web container has let the request through. A request must therefore satisfy both layers. The annotations are additional to any configured security constraints, not a replacement for them; in particular, an annotation by itself does not cause the container to authenticate the caller, which is what the security constraint and login configuration in the web.xml file do. Developers of JAX-RS resources must therefore balance the constraints configured in the web.xml file against the annotated constraints, typically using the web.xml file to require authentication and transport protection for the whole application and the annotations to decide which roles may call which methods.
<web-app id="WebApp_someID">
  <servlet>
    <servlet-name>AddressBookAppSample</servlet-name>
    <servlet-class>org.apache.wink.server.internal.servlet.RestServlet</servlet-class>
    <init-param>
      <param-name>javax.ws.rs.Application</param-name>
      <param-value>jaxrs.sample.AddressBookApplication</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet-mapping>
    <!-- must match the servlet-name declared above -->
    <servlet-name>AddressBookAppSample</servlet-name>
    <url-pattern>/*</url-pattern>
  </servlet-mapping>
  <security-constraint id="SecurityConstraint_1">
    <web-resource-collection id="WebResourceCollection_1">
      <web-resource-name>AddressBookAppSample</web-resource-name>
      <description>Protection area for Rest Servlet</description>
      <url-pattern>/*</url-pattern>
      <!-- Listing http-method elements limits this constraint to these verbs; any other verb
           (DELETE, HEAD, OPTIONS, ...) reaches the servlet unconstrained. Omit the http-method
           elements to cover every verb. -->
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint id="AuthConstraint_1">
      <description>Role1 for this rest servlet</description>
      <!-- must match the security-role declared below -->
      <role-name>Role1</role-name>
    </auth-constraint>
    <user-data-constraint id="UserDataConstraint_1">
      <!-- CONFIDENTIAL requires HTTPS, so the BASIC credentials are never sent in clear text -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-role id="SecurityRole_1">
    <description>This Role is used to drive authentication</description>
    <role-name>Role1</role-name>
  </security-role>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>test realm</realm-name>
  </login-config>
</web-app>
In the previous sample web.xml file, Role1 is used for the entire application: every GET, POST or PUT request under /* must arrive over HTTPS from an authenticated caller who is in Role1. If you are only defining declarative security annotations and you are not using the authorization constraints from the web.xml file to distinguish roles, you can map this role for the JAX-RS application to the AllAuthenticated special subject when you deploy the application. The web.xml constraint then serves only to force user authentication, and the annotations on the resources decide which roles may invoke which methods. Two points to check in such a deployment: the http-method list restricts the constraint to the verbs named, so a verb that is not listed (for example DELETE) is not constrained by the web container at all and reaches the JAX-RS runtime without authentication; omit the http-method elements to cover every verb, or, on Servlet 3.1 and later, add the deny-uncovered-http-methods element to the web.xml file. And the role name in the auth-constraint must be the same role that is declared in the security-role element and mapped at deployment, otherwise no caller satisfies the constraint.
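The following is an added example, not code from the page or from WebSphere or Apache Wink, that models the web container stage for the sample web.xml above: URL pattern, http-method list, auth-constraint role, transport guarantee and the deployment-time mapping of Role1 to the AllAuthenticated special subject. It shows which requests the container stops before any JAX-RS annotation is consulted, and that a verb missing from the http-method list (DELETE here) reaches the servlet unconstrained while the same constraint with no http-method elements covers it. The class and method names, the outcome names, the order in which the transport guarantee and authentication are checked, and the simplified URL matching (exact and "/*" path-prefix patterns only) are assumptions of this example, not a specification of the container's behaviour.

```java
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.function.Predicate;

/**
 * Simplified model of one web.xml security-constraint, showing what the web container
 * decides before the JAX-RS runtime sees the request. Added example, not WebSphere or Wink code.
 */
public final class ContainerConstraintDemo {

    /** What the container does with a request before any annotation is consulted. */
    enum Outcome { UNCONSTRAINED, REQUIRE_HTTPS, CHALLENGE_401, FORBIDDEN_403, AUTHORIZED }

    /** The caller as the container sees it; a null principal means anonymous. */
    static final class Caller {
        final String principal;
        final Set<String> roles;
        Caller(String principal, String... roles) {
            this.principal = principal;
            this.roles = new LinkedHashSet<>(Arrays.asList(roles));
        }
        boolean authenticated() { return principal != null; }
    }

    /** One security-constraint: url-pattern, http-method list, auth-constraint role, transport-guarantee. */
    static final class SecurityConstraint {
        final String urlPattern;        // exact path, or a path-prefix pattern ending in "/*"
        final Set<String> httpMethods;  // empty means every method, as in the Servlet specification
        final String roleName;          // auth-constraint role-name
        final boolean confidential;     // transport-guarantee CONFIDENTIAL

        SecurityConstraint(String urlPattern, Set<String> httpMethods, String roleName, boolean confidential) {
            this.urlPattern = urlPattern;
            this.httpMethods = httpMethods;
            this.roleName = roleName;
            this.confidential = confidential;
        }

        /** Exact and path-prefix matching only; extension patterns are left out of this model. */
        boolean covers(String method, String path) {
            boolean pathMatches = urlPattern.endsWith("/*")
                    ? path.startsWith(urlPattern.substring(0, urlPattern.length() - 1))
                    : path.equals(urlPattern);
            return pathMatches && (httpMethods.isEmpty() || httpMethods.contains(method));
        }
    }

    /**
     * Container-stage decision. roleBinding is the deployment-time mapping of the constraint's
     * role, for example "any authenticated user" when Role1 is mapped to AllAuthenticated.
     */
    static Outcome check(SecurityConstraint c, String method, String path, boolean https,
                         Caller caller, Predicate<Caller> roleBinding) {
        if (!c.covers(method, path)) return Outcome.UNCONSTRAINED;  // goes straight to the servlet
        if (c.confidential && !https) return Outcome.REQUIRE_HTTPS;
        if (!caller.authenticated()) return Outcome.CHALLENGE_401;  // login-config BASIC challenge
        return roleBinding.test(caller) ? Outcome.AUTHORIZED : Outcome.FORBIDDEN_403;
    }

    public static void main(String[] args) {
        // The sample web.xml: /* for GET, POST and PUT, role Role1, transport CONFIDENTIAL.
        SecurityConstraint asOnPage = new SecurityConstraint("/*",
                new LinkedHashSet<>(Arrays.asList("GET", "POST", "PUT")), "Role1", true);
        // The same constraint with the http-method elements omitted, so every verb is covered.
        SecurityConstraint allVerbs = new SecurityConstraint("/*", new LinkedHashSet<String>(), "Role1", true);
        // Role1 mapped to the AllAuthenticated special subject versus an explicit group mapping.
        Predicate<Caller> allAuthenticated = Caller::authenticated;
        Predicate<Caller> explicitRole1 = caller -> caller.roles.contains("Role1");

        Caller anonymous = new Caller(null);
        Caller alice = new Caller("alice", "Manager");   // authenticated, but not in Role1

        System.out.println("GET    http  anonymous        : " + check(asOnPage, "GET", "/addresses", false, anonymous, allAuthenticated));
        System.out.println("GET    https anonymous        : " + check(asOnPage, "GET", "/addresses", true, anonymous, allAuthenticated));
        System.out.println("GET    https alice (AllAuth)  : " + check(asOnPage, "GET", "/addresses", true, alice, allAuthenticated));
        System.out.println("GET    https alice (explicit) : " + check(asOnPage, "GET", "/addresses", true, alice, explicitRole1));
        // DELETE is not in the http-method list, so the container does not constrain it at all.
        System.out.println("DELETE https anonymous        : " + check(asOnPage, "DELETE", "/addresses", true, anonymous, allAuthenticated));
        System.out.println("DELETE https anonymous, fixed : " + check(allVerbs, "DELETE", "/addresses", true, anonymous, allAuthenticated));
    }
}
```

Run it with `javac` and `java ContainerConstraintDemo`. The two DELETE lines are the point: with the http-method list copied from the sample, an anonymous DELETE is UNCONSTRAINED and is handed to the JAX-RS runtime, where only the resource's own annotations stand between the caller and the method; with the http-method elements omitted, the same request gets the BASIC challenge like every other verb.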
You have defined secure JAX-RS resources using declarative security annotations.
@Path(value="/addresses")
@PermitAll
public class AddressBookResource {
    @GET
    @Produces(value="text/plain")
    public String getList() {
        return "";
    }
    @RolesAllowed("Administrator")
    @PUT
    public void updateList(String books) {
    }
}