This topic applies to WebSphere Application Server Liberty V8.5.5.9 and earlier. For the latest Liberty topics, see the WebSphere Application Server Liberty documentation.
Implementation of secure JAX-RS applications
The JAX-RS 1.1 runtime environment from IBM® is
driven by a servlet derived from the Apache Wink project. The JAX-RS 2.0 runtime environment is driven by a servlet derived from the Apache CXF 3.0.2.
Within the WebSphere® Application Server environment, the lifecycle of servlets is
managed in the web container. Therefore, the security services offered by the web container are
applicable to REST resources that are deployed in WebSphere Application Server.
You can define and add security constraints on the REST resources using the same tools that is
used to assemble REST applications. These constraints are captured in the J2EE web deployment
descriptor that is associated with your application. The following list describes security
definitions that you can include in the deployment descriptor:
- User authentication when invoking REST resources embodied in the application, including
- HTTP basic authentication.
- Form login authentication.
- Authorization control over REST resources as defined by the URL patterns for the resources.
- Use of SSL for transport when invoking REST resources.
- Programmatic use of the SecurityContext object to determine user identity and roles.
For more information, see:
- Securing JAX-RS applications within the web container
- Securing JAX-RS resources using annotations
- Securing downstream JAX-RS resources
Note: In Liberty, the default context root is the name of the WAR file. For more information
about options when configuring context roots, see Deploying a web application to Liberty.