Securing RESTful Web Services
This post describes how to secure Web services that conform to the Representational State Transfer (REST) architectural style using the Java API for RESTful Web Services (JAX-RS).
We can secure RESTful Web services using one of the following methods:
- Updating the web.xml deployment descriptor to define security configuration.
- Using the javax.ws.rs.core.SecurityContext interface to implement security programmatically.
- Applying annotations to your JAX-RS classes.
Securing RESTful Web Services Using web.xml
We secure RESTful Web services using the web.xml deployment descriptor as we would for other Java EE Web applications.
To secure your RESTful Web service using basic authentication, perform the following steps:
- Define a <security-constraint> for each set of RESTful resources (URIs) that you plan to protect.
- Use the <login-config> element to define the type of authentication you want to use and the security realm to which the security constraints will be applied.
- Define one or more security roles using the <security-role> tag and map them to the security constraints defined in step 1.
- To enable encryption, add the <user-data-constraint> element and set its <transport-guarantee> subelement to CONFIDENTIAL.
    <web-app>
        <servlet>
            <servlet-name>RestfulServlet</servlet-name>
            <servlet-class>com.sun.jersey.spi.container.servlet.ServletContainer</servlet-class>
        </servlet>
        <servlet-mapping>
            <servlet-name>RestfulServlet</servlet-name>
            <url-pattern>/*</url-pattern>
        </servlet-mapping>
        <security-constraint>
            <web-resource-collection>
                <web-resource-name>Employees</web-resource-name>
                <url-pattern>/employees</url-pattern>
                <http-method>GET</http-method>
                <http-method>POST</http-method>
            </web-resource-collection>
            <auth-constraint>
                <role-name>admin</role-name>
            </auth-constraint>
        </security-constraint>
        <login-config>
            <auth-method>BASIC</auth-method>
            <realm-name>default</realm-name>
        </login-config>
        <security-role>
            <role-name>admin</role-name>
        </security-role>
    </web-app>
Securing RESTful Web Services Using SecurityContext
The javax.ws.rs.core.SecurityContext interface provides access to security-related information for a request. The SecurityContext provides functionality similar to javax.servlet.http.HttpServletRequest, enabling you to access the following security-related information:
- java.security.Principal object containing the name of the user making the request.
- Authentication type used to secure the resource, such as BASIC_AUTH, FORM_AUTH, and CLIENT_CERT_AUTH.
- Whether the authenticated user is included in a particular role.
- Whether the request was made using a secure channel, such as HTTPS.
You access the SecurityContext by injecting an instance into a class field, setter method, or method parameter using the javax.ws.rs.core.Context annotation.
    package com.rest.helloworld;

    import javax.ejb.Stateless;
    import javax.ws.rs.GET;
    import javax.ws.rs.Path;
    import javax.ws.rs.Produces;
    import javax.ws.rs.core.Context;
    import javax.ws.rs.core.SecurityContext;
    // ...

    @Path("/stateless")
    @Stateless(name = "JaxRSStatelessEJB")
    public class MyApp {
        // ...

        @GET
        @Produces("text/plain;charset=UTF-8")
        @Path("/hello")
        public String sayHello(@Context SecurityContext sc) {
            // Only callers that the container has placed in the admin role get the greeting.
            if (sc.isUserInRole("admin")) {
                return "Hello World!";
            }
            throw new SecurityException("User is unauthorized.");
        }
    }
Securing RESTful Web Services Using Annotations
The javax.annotation.security package provides annotations that you can use to secure your RESTful Web services, as in the following example.
Restful Annotations
    package com.rest.helloworld;

    import javax.ws.rs.GET;
    import javax.ws.rs.Path;
    import javax.ws.rs.Produces;
    import javax.annotation.security.RolesAllowed;

    // Class-level annotation: by default every resource method requires ADMIN or ORG1.
    @Path("/helloworld")
    @RolesAllowed({"ADMIN", "ORG1"})
    public class HelloWorld {

        // Method-level annotation overrides the class-level one: sayHello is ADMIN only.
        @GET
        @Path("sayHello")
        @Produces("text/plain")
        @RolesAllowed("ADMIN")
        public String sayHello() {
            return "Hello World!";
        }
    }
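The annotations above are only declarative; whether they are enforced depends on the JAX-RS runtime, and some runtimes require a role-checking filter or feature to be registered before @RolesAllowed has any effect. The following JAX-RS 2.0 ContainerRequestFilter is an added example, not code from the original post, showing how such enforcement works by combining the annotations with the SecurityContext from the previous section (the class name RolesAllowedFilter and the realm name "default" in the challenge are assumptions; the realm matches the web.xml above):

```java
import java.lang.reflect.AnnotatedElement;
import javax.annotation.Priority;
import javax.annotation.security.*;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.*;
import javax.ws.rs.core.*;
import javax.ws.rs.ext.Provider;

// Added example: enforces javax.annotation.security annotations on JAX-RS resources.
@Provider
@Priority(Priorities.AUTHORIZATION) // runs after the container's AUTHENTICATION filters
public class RolesAllowedFilter implements ContainerRequestFilter {
    @Context
    private ResourceInfo resourceInfo;

    @Override
    public void filter(ContainerRequestContext ctx) {
        // A method-level annotation overrides the class-level one (as in HelloWorld above).
        AnnotatedElement target = resourceInfo.getResourceMethod();
        if (!hasSecurityAnnotation(target)) {
            target = resourceInfo.getResourceClass();
        }
        if (target.isAnnotationPresent(DenyAll.class)) {
            ctx.abortWith(Response.status(Response.Status.FORBIDDEN).build());
            return;
        }
        RolesAllowed ra = target.getAnnotation(RolesAllowed.class);
        if (ra == null || target.isAnnotationPresent(PermitAll.class)) {
            return; // unrestricted resource
        }
        SecurityContext sc = ctx.getSecurityContext();
        if (sc.getUserPrincipal() == null) {
            // Not authenticated: answer 401 with a challenge rather than 403.
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                .header("WWW-Authenticate", "Basic realm=\"default\"").build());
            return;
        }
        for (String role : ra.value()) {
            if (sc.isUserInRole(role)) return; // authenticated and in an allowed role
        }
        ctx.abortWith(Response.status(Response.Status.FORBIDDEN).build());
    }

    private static boolean hasSecurityAnnotation(AnnotatedElement e) {
        return e.isAnnotationPresent(RolesAllowed.class)
            || e.isAnnotationPresent(PermitAll.class)
            || e.isAnnotationPresent(DenyAll.class);
    }
}
```

Role names compared by isUserInRole must match the <security-role> names declared in web.xml exactly, so a resource annotated with "ADMIN" will not be satisfied by the "admin" role declared above.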