Jersey 2.x Security context does not work?

Question

While i am trying to create java jersey application authentication roles does not work for me.

Java code :-

package org.student.resource;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.ext.Provider;

@Path("/resource")
@PermitAll 
public class Resource {
@GET
public String get(){
    return "GET";
}

@RolesAllowed("admin")
@POST
public String post(){
    return "Post content.";
}

}

Deployment descriptor :-

<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://xmlns.jcp.org/xml/ns/javaee"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
id="WebApp_ID" version="3.1">
<display-name>JerseyAuthentication</display-name>
<servlet>
    <servlet-name>Application</servlet-name>
    <servlet-class>org.glassfish.jersey.servlet.ServletContainer</servlet-class>
</servlet>
<servlet-mapping>
    <servlet-name>Application</servlet-name>
    <url-pattern>/*</url-pattern>
</servlet-mapping>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Resource</web-resource-name>
        <url-pattern>/resource/*</url-pattern>
        <http-method>GET</http-method>
    </web-resource-collection>
</security-constraint>
<welcome-file-list>
    <welcome-file>login.html</welcome-file>
</welcome-file-list>
 </web-app>

Headers :-

Cache-Control →private
Content-Language →en
Content-Length →1010
Content-Type →text/html;charset=utf-8
Date →Sat, 19 Sep 2015 08:14:18 GMT
Expires →Thu, 01 Jan 1970 05:30:00 IST
Server →Apache-Coyote/1.1

Kindly some help me to do this.i want to know assign roles to resources.

Answer 1

So three things you need to do

First..

Set up the security realm in Tomcat (I'm assuming that's the server by Server →Apache-Coyote/1.1). You can read more about creating realms at Realm Configuration HOW-TO.

The easiest realm to configure is the UserDatabaseRealm, but this is in no way recommended for production. It's just to get you up and running in development. All you need to do is go to the tomcat-users.xml file in ${TOMCAT_HOME}/conf. Then just edit the file it should look something like

<tomcat-users>
  <user username="Murugesan" password="secret" roles="admin" />
  <user username="peeskillet"  password="superSecret" roles="user"  />
</tomcat-users>

Second..

You still need to configure the web.xml a bit. You need to do a few things

1. Declare the roles allowed to use the application. You can put this below the </security-contraint>

   <security-role>
       <role-name>user</role-name>
   </security-role>
   <security-role>
       <role-name>admin</role-name>
   </security-role>
   

2. Declare the roles allowed to access the path defined in the <security-constraint>

   <security-constraint>
       <web-resource-collection>
           <web-resource-name>Protected Area</web-resource-name>
           <url-pattern>/api/protected/*</url-pattern>
           <http-method>GET</http-method>
       </web-resource-collection>
       <auth-constraint>
           <role-name>*</role-name>
       </auth-constraint>
   </security-constraint>
   

   Here we are saying that any authenticated user (*) with one of the declared roles is allowed through the servlet container security control on through to the Jersey application. Alternatively you can define the roles instead of *. This will cause the servlet container to handle the access control. But if you want more fine grained control, just let all authenticated users in, and handle the access control inside Jersey with the annotations like you are currently doing.

3. You need to define the <login-config> to declare what type of authentication. There are only three. FORM, DIGEST, BASIC. Here we will use BASIC, and also declare the realm in which the user are located.

   <login-config>
       <auth-method>BASIC</auth-method>
       <realm-name>UserDatabaseRealm</realm-name>
   </login-config>
   

   You can put this below the </security-role>

Lastly..

You just need to configure Jersey to handle the security annotations by registering the RolesAllowedDynamicFeature. You can do that in the web.xml

<servlet>
    <servlet-name>Application</servlet-name>
    <servlet-class>org.glassfish.jersey.servlet.ServletContainer</servlet-class>
    <init-param>
        <param-name>jersey.config.server.provider.packages</param-name>
        <param-value>org.student.resource</param-value>
    </init-param>
    <init-param>
        <param-name>jersey.config.server.provider.classnames</param-name>
        <param-value>
            org.glassfish.jersey.server.filter.RolesAllowedDynamicFeature
        </param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>

See Also:

• Securing Web Applications for more information on configuring security in the web.xml