
I have exposed some REST APIs using Jersey 2 (Tomcat server) and successfully implemented Basic authentication (I only need the authentication part, not authorization) using a ContainerRequestFilter, as below:

import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Context;

public class AuthFilter implements ContainerRequestFilter {

    @Context
    HttpServletRequest request;

    @Override
    public void filter(ContainerRequestContext context) {
        ............................
        // getting the username/password from the Authorization header and validating them
    }
}

When I told my lead the same, he said not to use filters, as every time the REST API is hit this filter will get invoked; therefore I should implement Basic authentication at the container level instead. I am using Tomcat. In web.xml, this is defined:

<servlet-class>org.glassfish.jersey.servlet.ServletContainer</servlet-class>

Is the above what he is referring to? Can anyone please guide me on how to implement it the way my lead is suggesting?

Anand
1 Answer


The documentation gives you examples on how to configure this via web.xml. You'll need to configure this using a login-config that belongs to a realm. The web container then takes care of securing resources based on URL patterns.

  • Note that the data is sent in plain text (in encoded form) via an HTTP header, so you'll need to think of ways to ensure that it is not snooped on (like HTTPS).
  • Whether you check this header in a filter or in the container does not relieve you of the overhead required for making the check (which is probably negligible, but I've never profiled this area of the code to quote numbers).
Deepak Bala
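The web.xml that the answer refers to, written out as an added example (this is not the answerer's own configuration, and the servlet name, the /api/* mapping, the role name api-user and the Jersey package com.example.rest are assumed values). A security-constraint with an auth-constraint is what makes the container demand credentials; the login-config selects BASIC; the user-data-constraint addresses the plaintext-header caveat in the answer by forcing TLS. The realm-name here is only the text shown in the WWW-Authenticate challenge; the store the credentials are checked against is the Tomcat Realm, configured outside web.xml.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

  <!-- The Jersey servlet from the question. Servlet name, package and mapping are assumed. -->
  <servlet>
    <servlet-name>jersey</servlet-name>
    <servlet-class>org.glassfish.jersey.servlet.ServletContainer</servlet-class>
    <init-param>
      <param-name>jersey.config.server.provider.packages</param-name>
      <param-value>com.example.rest</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>jersey</servlet-name>
    <url-pattern>/api/*</url-pattern>
  </servlet-mapping>

  <!-- Container-managed security: every request under /api/ must carry valid credentials. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>REST API</web-resource-name>
      <url-pattern>/api/*</url-pattern>
      <!-- No <http-method> list on purpose: the constraint then covers every method.
           Listing only GET and POST would leave PUT, DELETE, OPTIONS etc. unprotected. -->
    </web-resource-collection>
    <auth-constraint>
      <!-- Authentication only: any user who holds this role gets in, and every user in the
           realm is given it. On Servlet 3.1 containers (Tomcat 8+) the special role name
           "**" means "any authenticated user" and removes the need to assign a role at all. -->
      <role-name>api-user</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- Basic credentials are merely base64-encoded; CONFIDENTIAL makes Tomcat redirect
           plain HTTP requests to HTTPS so the header is never sent in the clear. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <!-- Free-form text returned in the WWW-Authenticate challenge; it does not select a Realm. -->
    <realm-name>REST API</realm-name>
  </login-config>

  <security-role>
    <role-name>api-user</role-name>
  </security-role>
</web-app>
```

With this in place a request to /api/... without an Authorization header gets a 401 and a WWW-Authenticate: Basic realm="REST API" challenge; one with a valid Authorization: Basic <base64(user:password)> header reaches the Jersey servlet, and the filter from the question is no longer needed. Browsers render the challenge as the credentials dialog mentioned later in the comments; command-line and REST tools simply attach the header.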
  • What is a realm here? Also, to clarify, I only need to do the authentication part, not authorization. – Anand Feb 19 '15 at 05:51
  • A realm can be a file based or database based authentication store. `tomcat-users.xml` is an XML based file realm. – Deepak Bala Feb 19 '15 at 06:12
  • How do I use database-based authentication? In conf/server.xml, do I need to create a realm? Also, what realm name should be given in web.xml? – Anand Feb 19 '15 at 06:23
  • Take a look at [DataSourceRealm](http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#DataSourceRealm). You can choose any realm name. – Deepak Bala Feb 19 '15 at 06:38
  • I successfully implemented it. On hitting a REST API, a dialog box pops up that asks for credentials, but I don't want that; rather, I want to send the Authorization header using some REST tool like Postman, Advanced REST Client, etc. Can you please tell me how to do that? – Anand Feb 19 '15 at 07:14
  • I can answer that, but the comments section cannot hold it in a format that will make sense for other readers. Ask that as a separate question on SO, so everyone can benefit from it. – Deepak Bala Feb 19 '15 at 07:23
  • I have done it using REST client tools as well. Thank you for the guidance. One thing I would like to ask you: what is the difference between these two approaches, filter and realm, and which one is better? As per my lead, the filter gets invoked for every request, which I think is the same for the realm too, since it will check against the database on every REST API call. So what's the difference? – Anand Feb 19 '15 at 08:59
  • The difference is that you let the container handle auth vs. letting the filter handle the auth. They're equally expensive. The container auth mechanism can be applied across apps, so that configuration is re-usable. – Deepak Bala Feb 19 '15 at 09:41
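The Realm side of the setup discussed in the comments (tomcat-users.xml as the file-based realm, DataSourceRealm as the database-backed one), as an added example rather than anything posted in the thread. The JNDI name jdbc/authority, the PostgreSQL URL, the database credentials and the table and column names are assumed; the DataSourceRealm attribute names are Tomcat's own. A per-application context.xml keeps the realm scoped to this WAR; putting the same <Realm> in conf/server.xml instead applies it to every application on the server, which is the re-usability the last comment refers to.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- META-INF/context.xml inside the WAR (or conf/Catalina/localhost/<app>.xml on the server). -->
<Context>

  <!-- Pool the realm queries. Driver, URL and credentials are assumed values; in production
       read the password from a file or environment rather than committing it with the WAR. -->
  <Resource name="jdbc/authority"
            auth="Container"
            type="javax.sql.DataSource"
            driverClassName="org.postgresql.Driver"
            url="jdbc:postgresql://localhost:5432/authdb"
            username="tomcat_auth"
            password="change-me" />

  <!-- Database-backed realm. Tomcat runs, in effect,
         SELECT user_pass  FROM users      WHERE user_name = ?
         SELECT role_name  FROM user_roles WHERE user_name = ?
       so the assumed schema is users(user_name, user_pass) and user_roles(user_name, role_name);
       give every account the role named in web.xml's <auth-constraint> (api-user in this setup). -->
  <Realm className="org.apache.catalina.realm.DataSourceRealm"
         dataSourceName="jdbc/authority"
         localDataSource="true"
         userTable="users"
         userNameCol="user_name"
         userCredCol="user_pass"
         userRoleTable="user_roles"
         roleNameCol="role_name">

    <!-- Tomcat 8+: compare against salted, iterated SHA-256 digests so user_pass never holds
         plaintext. Tomcat 6 and 7 have no CredentialHandler; they take a digest="SHA-256"
         attribute on the <Realm> element instead, which hashes without a salt. -->
    <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler"
                       algorithm="SHA-256"
                       iterations="10000"
                       saltLength="16" />
  </Realm>

  <!-- For comparison, the file-based realm from the earlier comment. It reads conf/tomcat-users.xml,
       which by default stores passwords in plaintext, so it suits development, not production. -->
  <!--
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
         resourceName="UserDatabase" />
  -->
</Context>
```

Whichever realm is chosen, the check runs on every request, exactly as the filter did; the container approach buys a single, auditable configuration and a standard 401/WWW-Authenticate exchange, not fewer credential checks.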