
I am using Java EE 6; this is the first time I am using JAX-RS. I have this resource class, but I have no idea why my session is not retrieved when accessing the service. Login works fine and the principal can be retrieved in other parts of the application.

import javax.annotation.Resource;
import javax.ejb.EJB;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;

@Path("/countries")
@Stateless
public class CountryResource {

    @Resource
    SessionContext ctx;

    @EJB
    private CityBean cityBean;

    @Path("/countryid/{countryid}")
    @GET
    @Produces("application/xml")
    public String getCountryByPk(@PathParam("countryid") Long tlCountryId){
        if(ctx != null){
            System.out.println(ctx.getCallerPrincipal());
        }

        String country = null;
        // ... lookup of the country elided in the original question
        return country;
    }
}

This outputs anonymous even though I have logged in successfully. Before I tried using SessionContext I was trying to make @RolesAllowed work, but did not make progress there either. I also have the JaxRsActivator class. Is there anything I need to know about JAX-RS pertaining to sessions?

import javax.ws.rs.ApplicationPath;
import javax.ws.rs.core.Application;

@ApplicationPath("/rest")
public class JaxRsActivator extends Application {
}
Arjan Tijms
Mark DL

2 Answers


As I see it, yours is a stateless application, so sessions won't be used inherently. You have to explicitly add a cookie or session identifier in the request/response object to maintain the state of the application.

@Stateless
public class CountryResource {

Check this & this

Maintaining State manually

As you can see, with a traditional client-server application, state is maintained automatically. It does not require any manual intervention on the part of the programmer. This is not the case with a stateless web application, but what manual steps are available to maintain state between requests?

Using arguments in the URL. This can lead to large and unmanageable URLs, and there is a limit to the maximum size of a URL. It also means that a user can edit a URL and effectively change state, with unpredictable results.

Using hidden fields in a form. This can lead to large forms which are therefore slower to transmit. Even though the data may be hidden in the rendered document it is still possible for the user to see it by using the browser's "view source" option. It is even possible for the user to edit the source and change some of the values before they are transmitted back to the server.

Using cookies. There is a limit to the amount of data which can be stored in a cookie, there is a limit to the number of cookies which can be active at any one time, and larger cookies will take longer to transit. Even worse, the client has the option to disable cookies altogether.

Using files on the server. In PHP this ability is provided through a facility called sessions which allows data to be recorded either in a disk file or in a database table. The advantage here is that all data is maintained on the server, so nothing is transmitted to the client (except for a session name and id). It is therefore not possible for the client to view or edit this session data.

Community
underdog

First of all, make sure that the CountryResource class is deployed as an EJB bean. Some application servers (e.g. JBoss EAP 6.x + RestEasy 2.x) have the drawback that a RESTful resource cannot be an EJB bean out of the box. (How to enable it, e.g. for JBoss EAP 6.x + RestEasy 2.x, you can see in my other answer: https://stackoverflow.com/a/35085385/466677)

Then check if the principal (authentication info) is correctly propagated from the web resource to the EJB bean (SessionContext). E.g. for JBoss EAP 6.x + RestEasy 2.x it can be done with the following changes in the war file:

jboss-web.xml

<jboss-web>
    <security-domain>my-security-domain-name-in-jboss-configuration</security-domain>
</jboss-web>

web.xml - contains the authentication declaration, in this case BASIC auth

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Resteasy auth</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>REST_USER</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>My Realm</realm-name>
</login-config>
<security-role>
    <role-name>REST_USER</role-name>
</security-role>
Community
Marek Gregor
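The resource below is an added diagnostic example; it is not code from the question or from either answer. It ties the two answers together: the second answer says to check whether the class is really deployed as an EJB and whether the principal is propagated from the web layer to the EJB layer, and the first answer raises the question of session state. The resource reports the caller as seen by the servlet container, by the JAX-RS runtime and by the EJB container, plus whether an HttpSession or JSESSIONID cookie accompanied the request. The role name REST_USER is the one from the web.xml above; the package name, the `/whoami` path, the class name and the plain-text output format are assumptions of this example.

```java
package com.example.rest; // assumed package name

import java.security.Principal;

import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.PermitAll;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.ws.rs.CookieParam;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;

// Reachable as GET /rest/whoami under the question's JaxRsActivator;
// the "/whoami" path is assumed for this example.
@Path("/whoami")
@Stateless
@DeclareRoles("REST_USER") // role name taken from the answer's web.xml
public class WhoAmIResource {

    // EJB container's view of the caller. Stays null if the container did not
    // deploy this class as an EJB, which is the first thing the answer says to check.
    @Resource
    private SessionContext ejbCtx;

    // @PermitAll so the method body always runs and can report an anonymous caller;
    // once propagation is confirmed, replace it with @RolesAllowed("REST_USER").
    @GET
    @Produces(MediaType.TEXT_PLAIN)
    @PermitAll
    public Response whoAmI(@Context HttpServletRequest request,   // servlet container's view
                           @Context SecurityContext jaxrsCtx,     // JAX-RS runtime's view
                           @CookieParam("JSESSIONID") String sessionCookie) {
        StringBuilder out = new StringBuilder();

        // Layer 1: servlet container (what the rest of the web app sees after login)
        out.append("servlet principal  : ").append(name(request.getUserPrincipal())).append('\n');
        out.append("servlet in role    : ").append(request.isUserInRole("REST_USER")).append('\n');

        // Layer 2: JAX-RS runtime
        out.append("jaxrs principal    : ").append(name(jaxrsCtx.getUserPrincipal())).append('\n');
        out.append("jaxrs auth scheme  : ").append(jaxrsCtx.getAuthenticationScheme()).append('\n');

        // Layer 3: EJB container (what @RolesAllowed on the bean is evaluated against)
        if (ejbCtx == null) {
            out.append("ejb principal      : SessionContext not injected, class not deployed as EJB?\n");
        } else {
            out.append("ejb principal      : ").append(name(ejbCtx.getCallerPrincipal())).append('\n');
            out.append("ejb in role        : ").append(ejbCtx.isCallerInRole("REST_USER")).append('\n');
        }

        // Session state, the point raised in the first answer. getSession(false)
        // only reads; it never creates a session as a side effect of this call.
        HttpSession session = request.getSession(false);
        out.append("http session       : ").append(session == null ? "none" : session.getId()).append('\n');
        out.append("JSESSIONID cookie  : ").append(sessionCookie == null ? "absent" : "present").append('\n');

        return Response.ok(out.toString()).build();
    }

    // Containers differ: some return null for an unauthenticated caller, others
    // a principal literally named "anonymous" (as in the question's output).
    private static String name(Principal p) {
        return p == null ? "null" : p.getName();
    }
}
```

Reading the output: if the servlet principal is already anonymous, the REST URLs are not covered by any security-constraint, which is what the web.xml above adds. If the servlet and JAX-RS layers show the logged-in user but the EJB layer shows anonymous, the web-to-EJB propagation (the security-domain wiring in jboss-web.xml) is the problem. With BASIC auth as declared in that web.xml, the credentials travel on every request, so the EJB principal does not depend on an HttpSession or JSESSIONID cookie being present.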