
My question is very similar to this question

I am trying to use the JAX-RS framework with Jersey along with JSF. I understand I can run them both together in the same app, mapped to different locations (which I have now):

<servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>*.xhtml</url-pattern>
</servlet-mapping>
<servlet-mapping>
    <servlet-name>Rest Web Application</servlet-name>
    <url-pattern>/api/*</url-pattern>
</servlet-mapping>

What I want to do is similar to this, where users can access the REST API but only get back data that they are allowed to see based on their role. For example, if they are a teacher they can go to foo.com/api/students and will only get a JSON response that holds students that are in their classes, not all students in the school.

My issue is that users log in using foo.com/login.xhtml, which is under /*.xhtml, so their role is managed by the JSF session. I think this means that the REST API at /api/students has no way of knowing what user is logged in, who is trying to access it, and therefore what results it should display. It can't even redirect users who aren't logged in to the login page if they just put the URL foo.com/api/students into their web browser; it can only display all of the students.

I hope I am mistaken in thinking this and there is a way to know who is logged in, protect my /api/students REST API from people that aren't logged in, and even return the right data based on their user role if they are logged in.

Please help me understand if what I am trying to do is possible. Thank you.

  • As mentioned in the question you referred to (emphasis mine): _"And, to clear out a conceptual misunderstanding, **you don't and can't "implement REST in JSF" at all**. They are completely independent from each other. They can just easily run next to each other in the same web application in all peace without knowing about each other. The only thing which they might share is the service layer. But that's usually it. The design of the service layer is in turn independent from who's using it."_ Second misconception: sessions are not bound to JSF. – Kukeltje May 17 '16 at 19:40
  • So your actual question should be: "Can I access a JSF managed bean (no CDI?) from a JAX-RS URL?" When you write: _"**I think** this means that the REST API ... has no way of knowing ..."_, then my statement would be: did you try? – Kukeltje May 17 '16 at 19:42
  • As I am new to this technology, I am not sure how to try this. Clearly I have a lot of misconceptions about it. I will try looking for information somewhere else. Thanks for pointing out some of my misconceptions though; I just wish you could say yes or no to whether this is possible instead of answering my question with another question. – May 17 '16 at 19:57
  • You need to configure JAX-RS security constraints independently from JSF. Just do as if JSF doesn't exist at all in the same webapp. Do note that JAX-RS authentication is normally request based, not session based. – BalusC May 17 '16 at 20:26
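As an added illustration of the approach in the comments (not code from the question or its commenters): the servlet container, not JSF, owns the session and the authenticated principal, so a Jersey resource under /api/* can read them through `SecurityContext` and enforce the role check on every request. It assumes container-managed security (a `<security-constraint>` on /api/* with the assumed roles "teacher" and "admin"), and `StudentService`/`Student` are hypothetical service-layer types.

```java
/*
 * Assumed web.xml fragment; it makes the container populate the principal
 * for /api/* requests (JSF's login page can use the same container auth):
 * <security-constraint>
 *   <web-resource-collection>
 *     <web-resource-name>api</web-resource-name>
 *     <url-pattern>/api/*</url-pattern>
 *   </web-resource-collection>
 *   <auth-constraint>
 *     <role-name>teacher</role-name><role-name>admin</role-name>
 *   </auth-constraint>
 * </security-constraint>
 */
import java.security.Principal;
import java.util.List;
import javax.ws.rs.*;
import javax.ws.rs.core.*;

@Path("/students")
public class StudentResource {

    @Context
    private SecurityContext security; // injected by the container per request

    private final StudentService service = new StudentService(); // hypothetical

    @GET
    @Produces(MediaType.APPLICATION_JSON)
    public Response list() {
        Principal user = security.getUserPrincipal();
        if (user == null) {
            // Not authenticated: refuse; never fall back to "all students".
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }
        List<Student> result;
        if (security.isUserInRole("admin")) {            // assumed role name
            result = service.findAll();
        } else if (security.isUserInRole("teacher")) {   // assumed role name
            // Filter server-side by the authenticated identity, never by a
            // teacher id supplied in the request.
            result = service.findByTeacher(user.getName());
        } else {
            return Response.status(Response.Status.FORBIDDEN).build();
        }
        return Response.ok(result).build();
    }
}
```

Because JAX-RS authorization is evaluated per request, the check runs even when the URL is typed directly into a browser, which is the case the question worries about.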

0 Answers