
I've got a web-app using Jersey 3, Tomcat 10 and a DataSourceRealm from Tomcat for authentication.

Running a Servlet works smoothly, but the authorization seems not to take place, as every authenticated user can access resources even though the methods are annotated with @RolesAllowed.

My controller looks like this:

import jakarta.annotation.security.RolesAllowed;
import jakarta.ws.rs.*;
import jakarta.ws.rs.core.*;

@Path("/dataset")
public class DatasetController {

    // one string per role: {"1, 3"} would declare a single role named "1, 3"
    @RolesAllowed({"1", "3"})
    @GET
    @Produces(MediaType.APPLICATION_JSON)
    public Response getAllEntries(@DefaultValue("1") @QueryParam("state") int state) {
        return Response.ok().build();
    }
}

The web.xml looks like this:

    <!-- URL-Mappings -->
    <servlet-mapping>
        <servlet-name>Hello Word</servlet-name>
        <url-pattern>/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>Entries REST Endpoint</servlet-name>
        <url-pattern>/api/*</url-pattern>
    </servlet-mapping>

    <!-- Security Roles -->
    <security-role>
        <role-name>1</role-name>
    </security-role>
    <security-role>
        <role-name>2</role-name>
    </security-role>
    <security-role>
        <role-name>3</role-name>
    </security-role>

    <!-- Login Config -->
    <login-config>
        <auth-method>BASIC</auth-method>
    </login-config>

    <!-- Security Constraints-->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>REST Endpoint</web-resource-name>
            <url-pattern>/api/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>1</role-name>
            <role-name>2</role-name>
            <role-name>3</role-name>
        </auth-constraint>
    </security-constraint>

I've checked the SecurityContext while debugging; the authenticated users get the correct role, e.g. sc.isUserInRole("1/2/3") indicates that the authentication works fine. Roles have to be called 1,2,3, but this seems not to be an issue.

What am I missing? Thank you for any input!

Remo

1 Answer


So there are two different authorization mechanisms you can use: either the one provided by the Servlet container or the one provided by Jersey. With the one provided by the Servlet container, you configure all the roles and security in the web.xml. All the @RolesAllowed annotations do not work when using the Servlet container authorization.

Then you have the Jersey authorization. With Jersey, it will take the authenticated user from the Servlet container authentication, and it will do the authorization based on the @RolesAllowed annotations. If you want to use the Jersey authorization, all you need to do is register the RolesAllowedDynamicFeature.

To use Jersey's authorization, first remove all the authorization configuration you have in your web.xml. Then if you are using a ResourceConfig for your app configuration, just use the following to register the feature.

register(RolesAllowedDynamicFeature.class);

If you are using web.xml for your app configuration, then use the following init-param.

<init-param>
  <param-name>jersey.config.server.provider.classnames</param-name>
  <param-value>org.glassfish.jersey.server.filter.RolesAllowedDynamicFeature</param-value>
</init-param>

And that's pretty much it to get the authorization working.

To others coming across this post, just remember that the OP is using the Servlet container authentication. If you do this, then all you need to do is register the RolesAllowedDynamicFeature to get authorization. If you do not use the Servlet container authentication, then you need to implement your own authentication filter, where you will need to authenticate, then set the SecurityContext. Have a look at this post for more info.

Paul Samsotha
  • Alright, many thanks for your inputs! One last question; why should I not use the authorization mechanisms provided by the servlet container? It seems to do the job with it, actually ^^' To not mix up 2 things in general, or is there more behind it? – Remo Mar 04 '21 at 10:29
  • Yeah, that is what I meant in my 3rd comment. Works fine now, the feature was just missing - didn't see that! Thanks for your time :) – Remo Mar 04 '21 at 14:29
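As an added illustration (not code from the post and not Jersey's own source), the following simplified DynamicFeature re-creates what RolesAllowedDynamicFeature does once it is registered: it reads the jakarta.annotation.security annotations on each resource method and enforces them against the SecurityContext that the servlet container's authentication populated, which is why, without the feature registered, @RolesAllowed is never consulted and every authenticated user gets through. Class and field names are assumed; in an application, register the real org.glassfish.jersey.server.filter.RolesAllowedDynamicFeature instead.

```java
import jakarta.annotation.Priority;
import jakarta.annotation.security.*;
import jakarta.ws.rs.*;
import jakarta.ws.rs.container.*;
import jakarta.ws.rs.core.*;
import java.lang.reflect.AnnotatedElement;

// Simplified re-creation of what Jersey's RolesAllowedDynamicFeature does (not Jersey's code): for every
// resource method, find the applicable security annotation and attach a filter that checks it against the SecurityContext.
public class RolesAllowedFeatureDemo implements DynamicFeature {
    @Override
    public void configure(ResourceInfo info, FeatureContext ctx) {
        // A method-level annotation wins; otherwise the class-level annotation applies.
        AnnotatedElement target = info.getResourceMethod();
        if (!hasSecurityAnnotation(target)) {
            target = info.getResourceClass();
        }
        if (target.isAnnotationPresent(DenyAll.class)) {
            ctx.register(new RolesFilter(true, new String[0]));
        } else if (target.isAnnotationPresent(RolesAllowed.class)) {
            ctx.register(new RolesFilter(false, target.getAnnotation(RolesAllowed.class).value()));
        }
        // @PermitAll or no annotation: no filter; anyone the container let through may call it.
    }

    private static boolean hasSecurityAnnotation(AnnotatedElement e) {
        return e.isAnnotationPresent(DenyAll.class) || e.isAnnotationPresent(RolesAllowed.class)
                || e.isAnnotationPresent(PermitAll.class);
    }

    // Authorization priority: runs after authentication filters, before the resource method.
    @Priority(Priorities.AUTHORIZATION)
    private static final class RolesFilter implements ContainerRequestFilter {
        private final boolean denyAll;
        private final String[] roles;
        RolesFilter(boolean denyAll, String[] roles) { this.denyAll = denyAll; this.roles = roles; }

        @Override
        public void filter(ContainerRequestContext request) {
            // Principal and roles come from the servlet container (Tomcat's DataSourceRealm here).
            SecurityContext sc = request.getSecurityContext();
            if (!denyAll && sc.getUserPrincipal() != null) {
                for (String role : roles) {
                    if (sc.isUserInRole(role)) return;  // allowed: request proceeds to the method
                }
            }
            throw new ForbiddenException();             // 403: unauthenticated or no matching role
        }
    }
}
```

Because the filter relies on the container having authenticated the caller, the web.xml still needs a login-config and a security-constraint that triggers the BASIC challenge for /api/*; only the per-role auth-constraint moves into the @RolesAllowed annotations.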