Securing JAX-RS Web Services (Basic Authentication)

Mar 20

Securing JAX-RS web services is easy, especially when you choose the "Basic Authentication" option. Basic authentication is the simplest way to secure a REST web service: the client sends the username and password, joined by a colon and Base64-encoded, in the Authorization request header, and the server looks the username up in its realm and verifies the password. Keep in mind that Base64 is an encoding, not encryption: anyone who can read the traffic can recover the password, so Basic authentication should only be used over HTTPS.

I'll show you how to secure a REST web service, assuming that you are using Jersey as the JAX-RS implementation and GlassFish as your application server. This takes three steps:

  1. Enable HTTP Basic Authentication in your web.xml.
  2. Configure the realm.
  3. Map user roles to GlassFish groups in sun-web.xml.

Now, let's say we have a products web service, a class like this:

We need to make sure that only authenticated and authorized users can add new products. So we follow these steps:

  1. Enable HTTP Basic Authentication in your web.xml

     This step tells your application server which resources and HTTP methods are secured and which roles are allowed to invoke them. Basically the web.xml will look like this:

    Here's what each tag does:

    • security-constraint : defines access privileges for a collection of resources.
      • url-pattern : the URL pattern you want to secure.
      • http-method : the methods to be protected. Only the methods you list are constrained; in a Servlet 3.0 container such as GlassFish 3.1, any method you leave out (PUT or DELETE, say) stays open to anonymous callers, so list every method that changes state.
      • auth-constraint : the names of the roles authorized to access the URL patterns and HTTP methods declared by this security constraint. An authenticated user who is not in one of these roles gets a 403.
    • login-config : defines how HTTP requests are authenticated.
      • auth-method : BASIC, DIGEST, FORM, or CLIENT_CERT.
      • realm-name : the name of the database of users and groups that identifies valid users of the web application. On GlassFish it must match a configured realm (the built-in file realm is named "file"); it is also the realm string sent back in the WWW-Authenticate challenge.
    • security-role : lists all of the security roles used in the application. For every <role-name> used in an <auth-constraint> you must define a corresponding <security-role>.
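A complete web.xml for the step above, written here as an added example rather than the descriptor from the original post. The resource path /rest/products, the role name admin, the Jersey package com.example.rest and the realm name file are assumptions. It goes a little beyond the post in two respects: it lists PUT and DELETE next to POST, because any method not named in http-method stays unprotected on a Servlet 3.0 container, and it adds a user-data-constraint so the Base64-encoded credentials only travel over HTTPS.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- WEB-INF/web.xml: added example, not the original post's descriptor.
     Path, role, package and realm names below are assumptions. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

  <!-- Jersey 1.x servlet (the version bundled with GlassFish 3.1);
       the package that holds the resource classes is an assumption. -->
  <servlet>
    <servlet-name>Jersey REST Service</servlet-name>
    <servlet-class>com.sun.jersey.spi.container.servlet.ServletContainer</servlet-class>
    <init-param>
      <param-name>com.sun.jersey.config.property.packages</param-name>
      <param-value>com.example.rest</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>Jersey REST Service</servlet-name>
    <url-pattern>/rest/*</url-pattern>
  </servlet-mapping>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Product changes</web-resource-name>
      <!-- "/rest/products/*" matches /rest/products itself and every sub-path -->
      <url-pattern>/rest/products/*</url-pattern>
      <!-- Every state-changing method must be listed: an unlisted method
           (say DELETE) would remain reachable without any credentials.
           GET is deliberately left out so the catalogue stays public. -->
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- Basic auth only Base64-encodes the password. CONFIDENTIAL makes the
           container redirect plain HTTP to HTTPS before the challenge is issued,
           so the credentials are never sent in the clear. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <!-- Must name a realm configured in GlassFish; "file" is the built-in file realm -->
    <realm-name>file</realm-name>
  </login-config>

  <!-- Every role referenced in an auth-constraint must be declared here -->
  <security-role>
    <role-name>admin</role-name>
  </security-role>
</web-app>
```

With this descriptor a POST to /rest/products without an Authorization header is answered by the container with 401 and a WWW-Authenticate: Basic realm="file" header before Jersey ever sees the request; a GET still goes through anonymously.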

  2. Configure the realm

     If you don't know what a realm is, take a look at the Overview of Authentication Realms. There are different options when working with realms; I'll pick the simplest one, the File Realm. If you need to configure another type, see the Realm Configuration section of the Oracle GlassFish Server 3.1 Application Development Guide.

    GlassFish Server comes preconfigured with a File Realm named "file". To reach its configuration and start adding users to it, open the GlassFish admin console and follow these screens:

    Screenshot: Accessing GlassFish admin from Eclipse

    Screenshot: Accessing the file realm configuration in GlassFish

    Remember the Assign Groups field, as we will need its value later. Be aware of what it does, though: any group listed there is granted to every user who authenticates through this realm, not just to the user you are about to create. If you want per-user groups, leave it empty and set the group on the user itself in the next screen.

    Screenshot: Assign group to file realm in GlassFish

    Then we add a new user to that group:

    Screenshot: Manage Users for file realm in GlassFish

    Screenshot: Add new user to file realm in GlassFish (user name and password)

    Screenshot: Add new user to file realm in GlassFish (group list)

    The same user can be created from the command line with GlassFish's asadmin tool, e.g. asadmin create-file-user --groups admin username, which prompts for the password instead of taking it on the command line.

  3. Map user roles to GlassFish groups in sun-web.xml

     Now we need to edit WEB-INF/sun-web.xml (create it if it isn't there). Here's what it should look like:

    • security-role-mapping : assigns a security role to a group or user in the application server realm. Without this mapping the role declared in web.xml has no members, and every authenticated request to the constrained methods is rejected with 403.
      • role-name : the role used in the web.xml.
      • group-name : the group name from the realm configuration (the Assign Groups value, or the group given to the user).
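The deployment descriptor for this step, added here as an example; it is not the file from the original post, and the role and group names (both admin) are assumptions that must match the security-role in web.xml and the group given to the user in the file realm.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sun-web-app PUBLIC
  "-//Sun Microsystems, Inc.//DTD GlassFish Application Server 3.0 Servlet 3.0//EN"
  "http://www.sun.com/software/appserver/dtds/sun-web-app_3_0-0.dtd">
<!-- WEB-INF/sun-web.xml: added example, not the original post's file.
     Both "admin" values are assumptions. -->
<sun-web-app>
  <security-role-mapping>
    <!-- role-name must equal a <security-role> declared in web.xml -->
    <role-name>admin</role-name>
    <!-- group-name must equal the group the user holds in the file realm;
         a single user could be mapped instead with <principal-name> -->
    <group-name>admin</group-name>
  </security-role-mapping>
</sun-web-app>
```

GlassFish 3.1 also accepts the newer WEB-INF/glassfish-web.xml, whose root element is glassfish-web-app and which carries the same security-role-mapping element; either file works for this mapping.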

    That was all the configuration needed to start securing JAX-RS web services. The methods we listed in the web.xml (POST) won't be invoked without the created user's credentials. You can check this with curl: a POST to the products resource with no credentials returns 401 and a WWW-Authenticate: Basic realm="file" header, the same POST with -u username:password (curl's option for Basic authentication) reaches the resource, a POST with a valid user who is not in the mapped group returns 403, and a GET still works without any credentials because only the listed methods are constrained.

5 comments

  1. Mohamed sokar

     Thanks boss, I did it with tomcat.

  2. houssemzaier

     Thank you very much 😛

  3. Very good post

  4. Enrique

     Excellent contribution, thank you very much.
