Securing JAX-RS Web Services (Basic Authentication)
Mar 20
Securing JAX-RS web services is an easy thing, especially when choosing the “Basic Authentication” option. Basic authentication is the simplest way to secure your REST web service. It involves sending a Base64-encoded username and password in a request header to the server. The server then checks that the username exists in its system and verifies the sent password.
I’ll show you how to secure a REST web service, assuming that you are using Jersey as the JAX-RS implementation and GlassFish as your application server. This is done in three steps:
- Enable HTTP Basic Authentication in your web.xml.
- Configure the realm.
- Map user roles to GlassFish groups in sun-web.xml.
Now, let’s say we have a products web service, a class like this:

```java
import java.io.InputStream;
import javax.ws.rs.Consumes;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

@Path("/products")
public class ProductResource {

    @POST
    @Consumes(MediaType.APPLICATION_XML)
    public Response addProduct(InputStream is) {
        // Code that adds a product goes here
        return Response.status(Response.Status.CREATED).build();
    }
}
```
We need to make sure that only authenticated and authorized users can add new products. So we will start following these steps:

- Enable HTTP Basic Authentication in your web.xml

This step tells your application server which methods should be secured and the roles that are allowed to access the secured methods. Basically the web.xml will look like this:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         id="WebApp_ID" version="3.0">
    <servlet>
        <servlet-name>Jersey REST Service</servlet-name>
        <servlet-class>com.sun.jersey.spi.container.servlet.ServletContainer</servlet-class>
        <init-param>
            <param-name>com.sun.jersey.config.property.packages</param-name>
            <param-value>com.felfelworld.demo.services</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>Jersey REST Service</servlet-name>
        <!-- every request under /rest/ is handled by Jersey -->
        <url-pattern>/rest/*</url-pattern>
    </servlet-mapping>
    <!-- Security config -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Secure Products</web-resource-name>
            <url-pattern>/rest/products/*</url-pattern>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <description>Only users can add products</description>
            <role-name>USERS</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>file</realm-name>
    </login-config>
    <security-role>
        <role-name>USERS</role-name>
    </security-role>
</web-app>
```

Here’s what each tag does:
- security-constraint: defines access privileges to a collection of resources.
  - url-pattern: the URL pattern you want to secure.
  - http-method: the methods to be protected.
  - auth-constraint: names of the roles authorized to access the URL patterns and HTTP methods declared by this security constraint.
- login-config: defines how HTTP requests should be authenticated.
  - auth-method: BASIC, DIGEST, or CLIENT_CERT.
  - realm-name: name of the database of users and groups that identify valid users of a web application.
- security-role: lists all of the security roles used in the application. For every <role-name> used in an <auth-constraint> you must define a corresponding <security-role>.

- Configure the realm

If you don’t know what a realm is, then you should take a look at this Overview of Authentication Realms. There are different options when working with realms. I’ll pick the simplest one, which is the File Realm. If you need to configure another type, you can visit the Realm Configuration section in the Oracle GlassFish Server 3.1 Application Development Guide.
Now, to start working with the File Realm, you will find that GlassFish Server is preconfigured with it. To access its configuration and start adding users to it, follow these images:
Remember the Assign Group field, as we will need it later:
Then we will add a new user to that group:

- Map user roles to GlassFish groups in sun-web.xml

Now we need to edit the sun-web.xml file (create it if it’s not there). Here’s what it should look like:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sun-web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Application Server 9.0 Servlet 2.5//EN"
  "http://www.sun.com/software/appserver/dtds/sun-web-app_2_5-0.dtd">
<sun-web-app error-url="">
    <security-role-mapping>
        <role-name>USERS</role-name>
        <group-name>USERS</group-name>
    </security-role-mapping>
</sun-web-app>
```

- security-role-mapping: assigns a security role to a group or user in the application server realm.
  - role-name: the role used in the web.xml.
  - group-name: the group name from the realm configuration.
That was all the configuration needed to start securing JAX-RS web services. The methods we specified in the web.xml (POST) won’t get invoked without the credentials of the user we created.
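Two points from the configuration above lend themselves to an automated check: every <role-name> in an <auth-constraint> needs a matching <security-role>, and Basic auth only Base64-encodes the password, so the constraint should also carry a CONFIDENTIAL <transport-guarantee> (the setting that makes the container insist on HTTPS for those URLs). The Python script below is an added example, not code from the post: it parses a constructed web.xml modelled on the one above and reports both kinds of finding.

```python
# Audit a web.xml Basic-auth setup (added example, not from the post). Reports
# roles used in an <auth-constraint> without a <security-role>, and constraints
# behind BASIC auth without a CONFIDENTIAL <transport-guarantee> (Basic auth only
# Base64-encodes the password, so TLS is what keeps it secret).
import xml.etree.ElementTree as ET

# web.xml elements live in the Java EE default namespace; every path needs the prefix.
NS = {"j": "http://java.sun.com/xml/ns/javaee"}

# Constructed sample modelled on the post's web.xml (servlet section omitted).
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secure Products</web-resource-name>
      <url-pattern>/rest/products/*</url-pattern>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>USERS</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>file</realm-name>
  </login-config>
  <security-role>
    <role-name>USERS</role-name>
  </security-role>
</web-app>
"""

# The same file with the guarantee added: what the hardened web.xml should carry.
HARDENED_WEB_XML = SAMPLE_WEB_XML.replace(
    "</auth-constraint>",
    "</auth-constraint>\n    <user-data-constraint>\n"
    "      <transport-guarantee>CONFIDENTIAL</transport-guarantee>\n    </user-data-constraint>",
)

def audit_web_xml(xml_text):
    """Return a list of findings; an empty list means both checks passed."""
    root = ET.fromstring(xml_text)
    declared = {r.text.strip() for r in root.findall("j:security-role/j:role-name", NS)}
    basic = root.findtext("j:login-config/j:auth-method", default="", namespaces=NS).strip() == "BASIC"
    findings = []
    for sc in root.findall("j:security-constraint", NS):
        name = sc.findtext("j:web-resource-collection/j:web-resource-name", default="?", namespaces=NS)
        for role in sc.findall("j:auth-constraint/j:role-name", NS):
            if role.text.strip() not in declared:
                findings.append(f"{name}: role {role.text.strip()} has no <security-role>")
        guarantee = sc.findtext("j:user-data-constraint/j:transport-guarantee", default="NONE", namespaces=NS)
        if basic and guarantee.strip() != "CONFIDENTIAL":
            findings.append(f"{name}: BASIC auth without CONFIDENTIAL transport guarantee")
    return findings
```

Run `audit_web_xml` on your own web.xml text; the sample as written yields one finding, and the hardened copy yields none.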
Thanks, boss, and I did it with Tomcat.
You are welcome 🙂
Thank you very much 😛
Very good post
Excellent contribution, thank you very much.