Securing Restful Web Services
This post describes how to secure Web services that conform to the Representational State Transfer (REST) architectural style using Java API for RESTful Web Services (JAX-RS).
We can secure RESTful Web services using one of the following methods:
- Updating the web.xml deployment descriptor to define security configuration.
- Using the javax.ws.rs.core.SecurityContext interface to implement security programmatically.
- Applying annotations to your JAX-RS classes.
Securing RESTful Web Services Using web.xml
We secure RESTful Web services using the web.xml deployment descriptor as we would for other Java EE Web applications.
To secure your RESTful Web service using basic authentication, perform the following steps:
- Define a security-constraint element for each set of RESTful resources (URIs) that you plan to protect.
- Use the login-config element to define the type of authentication you want to use (BASIC for basic authentication) and the security realm to which the security constraints will be applied.
- Define one or more security roles using the security-role tag and map them to the security constraints defined in step 1.
- To enable encryption, add the user-data-constraint element and set its transport-guarantee subelement to CONFIDENTIAL, so that the credentials sent with basic authentication never travel over a cleartext channel.
Securing RESTful Web Services Using SecurityContext
The javax.ws.rs.core.SecurityContext interface provides access to security-related information for a request. The SecurityContext provides functionality similar to javax.servlet.http.HttpServletRequest, enabling you to access the following security-related information:
- java.security.Principal object containing the name of the user making the request.
- Authentication type used to secure the resource, such as BASIC_AUTH, FORM_AUTH, and CLIENT_CERT_AUTH.
- Whether the authenticated user is included in a particular role.
- Whether the request was made using a secure channel, such as HTTPS.
You access the SecurityContext by injecting an instance into a class field, setter method, or method parameter using the javax.ws.rs.core.Context annotation.
```java
package com.rest.helloworld;

import javax.ejb.Stateless;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.SecurityContext;
// ...

@Path("/stateless")
@Stateless(name = "JaxRSStatelessEJB")
public class MyApp {
    // ...

    @GET
    @Produces("text/plain;charset=UTF-8")
    @Path("/hello")
    public String sayHello(@Context SecurityContext sc) {
        // Programmatic check: the role name must match a security-role declared in web.xml.
        if (sc.isUserInRole("admin"))
            return "Hello World!";
        // A plain SecurityException surfaces as a generic server error unless an
        // ExceptionMapper is registered; throwing
        // new WebApplicationException(Response.Status.FORBIDDEN) yields an explicit 403.
        throw new SecurityException("User is unauthorized.");
    }
}
```
Securing RESTful Web Services Using Annotations
The javax.annotation.security package provides the RESTful annotations (for example @RolesAllowed, used in the example below) that you can use to secure your RESTful Web services. These annotations only decide which roles may call a resource; the caller still has to be authenticated by the container, for example through the login-config described above.
```java
package com.rest.helloworld;

import javax.annotation.security.RolesAllowed;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;

@Path("/helloworld")
@RolesAllowed({"ADMIN", "ORG1"}) // class-level default applied to every resource method
public class HelloWorld {

    @GET
    @Path("sayHello")
    @Produces("text/plain")
    @RolesAllowed("ADMIN") // the method-level annotation overrides the class-level one: only ADMIN may call this
    public String sayHello() {
        return "Hello World!";
    }
}
```