
Securing RESTful Web Services


This post describes how to secure Web services that conform to the Representational State Transfer (REST) architectural style using Java API for RESTful Web Services (JAX-RS).

We can secure RESTful Web services using one of the following methods:
  • Updating the web.xml deployment descriptor to define the security configuration.
  • Using the javax.ws.rs.core.SecurityContext interface to implement security programmatically.
  • Applying annotations to your JAX-RS classes.

Securing RESTful Web Services Using web.xml

We secure RESTful Web services using the web.xml deployment descriptor as we would for other Java EE Web applications.
To secure your RESTful Web service using basic authentication, perform the following steps:
  1. Define a <security-constraint> for each set of RESTful resources (URIs) that you plan to protect.
  2. Use the <login-config> element to define the type of authentication you want to use and the security realm to which the security constraints will be applied.
  3. Define one or more security roles using the <security-role> tag and map them to the security constraints defined in step 1.
  4. To enable encryption, add the <user-data-constraint> element and set the <transport-guarantee> subelement to CONFIDENTIAL.

<servlet>
    <servlet-name>RestfulServlet</servlet-name>
    <servlet-class>com.sun.jersey.spi.container.servlet.ServletContainer</servlet-class>
</servlet>
<servlet-mapping>
    <servlet-name>RestfulServlet</servlet-name>
    <url-pattern>/*</url-pattern>
</servlet-mapping>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Employees</web-resource-name>
        <url-pattern>/employees</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>default</realm-name>
</login-config>
<security-role>
    <role-name>admin</role-name>
</security-role>

Securing RESTful Web Services Using SecurityContext

The javax.ws.rs.core.SecurityContext interface provides access to security-related information for a request. SecurityContext provides functionality similar to javax.servlet.http.HttpServletRequest, enabling you to access the following security-related information:
  1. java.security.Principal object containing the name of the user making the request.
  2. Authentication type used to secure the resource, such as BASIC_AUTH, FORM_AUTH, and CLIENT_CERT_AUTH.
  3. Whether the authenticated user is included in a particular role.
  4. Whether the request was made using a secure channel, such as HTTPS.

You access the SecurityContext by injecting an instance into a class field, setter method, or method parameter using the javax.ws.rs.core.Context annotation.
package com.rest.helloworld;

import javax.ejb.Stateless;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.core.Context;

// ...

@Path("/stateless")
@Stateless(name = "JaxRSStatelessEJB")
public class MyApp {
    // ...
    @GET
    @Produces("text/plain;charset=UTF-8")
    @Path("/hello")
    public String sayHello(@Context SecurityContext sc) {
        // isUserInRole() consults the roles the container assigned when it authenticated the caller
        if (sc.isUserInRole("admin")) return "Hello World!";
        throw new SecurityException("User is unauthorized.");
    }
}

Securing RESTful Web Services Using Annotations

The javax.annotation.security package provides annotations, defined below, that you can use to secure your RESTful Web services.
Restful Annotations
package com.rest.helloworld;

import javax.annotation.security.RolesAllowed;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;

// Class-level annotation: every method requires ADMIN or ORG1 unless a method overrides it.
@Path("/helloworld")
@RolesAllowed({"ADMIN", "ORG1"})
public class HelloWorld {

    // Method-level annotation overrides the class default: ADMIN only.
    @GET
    @Path("sayHello")
    @Produces("text/plain")
    @RolesAllowed("ADMIN")
    public String sayHello() {
        return "Hello World!";
    }
}
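As an added example that is not part of the original post, the hypothetical AccountResource below combines the three mechanisms described above: the container authenticates the caller according to web.xml, annotations declare which roles may reach each method, and SecurityContext is used for checks the annotations cannot express (secure channel, explicit 401 versus 403). The resource path, role names ("user", "admin") and method names are assumptions.

```java
import java.security.Principal;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;

// Hypothetical resource combining the three mechanisms described above: container
// authentication from web.xml, declarative roles via annotations, and programmatic
// checks through SecurityContext. Class-level default: callers need role "user".
@Path("/account")
@RolesAllowed("user")
public class AccountResource {
    // Inherits the class-level @RolesAllowed("user").
    @GET
    @Path("/me")
    @Produces("text/plain")
    public Response whoAmI(@Context SecurityContext sc) {
        // Refuse clear-text requests even if <transport-guarantee> was left at NONE.
        if (!sc.isSecure()) {
            return Response.status(Response.Status.FORBIDDEN).entity("HTTPS required").build();
        }
        Principal p = sc.getUserPrincipal();   // null when nobody authenticated
        if (p == null) {
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }
        return Response.ok(p.getName() + " via " + sc.getAuthenticationScheme()).build();
    }

    // Method-level annotation overrides the class default: admins only.
    @GET
    @Path("/audit")
    @Produces("text/plain")
    @RolesAllowed("admin")
    public Response audit(@Context SecurityContext sc) {
        // Re-check programmatically: a 403 rather than a 500 from an unmapped
        // SecurityException, and still safe if the runtime ignores the annotation.
        if (!sc.isUserInRole("admin")) {
            return Response.status(Response.Status.FORBIDDEN).build();
        }
        return Response.ok("audit log requested by " + sc.getUserPrincipal().getName()).build();
    }

    @GET
    @Path("/health")
    @PermitAll   // overrides the class default: anonymous access allowed
    public Response health() { return Response.ok("up").build(); }
}
```

The annotations are enforced only where the runtime honours them: an EJB container does so for @Stateless resources, whereas a plain Jersey servlet needs its roles-allowed support enabled (RolesAllowedResourceFilterFactory in Jersey 1.x, RolesAllowedDynamicFeature in Jersey 2.x), which is why the programmatic re-check in audit() is kept.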



This post first appeared on Jasdhir's, please read the original post: here
