JAX-RS: Security

HTTPS

Authentication

User authentication is often handled by containers like Tomcat or frameworks like Spring Security. Sometimes you might want to do custom authentication instead. The easiest way to do this is to register a custom invoker or RequestHandler filter which will extract a user name and password like this:

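import javax.ws.rs.core.Response;
import org.apache.cxf.configuration.security.AuthorizationPolicy;
import org.apache.cxf.jaxrs.ext.RequestHandler;
import org.apache.cxf.jaxrs.model.ClassResourceInfo;
import org.apache.cxf.message.Message;

public class AuthenticationHandler implements RequestHandler {
    public Response handleRequest(Message m, ClassResourceInfo resourceClass) {
        // The policy is absent when the request carries no credentials
        AuthorizationPolicy policy = (AuthorizationPolicy)m.get(AuthorizationPolicy.class);
        if (policy == null) {
            return Response.status(401).header("WWW-Authenticate", "Basic").build();
        }
        String userName = policy.getUserName();
        String password = policy.getPassword();
        // Validate userName and password here and return a 401 response on failure
        return null; // null lets the request continue to the resource
    }
}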

A demo called samples\jax_rs\spring_security shows how to provide authentication and authorization with the help of Spring Security.

Please see the [Security] section on how CXF Security interceptors can help. Check this blog entry for more information on how CXF JAX-RS wraps the CXF security interceptors with helper filters.
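
The AuthenticationHandler above stops after reading the user name and password. The following is an added example, not code from CXF or from the original page, showing one way such a filter can verify the credentials and reject the request. The class name VerifyingAuthenticationHandler, the Credential record, the addUser method, the iteration count and the realm string are assumptions made for illustration.

```java
import java.security.MessageDigest;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.ws.rs.core.Response;
import org.apache.cxf.configuration.security.AuthorizationPolicy;
import org.apache.cxf.jaxrs.ext.RequestHandler;
import org.apache.cxf.jaxrs.model.ClassResourceInfo;
import org.apache.cxf.message.Message;

public class VerifyingAuthenticationHandler implements RequestHandler {
    // Hypothetical credential record: per-user salt and PBKDF2 hash, never the clear-text password.
    public static final class Credential {
        final byte[] salt; final byte[] hash;
        public Credential(byte[] salt, byte[] hash) { this.salt = salt; this.hash = hash; }
    }
    private static final int ITERATIONS = 100000;          // assumed work factor
    private static final Credential DUMMY = new Credential(new byte[16], new byte[32]);
    private final Map<String, Credential> users = new ConcurrentHashMap<String, Credential>();

    public void addUser(String name, byte[] salt, char[] password) throws Exception {
        users.put(name, new Credential(salt, pbkdf2(password, salt)));
    }
    public Response handleRequest(Message m, ClassResourceInfo resourceClass) {
        AuthorizationPolicy policy = (AuthorizationPolicy) m.get(AuthorizationPolicy.class);
        if (policy == null || policy.getUserName() == null || policy.getPassword() == null) {
            return unauthorized();                          // no or incomplete credentials
        }
        Credential stored = users.get(policy.getUserName());
        // Hash even for unknown users so response time does not reveal which names exist.
        Credential c = stored != null ? stored : DUMMY;
        try {
            byte[] candidate = pbkdf2(policy.getPassword().toCharArray(), c.salt);
            boolean match = MessageDigest.isEqual(candidate, c.hash);   // constant-time compare
            return (stored != null && match) ? null : unauthorized();   // null = continue to the resource
        } catch (Exception e) {
            return Response.status(500).build();            // fail closed on crypto errors
        }
    }

    private static Response unauthorized() {
        return Response.status(401).header("WWW-Authenticate", "Basic realm=\"example\"").build();
    }
    private static byte[] pbkdf2(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }
}
```

HTTP Basic credentials are only base64-encoded on the wire, so a filter like this belongs behind HTTPS.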

Authorization

SecurityManager and IllegalAccessExceptions

If java.lang.SecurityManager is installed then you'll likely need to configure the trusted JAX-RS codebase with a 'suppressAccessChecks' permission for the injection of JAX-RS context or parameter fields to succeed. This permission lets code bypass Java language access checks through reflection, so grant it only to that codebase. For example, you may want to update a Tomcat catalina.policy with the following permission:

grant codeBase "file:${catalina.home}/webapps/yourwebapp/lib/cxf.jar" {
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
};