https://jersey.java.net/documentation/latest/security.html
About RESTful Web Service Security
You can secure your RESTful web services using one of the following methods to support authentication, authorization, or encryption:
- Attaching Oracle Web Services Manager (OWSM) policies. See Securing RESTful Web Services and Clients Using OWSM Policies.Note: This section applies to RESTful web services and clients that are built using Jersey 1.x JAX-RS RI only. RESTful web services and clients that are built using Jersey 2.5.1 (JAX-RS 2.0 RI) cannot be secured using OWSM policies in this release.
- Updating the
web.xml
deployment descriptor to access information about the authenticated users. See Securing RESTful Web Services Using web.xml. - Using the
javax.ws.rs.core.SecurityContext
interface to access security-related information for a request. See Securing RESTful Web Services Using SecurityContext. - Applying annotations to your JAX-RS classes. See Securing RESTful Web Services Using Java Security Annotations.
For information about developing RESTful web service clients using Oracle JDeveloper, see "How to Attach Policies to RESTful Web Services and Clients" in Developing Applications with Oracle JDeveloper.
Securing RESTful Web Services and Clients Using OWSM Policies
Note:
You can attach OWSM policies to RESTful web services and clients that are built using Jersey 1.x JAX-RS RI only. RESTful web services and clients that are built using Jersey 2.5.1 (JAX-RS 2.0 RI) cannot be secured using OWSM policies in this release.
Only a subset of OWSM security policies are supported for RESTful web services, as described in "Which OWSM Policies Are Supported for RESTful Web Services" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
You can attach OWSM security policies to RESTful web services using one of the following methods:
- Programmatically, at design time, as described in "Attaching Policies to RESTful Web Services and Clients at Design Time" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
- Post-deployment, both directly and globally, using:
- Fusion Middleware Control, as described in "Attaching Policies Using Fusion Middleware Control" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
- WLST, as described in "Attaching Policies Using WLST" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Example 6-1 provides an example of using WLST to attach the
oracle/http_basic_auth_over_ssl_service_policy
policy to a RESTful service. For more information, see "Attaching Policies Directly Using WLST" in Securing Web Services and Managing Policies with Oracle Web Services Manager.C:\Oracle\Middleware\oracle_common\common\bin> wlst.cmd ... wls:/offline> connect("weblogic","password","t3://myAdminServer.example.com:7001") Connecting to t3://myAdminServer.example.com:7001" with userid weblogic ... Successfully connected to Admin Server "AdminServer" that belongs to domain "my_domain". Warning: An insecure protocol was used to connect to the server. To ensure on-the-wire security, the SSL port or Admin port should be used instead. wls:/my_domain/serverConfig> beginWSMSession() Location changed to domainRuntime tree. This is a read-only tree with DomainMBean as the root. For more help, use help('domainRuntime') Session started for modification. wls:/my_domain/serverConfig> selectWSMPolicySubject('weblogic/my_domain/jaxrs_pack', '#jaxrs_pack.war', 'REST-Resource(Jersey)') The policy subject is selected for modification. wls:/my_domain/serverConfig> attachWSMPolicy('oracle/http_basic_auth_over_ssl_service_policy') Policy reference "oracle/http_basic_auth_over_ssl_service_policy" added. wls:/my_domain/serverConfig> commitWSMSession() The policy set for subject "/weblogic/my_domain/jaxrs_pack|#jaxrs_pack.war|REST-Resource(Jersey)" was saved successfully.
Securing RESTful Web Services Using web.xml
You secure RESTful web services using the
web.xml
deployment descriptor as you would for other Java EE Web applications. For complete details, see:- "Developing Secure Web Applications" in Developing Applications with the WebLogic Security Service.
- "Securing Web Applications" in The Java EE 6 Tutorial
For example, to secure your RESTful web service using basic authentication, perform the following steps:
- Define a
<security-constraint>
for each set of RESTful resources (URIs) that you plan to protect. - Use the
<login-config>
element to define the type of authentication you want to use and the security realm to which the security constraints will be applied. - Define one or more security roles using the
<security-role>
tag and map them to the security constraints defined in step 1. For more information, see "security-role" in Developing Applications with the WebLogic Security Service. - To enable encryption, add the
<user-data-constraint>
element and set the<transport-guarantee>
subelement toCONFIDENTIAL
. For more information, see "user-data-constraint" in Developing Applications with the WebLogic Security Service.
The following shows an example of how to secure a Jersey 1.18 (JAX-RS 1.1) RESTful web service using basic authentication. To secure a Jersey 2.5.1 (JAX-RS 2.0) RESTful web service, replace the
<servlet-class>
element, as follows:org.glassfish.jersey.servlet.ServletContainer
.
Note:
Support for the com.sun.jersey
package, its nested packages, and the weblogic.jaxrs.api.client
package, is deprecated in this release of WebLogic Server. It is recommended that you update your RESTful applications to use the Jersey 2.5.1 (JAX-RS 2.0 RI) APIs at your earliest convenience.<web-app> <servlet> <servlet-name>RestServlet</servlet-name> <servlet-class>com.sun.jersey.spi.container.servlet.ServletContainer</servlet-class> </servlet> <servlet-mapping> <servlet-name>RestServlet</servlet-name> <url-pattern>/*</url-pattern> </servlet-mapping> <security-constraint> <web-resource-collection> <web-resource-name>Orders</web-resource-name> <url-pattern>/orders</url-pattern> <http-method>GET</http-method> <http-method>POST</http-method> </web-resource-collection> <auth-constraint> <role-name>admin</role-name> </auth-constraint> </security-constraint> <login-config> <auth-method>BASIC</auth-method> <realm-name>default</realm-name> </login-config> <security-role> <role-name>admin</role-name> </security-role> </web-app>
Securing RESTful Web Services Using SecurityContext
The
javax.ws.rs.core.SecurityContext
interface provides access to security-related information for a request. The SecurityContext
provides functionality similar to javax.servlet.http.HttpServletRequest
, enabling you to access the following security-related information:java.security.Principal
object containing the name of the user making the request.- Authentication type used to secure the resource, such as
BASIC_AUTH, FORM_AUTH
, andCLIENT_CERT_AUTH
. - Whether the authenticated user is included in a particular role.
- Whether the request was made using a secure channel, such as HTTPS.
You access the
SecurityContext
by injecting an instance into a class field, setter method, or method parameter using thejavax.ws.rs.core.Context
annotation.
For more information, see the following in the Java EE 6 Platform API Specification:
SecurityContext
interface@Context
annotation
Example 6-3 shows how to inject an instance of
SecurityContext
into the sc
method parameter using the @Context
annotation, and check whether the authorized user is included in the admin
role before returning the response.package samples.helloworld; import javax.ws.rs.GET; import javax.ws.rs.Path; import javax.ws.rs.Produces; import javax.ws.rs.core.SecurityContext; import javax.ws.rs.core.Context; ... @Path("/stateless") @Stateless(name = "JaxRSStatelessEJB") public class StlsEJBApp { ... @GET @Produces("text/plain;charset=UTF-8") @Path("/hello") public String sayHello(@Context SecurityContext sc) { if (sc.isUserInRole("admin")) return "Hello World!"; throw new SecurityException("User is unauthorized."); }
Securing RESTful Web Services Using Java Security Annotations
The
javax.annotation.security
package provides annotations, defined in Table 6-1, that you can use to secure your RESTful web services.Annotation | Description |
---|---|
@DenyAll |
Specifies that no security roles are allowed to invoke the specified methods.
|
@PermitAll |
Specifies that all security roles are allowed to invoke the specified methods.
|
@RolesAllowed |
Specifies the list of security roles that are allowed to invoke the methods in the application.
|
Before you can use the annotations defined in Table 6-1, you must register the roles-allowed feature, as described in the following sections:
- Jersey 1.18 (JAX-RS 1.1 RI):
com.sun.jersey.api.container.filter.RolesAllowedResourceFilterFactory
class in the jersey-bundle 1.18 API Javadoc.Note:Support for thecom.sun.jersey
package, its nested packages, and theweblogic.jaxrs.api.client
package, is deprecated in this release of WebLogic Server. It is recommended that you update your RESTful applications to use the Jersey 2.5.1 (JAX-RS 2.0 RI) APIs at your earliest convenience. - Jersey 2.5.1 (JAX-RS 2.0 RI): "Securing JAX-RS resources with standard javax.annotation.security annotations" in Jersey 2.5.1 User Guide
Example 6-4 shows how to define the security roles that are allowed, by default, to access the methods defined in the
helloWorld
class. ThesayHello
method is annotated with the @RolesAllows
annotation to override the default and only allow users that belong to the ADMIN
security role.package samples.helloworld; import javax.ws.rs.GET; import javax.ws.rs.Path; import javax.ws.rs.Produces; import javax.annotation.Security.RolesAllowed; @Path("/helloworld") @RolesAllowed({"ADMIN", "ORG1"}) public class helloWorld { @GET @Path("sayHello") @Produces("text/plain") @RolesAllows("ADMIN") public String sayHello() { return "Hello World!"; } }
For more information, see:
- "Specifying Authorized Users by Declaring Security Roles" in The Java EE Tutorial.
No comments:
Post a Comment