views: 277

answers: 2

Hi,

Can someone provide me some pointers about access control in JAX-RS web services, e.g. limiting access on the basis of user credentials, or name, or any other criteria? Could not find any useful information in the Sun manuals.

Thanks in advance, Adhir

A: 

There are many ways that people have accomplished this, and there are a number of great threads on the topic on this site (see Best Practices for securing a REST API / web service).

I personally use OAuth to accomplish this task. For more information on OAuth, check out Beginner's Guide to OAuth.

raiglstorfer
A: 

I personally use Spring Security to accomplish this. Spring Security allows for easy use of various authentication and authorization schemes (e.g. by checking the basic/digest headers from the HTTP request against a database or LDAP server). It's not too hard to set up with JAX-RS, and it also has a nifty aspect-based rights system where you can do stuff like

// Method arguments are referenced with '#' in Spring Security SpEL, and the
// authenticated user is exposed as 'principal' (a UserDetails with getUsername()).
@PreAuthorize("hasRole('ROLE_ADMIN') or #order.customer.username == principal.username")
public void deleteOrder(Order order) { /* delete it */ }

which ensures that an authenticated user must either be in the ROLE_ADMIN group or be the owner of the order to be allowed to delete it.

When this is configured, all you have to do in your JAX-RS resource is to handle the security exception from Spring and take the appropriate action (e.g. by throwing a WebApplicationException as described here).

Lars Tackmann
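The setup this answer describes, as an added example that is not code from the original answer: a Spring-managed service whose delete method is guarded by @PreAuthorize, and a JAX-RS resource that converts Spring's AccessDeniedException (403) and AuthenticationException (401) into a WebApplicationException instead of letting them surface as a 500. Order, Customer, OrderService and the in-memory store are hypothetical stand-ins; the javax.ws.rs namespace is assumed (it is jakarta.ws.rs on Jakarta EE 9+), and the classes are nested in one holder only so the listing fits in a single file.

```java
// Added example, not from the original answer. Order, Customer and the
// in-memory store are hypothetical; javax.ws.rs (JAX-RS 2.x) is assumed.
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.ws.rs.DELETE;
import javax.ws.rs.NotFoundException;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Response;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.core.AuthenticationException;
import org.springframework.stereotype.Service;

public class OrderSecurityExample {

    /** Turns on @PreAuthorize/@PostAuthorize for Spring-managed beans. */
    @Configuration
    @EnableGlobalMethodSecurity(prePostEnabled = true)
    public static class MethodSecurityConfig {
    }

    /** Hypothetical domain objects referenced by the SpEL rule below. */
    public static class Customer {
        private final String username;
        public Customer(String username) { this.username = username; }
        public String getUsername() { return username; }
    }

    public static class Order {
        private final long id;
        private final Customer customer;
        public Order(long id, Customer customer) { this.id = id; this.customer = customer; }
        public long getId() { return id; }
        public Customer getCustomer() { return customer; }
    }

    /**
     * The rule from the answer as Spring Security evaluates it: '#order' is the
     * method argument (resolving the name needs the class compiled with -g or
     * -parameters), 'principal' is the authenticated UserDetails, and
     * hasRole('ADMIN') checks for the ROLE_ADMIN authority (Spring Security 4+
     * prepends ROLE_ itself; the older hasRole('ROLE_ADMIN') form also works).
     * Spring evaluates the expression before the body runs and throws
     * AccessDeniedException when it is false, so the body never needs to
     * repeat the check.
     */
    @Service
    public static class OrderService {
        private final Map<Long, Order> orders = new ConcurrentHashMap<>();

        public Order find(long id) { return orders.get(id); }

        public void save(Order order) { orders.put(order.getId(), order); }

        @PreAuthorize("hasRole('ADMIN') or #order.customer.username == principal.username")
        public void deleteOrder(Order order) {
            orders.remove(order.getId());
        }
    }

    /** JAX-RS resource: it never inspects credentials itself, it only maps outcomes to HTTP. */
    @Path("/orders")
    public static class OrderResource {
        private final OrderService service;

        public OrderResource(OrderService service) { this.service = service; }

        @DELETE
        @Path("/{id}")
        public Response delete(@PathParam("id") long id) {
            Order order = service.find(id);
            if (order == null) {
                throw new NotFoundException();          // 404
            }
            try {
                service.deleteOrder(order);             // Spring checks the rule here
            } catch (AuthenticationException e) {
                // Thrown when no authentication is present at all: ask the client to authenticate.
                throw new WebApplicationException(e, Response.Status.UNAUTHORIZED);   // 401
            } catch (AccessDeniedException e) {
                // Authenticated but neither admin nor owner: refuse without leaking why.
                throw new WebApplicationException(e, Response.Status.FORBIDDEN);      // 403
            }
            return Response.noContent().build();        // 204
        }
    }
}
```

Keeping the rule on the service rather than the resource means it is also enforced when the service is called from somewhere other than HTTP, and the resource only decides which status code each Spring exception maps to. The ownership clause compares usernames, so a deleted order is reported as 204 to its owner and 403 to everyone else who is logged in; the 401/403 split matters in practice because a 401 tells browsers and clients to (re)authenticate, while a 403 means the identity is known and the answer is no.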