tags:

views:

1131

answers:

3
+1  Q: 

User authentication on a Jersey REST service

I am currently developing a REST application, which is using the Jersey framework. I would like to know a way that I can control user authentication. I have search a lot of places, and the closest article I have found is this: http://weblogs.java.net/blog/2008/03/07/authentication-jersey.

However this article can only be used whith a GlassFish server and a attached database. Is there anyway that I can implement an interface in Jersey and use it as a filter before reaching the requested REST resource?

I want to use basic authentication right now, but it should be flexible enough such that I can change that at a later time.

Thanks in Advance Stefan.

A: 
 2010-05-25 08:45:39
+1  A: 

I'm working on something similar to this. In my implementation, we have Apache httpd front-ended to handle HTTP Basic authentication and it simply forwards all requests with some header information containing the user and roles.

From that, I'm working on parsing these pieces out using a servlet filter to wrap the HttpServletRequest using a post I found on CodeRanch. This allows me to use the javax.annotation.security annotations like @RolesAllowed on each resource I want to filter. To get all of these pieces working, however, I had to add the following to my servlet in the web.xml:

<servlet>
  <!-- some other settings and such 
  ... -->
  <init-param>
    <param-name>com.sun.jersey.spi.container.ResourceFilters</param-name>
    <param-value>com.sun.jersey.api.container.filter.RolesAllowedResourceFilterFactory</param-value>
  </init-param>
  ...
</servlet>

You might find that Eric Warriner's answer on a recent post of interest: http://stackoverflow.com/questions/2291323/jersey-spring-tomcat-and-security-annotations

Nick Klauer  2010-05-27 03:28:08
A: 

Sure, you can use a traditional servlet filter for this.

Add the filter to your web.xml, check for whatever authentication headers you're using (Basic or Digest), perform your authentication logic based on those values, and store the result in a session attribute. In your Jersey resource (ctor probably), extract the auth result from the session attribute and continue processing or not based on whether this is the result you require.

Your Jersey resource ctor would probably look like this:

protected AbstractResource(@Context ServletContext servletContext, @Context HttpServletRequest httpServletRequest) {...

HttpSession session = httpServletRequest.getSession(); // get whatever you put in the session in the auth filter here and compare }

ae6rt  2010-09-11 02:23:07

related questions

Java Time Zone is messed up
Eclipse on win64
Automate builds for Java RCP for deployment with JNLP
Why are professors or schools picking Java over C++ to teach to students?
Is there a real benefit of using J#?
Public/Popular Websites using JavaServer Faces
Why can't I use a try block around my super() call?
Accessing post variables using Java Servlets
Personal Linux web server
Is this really widening vs autoboxing?
How can I Java webstart multiple, dependent, native libraries?
Why can't I call toString() on a Java primitive?
How do I use Java to read from a file that is actively being written?
What code analysis tools do you use for your Java projects?
IllegalArgumentException or NullPointerException for a null parameter?
How do I configure and communicate with a serial port?
What is the best way to parse strings in Java
Getting started with a custom JXTA PeerGroup
Creating a custom button in Java
How to get started "writing" a code coverage tool?
Which Build-/Configuration Management Tool?
What is the difference between an int and an Integer in Java/C#?
What is the meaning of the type safety warning in certain Java generics casts?
How would you access Object properties from within an object method?
Converting CSV File to XML in Java