Alexander J. Perez Tchernov wrote:
Hello. Is it possible to ship an example of how to operate with security
in JAX-RS for the following problem?
I want to specify that certain users may perform a GET operation against
a certain resource, and only a subset of them can perform a PUT / POST
operation. The rest of the resources don't need any authorization at all.
I want to implement this common task using JAX-RS.
I see that I need to create a Guard to ask clients (via HTTP DIGEST /
BASIC) to provide me with a trusted username (principal):
// create a Guard
final Guard guard = new Guard(application.getContext(),
        ChallengeScheme.HTTP_BASIC, "JAX-RS example");
// set valid users and their passwords.
guard.getSecrets().put("admin", "adminPW".toCharArray());
I see that I need to create a RoleChecker that will validate whether a
certain user (principal) belongs to a certain role.
1) How can I specify that a given operation against a given resource is
permitted only for the following ROLE?
@GET
@Path(...)
public Response get(@Context SecurityContext securityContext, ...)
{
    // reject the request with 403 Forbidden unless the user is in the role
    if (!securityContext.isUserInRole(ROLE))
        throw new WebApplicationException(403);
    ...
}
For the other resources you do not implement the role check.
2) How can I transfer the invocation context (resource URI) to the
RoleChecker to let it, for example, check that the given user is really
in the AUTHOR role of the resource?
In the method you have to check if the user is in a role, as in the
example above. You need a role that only the subset of users is in.
3) Does this schema (with Guard / RoleChecker) work even in standalone
mode, since it seems common to specify some of the parameters in
web.xml / specific.xml when deploying the application?
The Servlet security is not yet integrated into the security system of
the Restlet JAX-RS extension, because I have not had enough time for it.
best regards
Stephan
--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447dsMessageId=1279338
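As an added example (not code from the thread or from the Restlet project), a resource that lets any "reader" GET but restricts PUT to the "author" role and then, inside the method as Stephan suggests, to the owner of that particular resource, together with a RoleChecker backed by a constructed in-memory role table. The article owners, the user names and the `isInRole(Principal, String)` method signature of the Restlet RoleChecker interface are assumptions.

```java
import java.security.Principal;
import java.util.*;
import javax.ws.rs.*;
import javax.ws.rs.core.*;

@Path("/articles/{id}")
public class ArticleResource {
    // Constructed sample data: article id -> owning author (assumed).
    private static final Map<String, String> OWNERS = new HashMap<String, String>();
    static { OWNERS.put("1", "alice"); }

    // GET: any user in the "reader" role may read.
    @GET
    @Produces("text/plain")
    public Response get(@PathParam("id") String id, @Context SecurityContext sc) {
        if (!sc.isUserInRole("reader")) {
            throw new WebApplicationException(Response.Status.FORBIDDEN);
        }
        return Response.ok("article " + id).build();
    }

    // PUT: role check first, then a per-resource ownership check. Both live in
    // the method because the RoleChecker only sees the principal and role name.
    @PUT
    @Consumes("text/plain")
    public Response put(@PathParam("id") String id, String body, @Context SecurityContext sc) {
        if (!sc.isUserInRole("author")) {
            throw new WebApplicationException(Response.Status.FORBIDDEN);
        }
        Principal user = sc.getUserPrincipal();
        if (user == null || !user.getName().equals(OWNERS.get(id))) {
            throw new WebApplicationException(Response.Status.FORBIDDEN);
        }
        return Response.noContent().build();
    }
}

/** Maps user names to roles from a constructed table; isInRole signature assumed. */
class MapRoleChecker implements org.restlet.ext.jaxrs.RoleChecker {
    private final Map<String, Set<String>> roles = new HashMap<String, Set<String>>();

    MapRoleChecker() {
        roles.put("alice", new HashSet<String>(Arrays.asList("reader", "author")));
        roles.put("bob", new HashSet<String>(Arrays.asList("reader")));
    }

    public boolean isInRole(Principal principal, String role) {
        if (principal == null) return false;   // unauthenticated: no roles at all
        Set<String> r = roles.get(principal.getName());
        return r != null && r.contains(role);
    }
}
```

With this table, bob can GET /articles/1 but receives 403 on PUT from the role check, and a second author who is not the owner of article 1 is rejected by the ownership check.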