Hi Duong,

Thanks for the feedback.

Regarding your questions:

1) What do you mean by "better integrated"? Is anything wrong now? I've recently tried to run Wink with GAE and it worked fine, except that GAE doesn't support JAXB and a lot of Wink's functionality is based on it.
   What do you mean by "generic JSONP and Atom"? Wink supports JSON and Atom: for JSON support the json.org, Jettison and Jackson libraries can be used. You'll need the latest snapshot to use these libraries. Wink has internal Atom support, which is based on JAXB, so it won't function on GAE.
2) Currently we don't have plans to add support for Guice. Would you like to contribute it?
3) Same here: currently we don't have plans to add support for OAuth. But we'll be glad if it is contributed :-)

Best regards,
Michael.

On Wed, Sep 30, 2009 at 5:09 PM, Duong BaTien <[email protected]> wrote:
> Hi:
> I look at Wink and will spend some time to further explore. I wonder if
> there is some plan:
> 1) to make Wink server and client better integrated with GAE and GWT,
> especially via generic JSONP and Atom
> 2) to add Guice for DI
> 3) to add security chain for OAuth authorized resources and role-based
> Workspaces
>
> Waiting for Wink next version today or tomorrow to experiment with GAE.
>
> Duong BaTien
> DBGROUPS and BudhNet
>
> On Wed, 2009-09-30 at 07:33 -0700, Stefan Witte wrote:
> > Thanks Bryant.
> >
> > I've got it working now. I think that the problem was in the caching
> > of the browser with trying out different user ids and not enough
> > restarting of the WebSphere server.
> >
> > I now test it with the Wink client using the "Authorization: Basic
> > c3dpdHRlOnN0ZWZhbg==" header. I wrote a WebSphereAuthorisationHandler
> > (ClientHandler) for this.
> > For optimisation I probably have to create one that uses the
> > returned LtpaToken cookie for additional requests.
> >
> > Thanks.
> >
> > ______________________________________________________________________
> > From: Bryant Luk <[email protected]>
> > To: [email protected]
> > Sent: Tuesday, September 29, 2009 5:01:01 AM
> > Subject: Re:
> >
> > Hi Stefan,
> >
> > Thanks for the feedback. We'll try adding a chapter specifically
> > about security to the guide soon.
> >
> > For your immediate issue, I made a simple application to
> > test out the security using the pattern you suggested. I had a
> > resource like:
> >
> > import javax.ws.rs.GET;
> > import javax.ws.rs.POST;
> > import javax.ws.rs.Path;
> > import javax.ws.rs.Produces;
> > import javax.ws.rs.core.Context;
> > import javax.ws.rs.core.MediaType;
> >
> > @Path("/resource")
> > public class Resource {
> >     // Populated by the container for each request; carries the
> >     // authenticated principal and its role memberships.
> >     @Context
> >     javax.ws.rs.core.SecurityContext securityInfo;
> >
> >     @GET
> >     @Produces(MediaType.TEXT_PLAIN)
> >     public String getSomething() {
> >         return "Hello GET: " + securityInfo.getUserPrincipal();
> >     }
> >
> >     @POST
> >     @Produces(MediaType.TEXT_PLAIN)
> >     public String postSomething() {
> >         return "Hello POST: " + securityInfo.getUserPrincipal();
> >     }
> >
> >     // Matches GET /resource/<anything>
> >     @GET
> >     @Path("/{subresource}")
> >     @Produces(MediaType.TEXT_PLAIN)
> >     public String getGreetingSub() {
> >         return "Hello GET subresource: " + securityInfo.getUserPrincipal();
> >     }
> > }
> >
> > My web.xml:
> >
> > <servlet>
> >     <servlet-name>HelloWorldApp</servlet-name>
> >     <servlet-class>org.apache.wink.server.internal.servlet.RestServlet</servlet-class>
> >     <init-param>
> >         <param-name>javax.ws.rs.Application</param-name>
> >         <param-value>org.apache.wink.example.helloworld.HelloWorldApplication</param-value>
> >     </init-param>
> >     <load-on-startup>1</load-on-startup>
> > </servlet>
> > <servlet-mapping>
> >     <servlet-name>HelloWorldApp</servlet-name>
> >     <url-pattern>/*</url-pattern>
> > </servlet-mapping>
> > <security-role>
> >     <role-name>adminRole</role-name>
> > </security-role>
> > <security-role>
> >     <role-name>readerRole</role-name>
> > </security-role>
> > <security-constraint>
> >     <web-resource-collection>
> >         <web-resource-name>SecuredAdmin</web-resource-name>
> >         <url-pattern>/resource</url-pattern>
> >         <http-method>GET</http-method>
> >         <http-method>POST</http-method>
> >     </web-resource-collection>
> >     <auth-constraint>
> >         <role-name>adminRole</role-name>
> >     </auth-constraint>
> > </security-constraint>
> > <security-constraint>
> >     <web-resource-collection>
> >         <web-resource-name>SecuredSubresource</web-resource-name>
> >         <url-pattern>/resource/*</url-pattern>
> >         <http-method>GET</http-method>
> >     </web-resource-collection>
> >     <auth-constraint>
> >         <role-name>readerRole</role-name>
> >     </auth-constraint>
> > </security-constraint>
> > <login-config>
> >     <auth-method>BASIC</auth-method>
> > </login-config>
> >
> > When I loaded up the root resource at /resource in my browser, I could
> > only use a user mapped to my adminRole. When I visited
> > /resource/abcd, I could only visit the resource using a user mapped to
> > my readerRole. Did you try a pattern like the above?
> >
> > One note on the above pattern is that it restricts GETs to /resource
> > to only the adminRole users. Generally /resource collection-like URLs
> > (if it is indeed a collection) are readable by the same users as those
> > that can read /resource/<anything underneath>, so you may want to drop
> > the <http-method>GET</http-method> and just leave the
> > <http-method>POST</http-method> in the first security constraint.
> >
> > Also, I'm not sure if you're aware but you can try using the @Context
> > javax.ws.rs.core.SecurityContext injected object (which can be put in
> > a method's parameter list or as a root resource's field variable for
> > instance) if you need a programmatic way of handling security.
> >
> > I used the free WebSphere Application Server 7.0 developer's version
> > at ( http://www.ibm.com/developerworks/websphere/downloads/ ). You
> > probably already know this but I would also try restarting the
> > application via the admin console or wsadmin after you've made changes
> > to the application-specific security configuration. If you make
> > changes to the global security config (such as changing user
> > registries or enabling application security), you should try
> > restarting the application server.
> >
> > Let us know if that helped.
> >
> > On Mon, Sep 28, 2009 at 8:45 AM, Stefan Witte <[email protected]> wrote:
> > > Can someone provide some samples, guidelines or patterns on how to
> > > (JEE) secure different resources in an Apache Wink implementation?
> > >
> > > If the Wink servlet is configured in the web.xml like:
> > >
> > > <servlet>
> > >     <servlet-name>WinkServlet</servlet-name>
> > >     <servlet-class>org.apache.wink.server.internal.servlet.RestServlet</servlet-class>
> > >     <init-param>
> > >         <param-name>applicationConfigLocation</param-name>
> > >         <param-value>/WEB-INF/application</param-value>
> > >     </init-param>
> > > </servlet>
> > >
> > > <servlet-mapping>
> > >     <servlet-name>WinkServlet</servlet-name>
> > >     <url-pattern>/*</url-pattern>
> > > </servlet-mapping>
> > >
> > > is /* then the only url-pattern that a role can be assigned to?
> > > Or do I have to have multiple servlet mappings (tried that but
> > > didn't work)?
> > > Or do I have to register multiple instances of the Wink servlet with
> > > different url patterns?
> > >
> > > I tried using different security constraints on different
> > > url-patterns but none works as I want (see example).
> > >
> > > (running on WebSphere 7.0.0.3, servlet 2.5)
> > >
> > > I for example need to configure authorisation for the following
> > > nested resource(s):
> > >
> > > roles: admin, reader
> > >
> > > /resource (role: admin)
> > > /resource/<anything> (role: reader) (e.g. /resource/reservation)
> > >
> > > A chapter in the User or Developer guide about JEE security on REST
> > > resources (using Apache Wink) would be really useful.
> > >
> > > Thanks.
> >
> > --
> >
> > - Bryant Luk
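The pattern Bryant describes in the quoted mail pairs declarative web.xml constraints with the injected javax.ws.rs.core.SecurityContext. The following resource, added here as an example and not code from the thread or from the Wink project, carries that one step further: it applies Bryant's suggestion that the collection GET be readable by readers as well as admins, and it repeats the role checks programmatically so the resource fails closed (401 or 403) even if a deployment is built without the <security-constraint> elements. The class name GuardedResource, the helper requireAnyRole and the realm string "wink" are assumptions; the role names are the ones from the thread's web.xml.

```java
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;

/**
 * Hypothetical JAX-RS resource (not from the thread) that mirrors the
 * web.xml constraints POST /resource -> adminRole and GET /resource/* ->
 * readerRole with programmatic checks on the container-supplied
 * SecurityContext, as defense in depth behind the declarative rules.
 */
@Path("/resource")
public class GuardedResource {

    // Role names match the <security-role> entries in the thread's web.xml.
    static final String ADMIN_ROLE = "adminRole";
    static final String READER_ROLE = "readerRole";

    // Filled in by the container per request; null principal means the
    // container did not authenticate the caller.
    @Context
    private SecurityContext securityContext;

    /** Collection listing: readable by anyone who may read its members. */
    @GET
    @Produces(MediaType.TEXT_PLAIN)
    public String list() {
        requireAnyRole(securityContext, READER_ROLE, ADMIN_ROLE);
        return "Hello GET: " + securityContext.getUserPrincipal().getName();
    }

    /** Mutating the collection stays admin-only. */
    @POST
    @Produces(MediaType.TEXT_PLAIN)
    public String create() {
        requireAnyRole(securityContext, ADMIN_ROLE);
        return "Hello POST: " + securityContext.getUserPrincipal().getName();
    }

    /** Member of the collection: /resource/<anything>. */
    @GET
    @Path("/{subresource}")
    @Produces(MediaType.TEXT_PLAIN)
    public String get(@PathParam("subresource") String id) {
        requireAnyRole(securityContext, READER_ROLE, ADMIN_ROLE);
        return "Hello GET subresource " + id + ": "
                + securityContext.getUserPrincipal().getName();
    }

    /**
     * Fails closed: 401 with a Basic challenge when no principal was
     * established (constraint missing or login-config not applied),
     * 403 when the principal holds none of the accepted roles.
     */
    static void requireAnyRole(SecurityContext ctx, String... roles) {
        if (ctx == null || ctx.getUserPrincipal() == null) {
            throw new WebApplicationException(
                    Response.status(Response.Status.UNAUTHORIZED)
                            .header("WWW-Authenticate", "Basic realm=\"wink\"")
                            .build());
        }
        for (String role : roles) {
            if (ctx.isUserInRole(role)) {
                return;
            }
        }
        throw new WebApplicationException(Response.Status.FORBIDDEN);
    }
}
```

Two points about the matching web.xml are worth checking when reusing Bryant's constraints. The url-pattern /resource is an exact match, so only /resource/* covers the members; both constraints are needed. And a <web-resource-collection> that lists <http-method> elements constrains only the methods it names, so with the thread's first constraint a PUT or DELETE to /resource reaches the servlet unauthenticated; omitting the <http-method> elements constrains every method, which is the safer default for a resource that only exposes GET and POST anyway.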
