1. Configuration Approach:
|-Configuring the Realms and Roles
|-Guidance to configure Security
|-Access the application with Security
|-Enforcing Encryption
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;

// Resource under test. It carries no security annotations on purpose: in the
// configuration approach, access is controlled entirely from web.xml.
@Path("/stock")
public class StockResource {
    @GET
    @Produces(MediaType.TEXT_PLAIN)
    @Path("/price/{stockName}")
    public float getStockPrice(@PathParam("stockName") String stockName) {
        // Fixed price for the demo; a real implementation would look up stockName.
        return 232.5f;
    }
}
What roles do you want this user to belong to? (Please enter a comma separated list,
or leave blank for none) : ADMIN (Enter)
Note:
If we enter ADMIN here, the role must also be declared in web.xml as "ADMIN" and
not as "admin", because role names are case sensitive.
Step: 3
About to add user 'jhon' for realm 'ApplicationRealm'
Is this correct yes/no? yes (type yes then press enter)
This completes the creation of the user "john" in the "ADMIN" role.
Authorization cannot be enforced without Authentication, so we must first enable
Authentication and only then Authorization.
Guidance to configure Security:
1. Configure the JAX-RS Runtime
2. Configure the type of Authentication Mechanism
3. Configure all of the security roles in the REST Application
4. Enable Role based mechanism of the users/groups in the roles
5. Restrict resources based on a given URL pattern, and Name the security roles that
are allowed access to the resources
web.xml
<web-app>
    <!-- Step: 4 Enable Role Based Security, which is a vendor-specific (RESTEasy) plugin -->
    <context-param>
        <param-name>resteasy.role.based.security</param-name>
        <param-value>true</param-value>
    </context-param>
    <!-- Step: 1 Map the JAX-RS runtime (RESTEasy servlet) to the /rest prefix -->
    <servlet-mapping>
        <servlet-name>resteasy</servlet-name>
        <url-pattern>/rest/*</url-pattern>
    </servlet-mapping>
    ...
</web-app>
For example, valid URL patterns look like:
/*
/stock/*
*.txt
The wildcard pattern can only be used at the end of a URL pattern or to match file
extensions. When used at the end of a URL pattern, the wildcard matches every
character in the incoming URL. For example, /foo/* would match any URL that starts
with /foo. To match file extensions, we need to use the format *.<suffix>. For
example, the *.txt pattern matches any URL that ends with .txt. No other uses of the
wildcard character are permitted in URL patterns.
For example, here are some illegal expressions:
/stock/*/price
/stock/*.txt
Close Internet Explorer, then open it again.
Case: 2
http://localhost:8082/1.1StockResourceSecurityUsingConfigApproachRESTEasy/rest/stock/price/dell
Give the authentication details as
username=robin
password=welcome
We can access the application because robin is a TRADER, and web.xml is configured
so that TRADER can access the StockResource.
Response:
Status: 200: OK
232.5
Close Internet Explorer, then open it again.
Case: 3
http://localhost:8082/1.1StockResourceSecurityUsingConfigApproachRESTEasy/rest/stock/price/dell
Give the authentication details as
username=david
password=welcome
web.xml
<web-app>
    ...
    <security-constraint>
        <web-resource-collection>
            ....
        </web-resource-collection>
        <auth-constraint>
            ....
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
</web-app>
Transport guarantee values and their meaning:
NONE: No encryption is required (plain http is fine).
CONFIDENTIAL: The data must be encrypted so that other parties cannot observe the
contents (e.g. enforce SSL).
INTEGRAL: The data must be transported so that it cannot be changed in transit.
Most servers use SSL for this value too, although in theory a hashing algorithm
could be used, since encryption is not required.
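The following web.xml ties together the five configuration steps listed under "Guidance to configure Security" and the CONFIDENTIAL transport guarantee from the table above. It is an added example, not the original document's web.xml: the servlet declaration with its init-param, the application class com.example.StockApplication and the web-resource-name are assumptions, while the resteasy servlet name, the /rest/* mapping, the ApplicationRealm and the ADMIN/TRADER roles come from the page.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

    <!-- Step 1: the JAX-RS runtime. The servlet class is RESTEasy's dispatcher;
         com.example.StockApplication is an assumed javax.ws.rs.core.Application
         subclass that registers StockResource. -->
    <servlet>
        <servlet-name>resteasy</servlet-name>
        <servlet-class>org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher</servlet-class>
        <init-param>
            <param-name>javax.ws.rs.Application</param-name>
            <param-value>com.example.StockApplication</param-value>
        </init-param>
    </servlet>
    <servlet-mapping>
        <servlet-name>resteasy</servlet-name>
        <url-pattern>/rest/*</url-pattern>
    </servlet-mapping>
    <!-- RESTEasy needs to know the prefix when the dispatcher is not mapped at / -->
    <context-param>
        <param-name>resteasy.servlet.mapping.prefix</param-name>
        <param-value>/rest</param-value>
    </context-param>

    <!-- Step 4: vendor-specific switch that turns on role-based security in RESTEasy -->
    <context-param>
        <param-name>resteasy.role.based.security</param-name>
        <param-value>true</param-value>
    </context-param>

    <!-- Step 2: BASIC authentication against the realm add-user.sh wrote the users to -->
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>ApplicationRealm</realm-name>
    </login-config>

    <!-- Step 3: declare every role referenced below, spelled exactly as entered
         in add-user.sh (role names are case sensitive) -->
    <security-role>
        <role-name>ADMIN</role-name>
    </security-role>
    <security-role>
        <role-name>TRADER</role-name>
    </security-role>

    <!-- Step 5: restrict the stock resource. The url-pattern is matched against
         the request path relative to the context root, so it must include the
         /rest prefix from the servlet-mapping: /stock/* on its own would match
         nothing and the resource would stay unprotected. No <http-method> is
         listed on purpose, so the constraint covers every HTTP method rather than
         GET only. -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Stock prices</web-resource-name>
            <url-pattern>/rest/stock/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>ADMIN</role-name>
            <role-name>TRADER</role-name>
        </auth-constraint>
        <user-data-constraint>
            <!-- CONFIDENTIAL: the container redirects plain http requests to https -->
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
</web-app>
```

With this file in place, the test URL used in the cases above (.../rest/stock/price/dell) falls under /rest/stock/*, so the container demands BASIC credentials and only users in the ADMIN or TRADER role get a 200; a user in any other role gets 403, and an http request is redirected to https before the resource is ever reached. Two checks worth doing after deploying: request the resource once with no credentials and confirm a 401, and request it with a method other than GET (for example HEAD or POST) and confirm it is still challenged, which is what leaving <http-method> out buys you.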