Enable annotation security for RESTEasy WebService deployed on JBoss AS7.1
987654321 May 26, 2013 3:21 PM
Dear community,
For 3 days I have been browsing the web and the JEE 6 tutorial in order to find a solution, unfortunately without any success. "I have a working (web.xml based) container authentication and authorization. Due to the limitation of <url-pattern> I need to switch to javax.annotation.security annotations." I already posted exactly the same question on stackoverflow.com: http://stackoverflow.com/questions/16725353/how-to-switch-from-web-xml-based-authorizaton-to-authorization-via-annotations-i But till now, no response. Maybe the question is poorly worded, or doesn't contain enough details.
First, I describe my setup, which worked well for container-managed authentication and authorization via web.xml:
- JAX-RS WebService
- IDE Eclipse, JBoss Tools installed
- WEB-INF folder contains:
-) jboss-web.xml
<?xml version="1.0" encoding="UTF-8"?>
<jboss>
    <security-domain>java:/jaas/SgpRealm</security-domain>
</jboss>
-) web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">
    <display-name>JAX-RS_Store_Service</display-name>
    <session-config>
        <session-timeout>10</session-timeout>
    </session-config>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>SSL Secured WebService</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Authenticated customers only</web-resource-name>
            <url-pattern>/services/customers/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>CUST</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>BookStore-Authentication-REALM</realm-name>
    </login-config>
    <security-role>
        <role-name>CUST</role-name>
    </security-role>
    <security-role>
        <role-name>ADMIN</role-name>
    </security-role>
    <welcome-file-list>
        <welcome-file>/index.xhtml</welcome-file>
    </welcome-file-list>
    <context-param>
        <param-name>javax.faces.PROJECT_STAGE</param-name>
        <param-value>Development</param-value>
    </context-param>
</web-app>
The question now is: what config modifications, additional config files etc. do I need so that I can use javax.annotation.security annotations?
I followed the RESTEasy Guide: http://docs.jboss.org/resteasy/2.0.0.GA/userguide/html_single/#Securing_JAX-RS_and_RESTeasy but without success. The
<context-param>
    <param-name>resteasy.role.based.security</param-name>
    <param-value>true</param-value>
</context-param>
just gives me an error: 0 [main] WARN client.DefaultRequestDirector - Authentication error: Unable to respond to any of these challenges: {}
and
<servlet>
    <servlet-name>Resteasy</servlet-name>
    <servlet-class>org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher</servlet-class>
</servlet>
<servlet-mapping>
    <servlet-name>Resteasy</servlet-name>
    <url-pattern>/*</url-pattern>
</servlet-mapping>
has no effect.
I followed some discussions and tried adding ejb-jar.xml or jboss-ejb3.xml, but also without success.
I also tried to remove all security constraints defined in web.xml and only declared
@DeclareRoles({"CUST", "ADMIN", "NONE"})
@SecurityDomain("SgpRealm")
@RolesAllowed({"CUST"})
annotations within the resource classes. (Also no success.)
Actually there was no error, just all resources like
@RolesAllowed({"CUST"})
@GET
@Path("{id}")
@Produces("application/xml")
public Customer selectById(@PathParam("id") Integer identifier) { .. }
could be accessed without any authentication!
Please tell me what I'm doing wrong, and how to make annotation-based security work for my JAX-RS service. Let me know in case you need further details (standalone.xml, etc.).
Thanks in advance
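
Added example, not part of the original post and not tested against the poster's AS 7.1 deployment: a web.xml fragment following the approach in the RESTEasy user guide linked above, where the `resteasy.role.based.security` switch makes RESTEasy evaluate `@RolesAllowed` and one container constraint forces authentication for every role the annotations use. The `/services/*` pattern is an assumption derived from the post's `/services/customers/*`; role and realm names are taken from the post.

```xml
<!-- Fragment to place inside <web-app>; added example, not the poster's configuration. -->

<!-- RESTEasy does not evaluate @RolesAllowed / @PermitAll / @DenyAll on JAX-RS
     methods unless this switch is on. With it off, an annotated method is reachable
     by anyone the URL constraints let through. Per the RESTEasy guide, leave it off
     when the resources are EJBs, because the EJB container enforces the annotations. -->
<context-param>
    <param-name>resteasy.role.based.security</param-name>
    <param-value>true</param-value>
</context-param>

<!-- Authentication is still done by the container, not by RESTEasy. One constraint
     covers every JAX-RS URL and admits every role named in the annotations, so the
     BASIC challenge is issued and the per-method decision is left to @RolesAllowed.
     /services/* is an assumed mapping for the JAX-RS resources. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>All JAX-RS resources</web-resource-name>
        <url-pattern>/services/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>CUST</role-name>
        <role-name>ADMIN</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>BookStore-Authentication-REALM</realm-name>
</login-config>

<!-- Every role referenced by @RolesAllowed has to be declared here as well. -->
<security-role>
    <role-name>CUST</role-name>
</security-role>
<security-role>
    <role-name>ADMIN</role-name>
</security-role>
```

A quick check for this kind of setup is to request an annotated resource without credentials and with a user lacking the role: the first should get 401 with a BASIC challenge, the second 403.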