2 Replies Latest reply on Oct 10, 2013 1:50 PM by smatthews

    Enable annotation security for RESTEasy WebService deployed on JBoss AS7.1

    987654321

      Dear community,

      For 3 days I have been browsing the web and the JEE 6 tutorial in order to find a solution, unfortunately without any success. "I have a working (web.xml based) container authentication and authorization. Due to the limitation of <url-pattern> I need to switch to javax.annotation.security annotations." I already posted exactly the same question on stackoverflow.com: http://stackoverflow.com/questions/16725353/how-to-switch-from-web-xml-based-authorizaton-to-authorization-via-annotations-i But till now, no response. Maybe the question is poorly worded, or doesn't contain enough details.

      First, I describe my setup, which worked well for container-managed authentication and authorization via web.xml:

      • JAX-RS WebService

      • IDE Eclipse, JBoss Tools installed

      • Web-INF Folder contains:

      -) jboss-web.xml

      <?xml version="1.0" encoding="UTF-8"?>
      <jboss>
          <security-domain>java:/jaas/SgpRealm</security-domain>
      </jboss>

      -) web.xml

      <?xml version="1.0" encoding="UTF-8"?>
      <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
          xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
          version="2.5">
          
          <display-name>JAX-RS_Store_Service</display-name>
          
          <session-config>
              <session-timeout>10</session-timeout>
           </session-config>
                    
             <security-constraint>
              <web-resource-collection>
                  <web-resource-name>SSL Secured WebService</web-resource-name>
                  <url-pattern>/*</url-pattern>
              </web-resource-collection>
              <user-data-constraint>
                  <transport-guarantee>CONFIDENTIAL</transport-guarantee> 
              </user-data-constraint>
          </security-constraint>
          
          <security-constraint>
              <web-resource-collection>
                  <web-resource-name>Authenticated customers only</web-resource-name>
                  <url-pattern>/services/customers/*</url-pattern>
              </web-resource-collection>
              <auth-constraint>
                  <role-name>CUST</role-name>
              </auth-constraint>
              <user-data-constraint>
                  <transport-guarantee>CONFIDENTIAL</transport-guarantee> 
              </user-data-constraint>
          </security-constraint>
              
          <login-config>
              <auth-method>BASIC</auth-method>
              <realm-name>BookStore-Authentication-REALM</realm-name>
          </login-config>
      
          <security-role>
              <role-name>CUST</role-name>
          </security-role>
          
          <security-role>
              <role-name>ADMIN</role-name>
          </security-role>
      
          <welcome-file-list>
              <welcome-file>/index.xhtml</welcome-file>
          </welcome-file-list>
      
          <context-param>
              <param-name>javax.faces.PROJECT_STAGE</param-name>
              <param-value>Development</param-value>
          </context-param>
              
      </web-app>

      The question now is: what config modifications, additional config files, etc. do I need so that I can use javax.annotation.security annotations?

      I followed the RESTEasy Guide: http://docs.jboss.org/resteasy/2.0.0.GA/userguide/html_single/#Securing_JAX-RS_and_RESTeasy but no success. The

       

         <context-param>
            <param-name>resteasy.role.based.security</param-name>
            <param-value>true</param-value>
         </context-param>

      just gives me an error: 0 [main] WARN client.DefaultRequestDirector  - Authentication error: Unable to respond to any of these challenges: {}

      and

       <servlet>
            <servlet-name>Resteasy</servlet-name>
            <servlet-class>org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher</servlet-class>
         </servlet>
      
         <servlet-mapping>
            <servlet-name>Resteasy</servlet-name>
            <url-pattern>/*</url-pattern>
         </servlet-mapping>

      has no effect.

      I followed some discussions and tried adding an ejb-jar.xml or jboss-ejb3.xml, but also without success.

      I also tried to remove all security constraints defined in web.xml and only declared

      @DeclareRoles({"CUST", "ADMIN", "NONE"})

      @SecurityDomain("SgpRealm")

      @RolesAllowed({"CUST"})

      annotations within the resource classes (also no success).

      Actually there was no error, just all resources like

      @RolesAllowed({"CUST"})
      @GET
      @Path("{id}")
      @Produces("application/xml")
      public Customer selectById(@PathParam("id") Integer identifier) { .. }

      could be accessed without any authentication!

      Please tell me what I'm doing wrong and how to make annotation-based security work for my JAX-RS service. Let me know in case you need further details (standalone.xml, etc.).

      Thanks in advance
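      The following web.xml is an added example for this thread, not the poster's file and not taken from the RESTEasy project. It shows the two pieces that the RESTEasy guide linked above combines for annotation-driven authorization: the resteasy.role.based.security switch, without which RESTEasy does not evaluate @RolesAllowed/@PermitAll/@DenyAll at all, and a container security-constraint with an auth-constraint, without which the container never authenticates the caller and the SecurityContext that RESTEasy consults carries no principal and no roles. Either one missing leaves annotated methods open, which matches the symptom described in the question. Role names, the realm name, and the CONFIDENTIAL transport guarantee are reused from the question; the assumption that resources are discovered by RESTEasy's own scanning (no explicit servlet entry, as in the poster's working web.xml) is mine.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not the poster's web.xml): deny-by-default container
     authentication plus RESTEasy annotation-based authorization on JBoss AS 7.1.
     Assumed: resource classes are discovered by RESTEasy scanning; roles CUST
     and ADMIN and the realm name are taken from the question. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

    <display-name>JAX-RS_Store_Service</display-name>

    <!-- Step 1: make RESTEasy honour javax.annotation.security annotations.
         Without this parameter @RolesAllowed on a resource method is ignored
         and the method is callable by anyone. -->
    <context-param>
        <param-name>resteasy.role.based.security</param-name>
        <param-value>true</param-value>
    </context-param>

    <!-- Step 2: force the container to authenticate every request to the
         service. The auth-constraint lists every application role, so any
         authenticated user passes this coarse gate; the fine-grained decision
         (which role may call which method) is left to @RolesAllowed. -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>All REST resources</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>CUST</role-name>
            <role-name>ADMIN</role-name>
        </auth-constraint>
        <user-data-constraint>
            <!-- BASIC credentials travel in clear text, so require TLS. -->
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>BookStore-Authentication-REALM</realm-name>
    </login-config>

    <!-- Every role referenced by an auth-constraint or a @RolesAllowed value
         must be declared here, otherwise the container treats it as unknown. -->
    <security-role>
        <role-name>CUST</role-name>
    </security-role>
    <security-role>
        <role-name>ADMIN</role-name>
    </security-role>
</web-app>
```

      With this file the security domain is still selected by the jboss-web.xml shown in the question; the @SecurityDomain annotation applies to EJB components, so for a plain JAX-RS resource class only @RolesAllowed (and, for an explicit default, @DenyAll on the class) is needed. A quick check after deploying: an unauthenticated request to an annotated resource should now get a 401 with a WWW-Authenticate challenge, and an authenticated CUST user calling a method annotated @RolesAllowed("ADMIN") should get a 403.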

        • 1. Re: Enable annotation security for RESTEasy WebService deployed on JBoss AS7.1
          987654321

          I assumed that this is an English-language forum, which is why my question was worded in English. Since there are no answers yet, I assume that I created this discussion in the wrong place or category. If necessary, please move it. Thanks & regards,

          • 2. Re: Enable annotation security for RESTEasy WebService deployed on JBoss AS7.1
            smatthews

            I'm having similar problems around this area, though I am getting prompted by my Services to Authenticate.  I'm wondering if it is due to the fact that you have 2 Security-constraints set up. One at the root and one for /services/customers/*.  The one you have at the root, since it does not have an <auth-constraint> defined, essentially is saying ignore security for anything at /*.  This may be overriding the one you have for /services/customers/*.  Since you need at least one, try excluding the security-constraint you have for /*.  I bet it works as you want it to.

            Once you get past that I'll ask you if you're seeing the problem I am.