1 Reply Latest reply on Jan 3, 2011 12:25 PM by sorenschmidt

    REST service security-constraint

    genia

      Hi guys:
      I would like to have REST services under access control, that is, in a typical scenario, allow different groups of users - under the realm gatein-domain - to access different gadgets/services. Now, while the gadget permissions are easily set, for the services it seems a bit more tricky due to dependency injection: the injected REST services, apart from the JCR ones, seem to be public, that is, you can access them without logging in to the system.

      I see we have a security-constraint applied to /private/* in rest.war (role-name user), so I assume one way to go could be to have several uri-patterns with different roles assigned. One simple test I've made was to publish a 'hello' service under /private:
      @Path("private/hello")
      public class HelloWS implements ResourceContainer {
      ...
      <security-domain>java:/jaas/gatein-domain</security-domain>
      It seems there is no problem with the ResourceBinder, as in the log I have:

      INFO  [exo.ws.rest.core.ResourceBinder] Bind new resource /private/hello : class com.test.HelloWS
      If I try to access it by browser, this time I'm asked for User-ID and Password, but if I provide them, I'm given a 404 error (Resource is not available).

      If I publish the service as follows instead, of course everything works just fine, but you can access the service freely:
      @Path("hello")
      public class HelloWorld implements ResourceContainer {
      ...
      Any chance to have the security constraints of services defined externally, maybe in configuration.xml?

      Any idea will be welcome.
      Cheers.
      Byte.
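The approach the post sketches, several url-patterns each bound to a different role, looks like this as a web.xml fragment for rest.war. This is an added example, not code from the post or from the GateIn project: the second prefix /admin/* and the role name admin are assumed for illustration (the post only mentions /private/* with role-name user), and it assumes the JAX-RS servlet in rest.war is mapped so that a resource bound as /private/hello is served at <context-root>/private/hello, since url-pattern is matched against the path relative to the context root, not against the @Path value.

```xml
<!-- Added example (not from the original post or GateIn): web.xml fragment
     protecting two REST prefixes with different roles under the same realm. -->

<!-- Every resource bound under /private/... requires the role "user". -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>private REST services</web-resource-name>
    <url-pattern>/private/*</url-pattern>
    <!-- Deliberately no <http-method> element: the constraint then covers
         ALL methods. Listing only GET would leave POST/PUT/DELETE unprotected. -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
</security-constraint>

<!-- Assumed second prefix: resources bound under /admin/... require "admin". -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>admin REST services</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>

<!-- Anything outside these prefixes (for example @Path("hello")) stays public,
     exactly as the post observes. -->

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>gatein-domain</realm-name>
</login-config>

<security-role><role-name>user</role-name></security-role>
<security-role><role-name>admin</role-name></security-role>
```

Two checks worth making with this in place: first, request a URL under each prefix without credentials and confirm a 401 rather than a 200 (a 200 means the url-pattern does not match the path the container actually sees); second, compare the URL that works for the unprotected @Path("hello") service with the URL you use for /private/hello, since the container authenticates on the url-pattern but the JAX-RS dispatcher still has to find a resource bound at the remaining path, and a mismatch between those two views of the path shows up as exactly the "authenticated, then 404" behaviour described above.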