1 Reply Latest reply on Jan 3, 2011 12:25 PM by Soren Schmidt

    REST service security-constraint

    genia Newbie

      Hi guys:


      I would like to have REST services under access control, that is, in a typical scenario, allow different groups of users (under the realm gatein-domain) to access different gadgets/services. While the gadget permissions are easily set, for the services it seems a bit trickier due to dependency injection: the REST services injected, apart from the JCR ones, seem to be public, that is, you can access them without logging in to the system.

      I see we have a security-constraint applied to /private/* in rest.war (role-name user), so I assume one way to go could be to have several uri-patterns with different roles assigned. One simple test I've made was to publish a 'hello' service under /private:




      public class HelloWS implements ResourceContainer {



      It seems there is no problem with the ResourceBinder as in the log I have:

      INFO  [exo.ws.rest.core.ResourceBinder] Bind new resource /private/hello : class com.test.HelloWS


      If I try to access by browser, this time I'm asked for User-ID and Password, but if I provide them, I'm given a 404 Error (Resource is not available).

      If I instead publish the service as follows, of course everything works just fine, but you can access the service freely:



      public class HelloWorld implements ResourceContainer {




      Any chance to have the security-constraint of services defined externally, maybe in configuration.xml?

      Any idea will be welcome.
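
The approach raised in the post, several url-patterns each tied to a different role, written out as a standard Servlet `web.xml` fragment. This is an added example, not part of the original post or of GateIn's actual rest.war; the `/private/reports/*` and `/private/admin/*` paths, the `report-viewer` and `administrator` roles and the BASIC auth method are assumptions, while `/private/*`, the `user` role and the `gatein-domain` realm come from the post.

```xml
<!-- Fragment of WEB-INF/web.xml (constructed example, hypothetical paths and roles). -->

<!-- Baseline from the post: everything under /private/* needs the "user" role. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>rest-private</web-resource-name>
    <url-pattern>/private/*</url-pattern>
    <!-- No http-method elements: the constraint covers every HTTP method.
         Listing only some methods would leave the unlisted ones unprotected. -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
</security-constraint>

<!-- Hypothetical sub-tree limited to a narrower role. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>rest-reports</web-resource-name>
    <url-pattern>/private/reports/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>report-viewer</role-name>
  </auth-constraint>
</security-constraint>

<!-- Hypothetical sub-tree limited to administrators. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>rest-admin</web-resource-name>
    <url-pattern>/private/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>administrator</role-name>
  </auth-constraint>
</security-constraint>

<!-- Assumption: BASIC authentication against the realm named in the post. -->
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>gatein-domain</realm-name>
</login-config>

<!-- Every role referenced in an auth-constraint must be declared. -->
<security-role><role-name>user</role-name></security-role>
<security-role><role-name>report-viewer</role-name></security-role>
<security-role><role-name>administrator</role-name></security-role>
```

The container applies the constraint with the best-matching url-pattern, so a request under `/private/reports/` is checked against `report-viewer` only, not against `user` as well. The url-patterns are matched against the request path relative to the web application's context root, so they only protect resources whose final URL actually falls under them.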