1 Reply Latest reply on Jan 3, 2011 12:25 PM by Soren Schmidt

    REST service security-constraint

    genia Newbie

      Hi guys:

       

      I would like to have REST services under access control, that is in a typical scenario allow different group of users - under realm gatein-domain - to access different gadgets/services. Now while the gadgets permissions are easily set, for the services seems a bit more tricky due to dependency injection: the REST services injected apart the JCR ones seems to be public, that is you can access them without log-in in the system.

      I see we have a security-constraint applied to /private/* in rest.war (role-name user), so I assume one way to go could be to have several uri-patterns with different roles assigned. One simple test I've made was to publish a 'hello' service under /private

       

       

      @Path("private/hello")

      public class HelloWS implements ResourceContainer {

      ...

       


      <security-domain>java:/jaas/gatein-domain</security-domain>
      It seems there is no problem with the ResourceBinder as in the log I have:

      INFO  [exo.ws.rest.core.ResourceBinder] Bind new resource /private/hello : class com.test.HelloWS

       

      If I try to access by browser, this time I'm asked for User-ID and Password, but if I provide them, I'm given a 404 Error (Resource is not available).

      If I publish instead the service as following, of course everything works just fine, but you can access the service freely:

       

      @Path("hello")

      public class HelloWorld implements ResourceContainer {

      ...

       

       

      Any chance to have the security-constraint of services defined externally maybe in configuration.xml?

      Any idea will be welcome.

       

      Cheers.

       

      Byte.