2 Replies Latest reply on Oct 10, 2013 1:50 PM by Scott Matthews

    Enable annotation security for RESTEasy WebService deployed on JBoss AS7.1

    987654321 Newbie

      Dear community,

       

      for 3 days I browse the web and the JEE 6 tutorial in order to find a solution, unfortunately without any success. "I have a working (web.xml based) container authentication and authorization. Due to the limitation of <url-pattern> I need to switch to javax.annotation.security annotations"  I already postet exactly the same question on stackoverflow.com: http://stackoverflow.com/questions/16725353/how-to-switch-from-web-xml-based-authorizaton-to-authorization-via-annotations-i But till now, no response. Maybe the question is poorly worded, or doesn't contain enough details. 

       

      First, I describe my setup which worked well for container managed authentication and authorization via web.xml

       

      • JAX-RS WebService

       

      • IDE Eclipse, JBoss Tools installed

       

      • Web-INF Folder contains:

      -) jboss-web.xml

      <?xml version="1.0" encoding="UTF-8"?>
      <jboss>
          <security-domain>java:/jaas/SgpRealm</security-domain>
      </jboss>
      

       

      -) web.xml

      <?xml version="1.0" encoding="UTF-8"?>
      <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
          xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
          version="2.5">
          
          <display-name>JAX-RS_Store_Service</display-name>
          
          <session-config>
              <session-timeout>10</session-timeout>
           </session-config>
                    
             <security-constraint>
              <web-resource-collection>
                  <web-resource-name>SSL Secured WebService</web-resource-name>
                  <url-pattern>/*</url-pattern>
              </web-resource-collection>
              <user-data-constraint>
                  <transport-guarantee>CONFIDENTIAL</transport-guarantee> 
              </user-data-constraint>
          </security-constraint>
          
          <security-constraint>
              <web-resource-collection>
                  <web-resource-name>Authenticated customers only</web-resource-name>
                  <url-pattern>/services/customers/*</url-pattern>
              </web-resource-collection>
              <auth-constraint>
                  <role-name>CUST</role-name>
              </auth-constraint>
              <user-data-constraint>
                  <transport-guarantee>CONFIDENTIAL</transport-guarantee> 
              </user-data-constraint>
          </security-constraint>
              
          <login-config>
              <auth-method>BASIC</auth-method>
              <realm-name>BookStore-Authentication-REALM</realm-name>
          </login-config>
      
          <security-role>
              <role-name>CUST</role-name>
          </security-role>
          
          <security-role>
              <role-name>ADMIN</role-name>
          </security-role>
      
          <welcome-file-list>
              <welcome-file>/index.xhtml</welcome-file>
          </welcome-file-list>
      
          <context-param>
              <param-name>javax.faces.PROJECT_STAGE</param-name>
              <param-value>Development</param-value>
          </context-param>
              
      </web-app>
      

       

       

      The question now is, what config modifications, additional config files etc. do I need so that I can use javax.annotation.security annotations

       

      I followed the RESTEasy Guide: http://docs.jboss.org/resteasy/2.0.0.GA/userguide/html_single/#Securing_JAX-RS_and_RESTeasyhttp:// but no success. The

       

         <context-param>
            <param-name>resteasy.role.based.security</param-name>
            <param-value>true</param-value>
         </context-param>

       

       

      just gives me an error: 0 [main] WARN client.DefaultRequestDirector  - Authentication error: Unable to respond to any of these challenges: {}

       

      and

       <servlet>
            <servlet-name>Resteasy</servlet-name>
            <servlet-class>org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher</servlet-class>
         </servlet>
      
         <servlet-mapping>
            <servlet-name>Resteasy</servlet-name>
            <url-pattern>/*</url-pattern>
         </servlet-mapping>

       

      takes no effect.

       

      I followed some discussion, so that I tried to add ejb-jar.xml or jboss-ejb3.xml, but also no success.

       

      I also tried to remove all security constraints defined in web.xml and only declared

      @DeclareRoles({"CUST", "ADMIN", "NONE"})

      @SecurityDomain("SgpRealm")

      @RolesAllowed({"CUST"})

      annotations within the ressource classes. (Also no success)

       

      Actually there was no error, just all ressources like

      @RolesAllowed({"CUST"})
      @GET
      @Path("{id}")
      @Produces("application/xml")
      public Customer selectById(@PathParam("id") Integer identifier) { .. }
      

       

      could be accessed without any authentication!

       

      Please tell me what I'm doing wrong, and how to make annotation base security working for my JAX-RS service. Let me know, in case that you need further details (standalone.xml, etc)

       

      Thanks in advance

        • 1. Re: Enable annotation security for RESTEasy WebService deployed on JBoss AS7.1
          987654321 Newbie

          Ich bin davon ausgegangen, dass das hier ein englischsprachiges Forum ist, deshlab war meine Fragestellung in englisch formuliert. Aufgrund dessen, dass es noch keine Antworten gibt, gehe ich davon aus dass ich diese Diskussion am falschen Ort oder Kategorie erstellt habe. Wenn notwendig, dann bitte verschieben. Danke & Lg,

          • 2. Re: Enable annotation security for RESTEasy WebService deployed on JBoss AS7.1
            Scott Matthews Newbie

            I'm having similar problems around this area, though I am getting prompted by my Services to Authenticate.  I'm wondering if it is due to the fact that you have 2 Security-constraints set up. One at the root and one for /services/customers/*.  The one you have at the root, since it does not have an <auth-constraint> defined, essentially is saying ignore security for anything at /*.  This may be overriding the one you have for /services/customers/*.  Since you need at least one, try excluding the security-constraint you have for /*.  I bet it works as you want it to.

             

            Once you get past that I'll ask you if you're seeing the problem I am.