1 Reply Latest reply on Jul 29, 2016 9:29 AM by jaikiran

    How to secure JAX-RS RESTful services in WildFly 9 with JAAS? Please don't ignore

    haris-khan-laghari

      I am still a novice at JBoss. For starters I have created a RESTful services servlet with RESTEasy JAX-RS and all of the services are working perfectly fine. Now the issue is that all of my services are exposed to everyone, so I want to add security to my servlet so that only authenticated users can access the services.

      A user must call the login RESTful service providing email and password in JSON format; my login service will extract them from the JSON and verify them against the database, and then a session for that user will be created if that user exists, and that user will be able to access the services.

      So far I have seen many implementations and tried a few, but none of them seem to point to the correct way. With whatever knowledge I have at this point, the only thing that came to my mind is JAAS authentication.

      So far what I have done or followed is:

      • a security domain, say mydomain, defined in standalone.xml
      • all the JBoss modules required by the JAAS login module for the mydomain security domain defined
      • mydomain defined as the security domain in jboss-web.xml

       

      Here is my security domain in the standalone.xml file:

       

      <security-domain name="jboss-security-api" cache-type="default">
          <authentication>
              <login-module code="Database" flag="required">
                  <module-option name="dsJndiName" value="java:/jdbc/haris/MyDS"/>
                  <module-option name="principalsQuery" value="select firstName from employee where firstName=? AND password=?"/>
                  <module-option name="rolesQuery" value="select role,'Roles' from user_roles where firstName=?"/>
                  <module-option name="hashAlgorithm" value="SHA-256"/>
                  <module-option name="hashEncoding" value="Base64"/>
                  <module-option name="unauthenticatedIdentity" value="guest"/>
              </login-module>
          </authentication>
      </security-domain>

       

      My jboss-web.xml file:

       

      <?xml version="1.0" encoding="UTF-8"?>
      <jboss-web>
          <security-domain>jboss-security-api</security-domain>
      </jboss-web>


      And this is the RESTful servlet where the login method is defined:

       

      // Imports added so the posted class compiles. Level.TRACE and
      // log(Level, Object, Throwable) match org.jboss.logging.Logger, so that
      // logger is assumed here.
      import javax.annotation.security.DeclareRoles;
      import javax.ejb.EJB;
      import javax.servlet.ServletException;
      import javax.servlet.http.HttpServletRequest;
      import javax.ws.rs.Consumes;
      import javax.ws.rs.POST;
      import javax.ws.rs.Path;
      import javax.ws.rs.core.Context;
      import javax.ws.rs.core.Response;
      import org.jboss.logging.Logger;
      import org.jboss.logging.Logger.Level;

      @DeclareRoles("ADMIN")
      @Path("/hello") // root resource path added so JAX-RS can locate the class; "/hello" is a placeholder
      public class HelloWorldService {

        @EJB
        private MyEjbRemote m1;

        @POST
        @Path("/login")
        @Consumes("application/json")
        public Response login(@Context HttpServletRequest req, Employee user) {
          if (req.getUserPrincipal() == null) {
            // Note: this writes the submitted password to the server log.
            System.out.println(user.getFirstName() + " " + user.getPassword());
            try {
              req.getSession(true); // Creates a new HTTP session BEFORE the login.
              req.login(user.getFirstName(), user.getPassword()); // Delegates to the security domain from jboss-web.xml.
            } catch (ServletException e) {
              e.printStackTrace();
              Logger.getLogger(HelloWorldService.class.getName()).log(Level.TRACE, null, e);
              return Response.status(Response.Status.BAD_REQUEST).type("text/plain").entity("Login or Password is incorrect").build();
            }
          } else {
            return Response.status(Response.Status.OK).type("text/plain").entity("You are already logged in").build();
          }
          return Response.status(Response.Status.OK).type("text/plain").entity("Login successful").build();
        }

      }

       

      I have tried many things but can't get the user to authenticate. I might be lacking the concept of how it works, but please point me in the right direction; I will be truly grateful.

      And if any other better way of doing authentication is present with proper tutorial it will be greatly appreciated. This is all for just the sake of learning.
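The following is an added example and is not code from the post above or from WildFly or RESTEasy; it shows the pattern the post is reaching for: a JAX-RS resource that logs in against the JAAS security domain through `HttpServletRequest.login`, a logout endpoint, an endpoint restricted with `@RolesAllowed`, and a helper that produces the stored password value the `Database` login module expects when `hashAlgorithm` is `SHA-256` and `hashEncoding` is `Base64`. The package `com.example.secure`, the resource path `/auth`, the `Credentials` body class and the choice of UTF-8 for the password bytes are assumptions made for this example; the application is assumed to be deployed with the `jboss-web.xml` from the post.

```java
package com.example.secure; // hypothetical package for this example

import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

@Path("/auth")
public class AuthResource {

    /** JSON request body for /auth/login (constructed for this example). */
    public static class Credentials {
        public String username;
        public String password;
    }

    @POST
    @Path("/login")
    @PermitAll
    @Consumes(MediaType.APPLICATION_JSON)
    @Produces(MediaType.TEXT_PLAIN)
    public Response login(@Context HttpServletRequest req, Credentials creds) {
        if (req.getUserPrincipal() != null) {
            return Response.ok("Already logged in as " + req.getUserPrincipal().getName()).build();
        }
        if (creds == null || creds.username == null || creds.password == null) {
            return Response.status(Response.Status.BAD_REQUEST).entity("Missing credentials").build();
        }
        try {
            // Create the session first so the authenticated identity is bound to it;
            // login() runs the login modules of the domain named in jboss-web.xml.
            req.getSession(true);
            req.login(creds.username, creds.password);
        } catch (ServletException e) {
            // One generic message for any failure: the client learns nothing about
            // whether the username or the password was wrong, and nothing is printed.
            return Response.status(Response.Status.UNAUTHORIZED).entity("Authentication failed").build();
        }
        return Response.ok("Logged in as " + req.getUserPrincipal().getName()).build();
    }

    @POST
    @Path("/logout")
    @Produces(MediaType.TEXT_PLAIN)
    public Response logout(@Context HttpServletRequest req) {
        try {
            req.logout(); // Drops the container identity for this request.
        } catch (ServletException e) {
            return Response.serverError().entity("Logout failed").build();
        }
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate(); // Ensure the cached identity cannot be reused.
        }
        return Response.ok("Logged out").build();
    }

    /** Reachable only by callers whose rolesQuery returned the ADMIN role. */
    @GET
    @Path("/admin")
    @RolesAllowed("ADMIN")
    @Produces(MediaType.TEXT_PLAIN)
    public String adminOnly(@Context HttpServletRequest req) {
        return "Hello admin " + req.getUserPrincipal().getName();
    }

    /**
     * Value to store in the password column when the domain sets
     * hashAlgorithm=SHA-256 and hashEncoding=Base64: Base64 of the raw SHA-256
     * digest of the password (UTF-8 bytes assumed). A plaintext password in the
     * table never matches with those options set.
     */
    public static String hashForStorage(String password) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] digest = md.digest(password.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is required by the JDK", e);
        }
    }
}
```

Two points a reader checking this against the post's configuration should know. First, the `Database` login module's `principalsQuery` receives the username as its only parameter and must return the stored password, so a query of the form `select password from employee where firstName=?` is what the module expects; a query with two `?` placeholders gets only one of them bound. Second, for RESTEasy to enforce `@RolesAllowed`, `@PermitAll` and `@DenyAll` on a plain (non-EJB) resource class, web.xml needs the context parameter `resteasy.role.based.security` set to `true`; without it the annotations are ignored and the endpoint is open to any authenticated or unauthenticated caller.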