Tuesday, 15 September 2015

java - JAX-RS (Jersey 2) - authorization using JSR 250 annotations -




Intro

Jersey: 2.9

This part of the Jersey documentation describes how to provide authorization for REST services. There are 2 ways to do that:

- the standard servlet way, using configuration in web.xml
- a much improved solution using JSR 250 annotations

The first approach works fine, but I cannot get the second one to work.

Case 1 (using web.xml):

This example works. It is here for informational purposes only. If you want, jump to the second one, which does not work.

The resource is simple:

```java
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;

@Path("/helloworld")
public class HelloWorldResource {

    @GET
    @Produces(MediaType.TEXT_PLAIN)
    public String sayHelloWorld() {
        return "Hello World!!!";
    }
}
```

The security configuration is placed in the web.xml file and looks like this:

```xml
<web-app ...>
    <servlet>
        <servlet-name>javax.ws.rs.core.Application</servlet-name>
    </servlet>
    <servlet-mapping>
        <servlet-name>javax.ws.rs.core.Application</servlet-name>
        <url-pattern>/rest/*</url-pattern>
    </servlet-mapping>

    <!-- security -->
    <security-constraint>
        <web-resource-collection>
            <url-pattern>/rest/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>boss</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>defaultrealm</realm-name>
    </login-config>
</web-app>
```

This example works fine. When I try to access http://{myhost}:8080/{war_name}/rest/helloworld I have to provide a username and password. It means that the realm and its configuration in the database are fine. There is no need to show them here.

Case 2 (JSR 250 annotations):

This example does not work. The resource is the same as in the first example, but annotations are added:

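```java
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;

@Path("/helloworld")
@PermitAll
public class HelloWorldResource {

    @RolesAllowed("boss")
    @GET
    @Produces(MediaType.TEXT_PLAIN)
    public String sayHelloWorld() {
        return "Hello World!!!";
    }
}
```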

As you can see, 2 annotations were added. It is the same security policy as in the first example, but defined using annotations instead of web.xml.

Now web.xml looks like this:

```xml
<?xml version="1.0" encoding="utf-8"?>
<web-app ...>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>defaultrealm</realm-name>
    </login-config>
</web-app>
```

In addition, a new class was added (as described in the documentation):

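```java
import javax.ws.rs.ApplicationPath;
import org.glassfish.jersey.server.ResourceConfig;
import org.glassfish.jersey.server.filter.RolesAllowedDynamicFeature;

@ApplicationPath("rest")
public class MyApplication extends ResourceConfig {

    public MyApplication() {
        super(HelloWorldResource.class);
        // Enables evaluation of @RolesAllowed / @PermitAll / @DenyAll on resources
        register(RolesAllowedDynamicFeature.class);
    }
}
```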

This class is important. As you can see, the required RolesAllowedDynamicFeature is registered. So the 2 main steps are done:

- adding annotations to the resource
- registering RolesAllowedDynamicFeature

Problem:

The second example does not work. The popup to provide username and password never shows up. Every time the response is 403 Forbidden. It is not a problem with the realm or database configuration, since that configuration works fine with the first example.

So the question is: what is wrong with the second implementation?

Thanks in advance.

Instead of the ResourceConfig sub-class, try to add this block to web.xml:

```xml
<init-param>
    <param-name>com.sun.jersey.spi.container.ResourceFilters</param-name>
    <param-value>com.sun.jersey.api.container.filter.RolesAllowedResourceFilterFactory</param-value>
</init-param>
```
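
Added example, not part of the original question or answer: RolesAllowedDynamicFeature only asks SecurityContext.isUserInRole() and never authenticates anyone, and a servlet container issues the BASIC challenge only for URLs covered by a security-constraint, so with the case 2 web.xml every request stays anonymous and is answered with 403. One way to keep the role checks in the annotations while letting the container do the authentication is the fragment below; the web-resource-name value is constructed, and the role name and URL pattern are taken from the question.

```xml
<!-- Added example: goes inside <web-app>, next to the existing <login-config>. -->

<!-- Authentication only: make the container challenge for credentials on /rest/*.
     "*" means "any role declared in a <security-role> element of this descriptor",
     so this constraint requires a logged-in user but does not choose the role.
     The per-method decision stays with @RolesAllowed on the resource. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>rest-api</web-resource-name> <!-- constructed name -->
        <url-pattern>/rest/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
</security-constraint>

<!-- Declare every role that appears in @RolesAllowed, so that "*" covers it
     and isUserInRole("boss") can be resolved by the container. -->
<security-role>
    <role-name>boss</role-name>
</security-role>
```

With this constraint in place, resources under /rest/* marked @PermitAll also require a login, because the container authenticates before Jersey sees the request. BASIC sends the password with every request, so serve the API over TLS (a user-data-constraint with transport-guarantee CONFIDENTIAL enforces that).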

java security rest jax-rs jersey-2.0
