Hi all
I am trying to build a security mechanism around my JAX-RS application
that is light and dynamic. I find the security scheme available via
SecurityContext a bit too coupled with the container (i.e. configuration
of JDBC Realm) and also much too XML verbose. What I am looking for is
something such as:
--
@Retention(RetentionPolicy.RUNTIME)
@Target( { ElementType.METHOD })
public @interface Audit {
    boolean authorize() default true;
    boolean log() default false;
    AuthMechanism mechanism() default AuthMechanism.TOKEN;
}
--
where AuthMechanism.TOKEN will force the interceptor to retrieve
"Authorization: Token" headers from the request (similar with BASIC,
DIGEST...). This should then be used like:
--
@Path("/users")
@Interceptors(AuditInterceptor.class)
public class UserResource {
    @GET
    @Audit
    @ProduceMime( { "application/xml", "application/json" })
    public Order getOrder() {
        // requires login
    }
}
--
Which hopefully will provide flexible authentication by letting me choose how it
should be implemented (OpenID, JDBC Realm, ActiveDirectory....) and
also keep XML configuration to a minimum.
The problem I am facing is how to actually intercept the method call,
since JAX-RS (to my knowledge) has no interceptor model
(like @Interceptors from EJB 3). So in short, how do I best
intercept method calls in Jersey?
Note: Guice actually provides a mechanism for doing this using:
MethodInterceptor/MethodInvocation from aopalliance, but this
unfortunately only works if the resource is created by Guice.
Any input will be greatly appreciated.
--
Yours sincerely
Lars Tackmann
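
Added example, not part of the original post: a sketch of the decision an interceptor could make once it has the invoked method and the raw Authorization header, using the @Audit annotation and the TOKEN/BASIC/DIGEST mechanisms named above. AuditDecisionExample, Decision, DemoResource and decide() are hypothetical names, and how the check is hooked into Jersey is left open.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.util.Locale;

public class AuditDecisionExample {
    enum AuthMechanism { TOKEN, BASIC, DIGEST }
    enum Decision { NOT_REQUIRED, REJECT, VERIFY_CREDENTIAL }

    @Retention(RetentionPolicy.RUNTIME)
    @Target({ ElementType.METHOD })
    @interface Audit {
        boolean authorize() default true;
        boolean log() default false;
        AuthMechanism mechanism() default AuthMechanism.TOKEN;
    }

    // Hypothetical resource standing in for UserResource (no JAX-RS types needed here).
    public static class DemoResource {
        @Audit public String getOrder() { return "order"; }
        @Audit(mechanism = AuthMechanism.BASIC) public String getProfile() { return "profile"; }
        public String health() { return "ok"; }
    }

    // Decide what to do with a call, given the raw Authorization header value (may be null).
    static Decision decide(Method method, String authorizationHeader) {
        Audit audit = method.getAnnotation(Audit.class);
        if (audit == null || !audit.authorize()) return Decision.NOT_REQUIRED;
        if (authorizationHeader == null) return Decision.REJECT;   // fail closed: no header
        String[] parts = authorizationHeader.trim().split("\\s+", 2);
        if (parts.length != 2) return Decision.REJECT;              // scheme without credential
        // Scheme names are compared case-insensitively and must match the annotated mechanism.
        String scheme = parts[0].toUpperCase(Locale.ROOT);
        if (!scheme.equals(audit.mechanism().name())) return Decision.REJECT;
        // The credential (parts[1]) is still unverified; it goes to the chosen backend next.
        return Decision.VERIFY_CREDENTIAL;
    }

    public static void main(String[] args) throws Exception {
        Method getOrder = DemoResource.class.getMethod("getOrder");
        Method getProfile = DemoResource.class.getMethod("getProfile");
        Method health = DemoResource.class.getMethod("health");
        // Constructed sample header values, not taken from a real request.
        System.out.println(decide(getOrder, "Token abc123"));
        System.out.println(decide(getOrder, "Basic dXNlcjpwdw=="));
        System.out.println(decide(getOrder, null));
        System.out.println(decide(getProfile, "basic dXNlcjpwdw=="));
        System.out.println(decide(health, null));
    }
}
```

A header whose scheme differs from the annotated mechanism is rejected rather than passed to another verifier, so a method marked TOKEN never accepts BASIC credentials.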