users@jersey.java.net

Re: Security Interceptors

From: Martin Grotzke <martin.grotzke_at_javakaffee.de>
Date: Sun, 23 Mar 2008 17:55:58 +0100

Hi Lars,

one thing I could think of is to implement your own component provider
that checks whether the class to instantiate has your @Interceptors
annotation or whether any method has, e.g., your @Audit annotation. For
these classes you could return a proxied instance (e.g. using cglib), so
that you can intercept method invocations.

This approach works for root resources and subresources that are created
by Jersey (you can return a class object from a resource method).
For subresources that are instantiated directly within resource methods
(e.g. returning a new OrderResource for the current user) instead of
going through Jersey / the component provider, there's still no final
solution - AFAIK.

As an example of how to write a custom component provider you might take
a look at Paul's posting about integrating Spring and Jersey ([1]).

Cheers,
Martin


[1] http://blogs.sun.com/sandoz/entry/integrating_jersey_and_spring_take


On Sun, 2008-03-23 at 17:11 +0100, Lars Tackmann wrote:
> Hi all
>
> I am trying to build a security mechanism around my JAX-RS application
> that is light and dynamic. I find the security scheme available via
> SecurityContext a bit too coupled with the container (i.e. configuration
> of a JDBC Realm) and also much too XML-verbose. What I am looking for is
> something such as:
>
> --
> @Retention(RetentionPolicy.RUNTIME)
> @Target({ ElementType.METHOD })
> public @interface Audit {
>     boolean authorize() default true;
>     boolean log() default false;
>     AuthMechanism mechanism() default AuthMechanism.TOKEN;
> }
> --
>
> where AuthMechanism.TOKEN will force the interceptor to retrieve
> "Authorization: Token" headers from the request (similar with BASIC,
> DIGEST...). This should then be used like:
>
> --
> @Path("/users")
> @Interceptors(AuditInterceptor.class)
> public class UserResource {
>     @GET
>     @Audit
>     @ProduceMime({ "application/xml", "application/json" })
>     public Order getOrder() {
>         // requires login
>     }
> }
> --
>
> Which hopefully will provide flexible authentication by letting me choose
> how it should be implemented (OpenID, JDBC Realm, ActiveDirectory....) and
> also keep XML configuration to a minimum.
>
> The problem I am facing is how to actually intercept the method call,
> since JAX-RS (to my knowledge) has no interceptor model
> (like @Interceptors from EJB 3). So, in short: how do I best
> intercept method calls in Jersey?
>
> Note: Guice actually provides a mechanism for doing this using
> MethodInterceptor/MethodInvocation from aopalliance, but this
> unfortunately only works if the resource is created by Guice.
>
> Any input will be greatly appreciated.
>
-- 
Martin Grotzke
http://www.javakaffee.de/blog/
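The proxy-based interception Martin describes above, as a stand-alone sketch. This is an added example, not code from the thread or from Jersey: it uses java.lang.reflect.Proxy instead of cglib (so the resource must implement an interface; cglib would subclass the resource class directly), and it leaves out the actual component-provider hookup, since that Jersey API is not shown in the thread. The AuthMechanism enum, the @Audited marker, RequestContext, AuditInterceptor, wrapIfAudited and UserResourceImpl are assumed names; the two requests in main are constructed. Requires Java 9 or later for Map.of.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.util.Map;

public class AuditProxyDemo {

    // Assumed: the thread uses AuthMechanism.TOKEN but never defines the enum.
    enum AuthMechanism { TOKEN, BASIC, DIGEST }

    // The @Audit annotation as sketched in the thread.
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    @interface Audit {
        boolean authorize() default true;
        boolean log() default false;
        AuthMechanism mechanism() default AuthMechanism.TOKEN;
    }

    // Assumed class-level marker standing in for EJB's @Interceptors: only classes
    // carrying it are proxied; everything else is handed out unwrapped.
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.TYPE)
    @interface Audited {}

    static class NotAuthorizedException extends RuntimeException {
        NotAuthorizedException(String msg) { super(msg); }
    }

    // Assumed stand-in for the request headers a real resource reads via @Context HttpHeaders.
    interface RequestContext { String header(String name); }

    // java.lang.reflect.Proxy needs an interface; cglib would subclass the class instead.
    interface UserResource { String getOrder(); String ping(); }

    @Audited
    static class UserResourceImpl implements UserResource {
        @Audit(mechanism = AuthMechanism.TOKEN, log = true)
        public String getOrder() { return "order-42"; }
        public String ping() { return "pong"; } // no @Audit: passes through unchecked
    }

    // Assumed name. Enforces @Audit before the call reaches the resource.
    static class AuditInterceptor implements InvocationHandler {
        private final Object target;
        private final RequestContext request;
        AuditInterceptor(Object t, RequestContext r) { target = t; request = r; }

        @Override
        public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {
            // Resolve the method on the implementation class: that is where @Audit lives.
            Method impl = target.getClass().getMethod(method.getName(), method.getParameterTypes());
            Audit audit = impl.getAnnotation(Audit.class);
            if (audit != null) {
                if (audit.log()) System.out.println("audit: " + impl.getName());
                if (audit.authorize()) requireCredential(audit.mechanism());
            }
            try {
                return method.invoke(target, args);
            } catch (InvocationTargetException e) {
                throw e.getCause(); // let the resource's own exceptions propagate unchanged
            }
        }

        // Requires "Authorization: <Scheme> <credential>", Scheme derived from the mechanism
        // (TOKEN -> "Token", BASIC -> "Basic"). Validating the credential against a backend
        // (OpenID, JDBC realm, Active Directory, ...) would be the next step and is not shown.
        private void requireCredential(AuthMechanism mechanism) {
            String name = mechanism.name();
            String scheme = name.charAt(0) + name.substring(1).toLowerCase();
            String auth = request.header("Authorization");
            boolean schemeOk = auth != null
                    && auth.regionMatches(true, 0, scheme + " ", 0, scheme.length() + 1);
            if (!schemeOk || auth.substring(scheme.length() + 1).trim().isEmpty()) {
                throw new NotAuthorizedException("missing or malformed " + scheme + " credential");
            }
        }
    }

    // The step a custom component provider would perform when Jersey asks it for an instance.
    @SuppressWarnings("unchecked")
    static <T> T wrapIfAudited(Class<T> iface, T instance, RequestContext request) {
        if (!instance.getClass().isAnnotationPresent(Audited.class)) return instance;
        return (T) Proxy.newProxyInstance(iface.getClassLoader(), new Class<?>[] { iface },
                new AuditInterceptor(instance, request));
    }

    public static void main(String[] args) {
        // Constructed sample requests: one carrying a token, one anonymous.
        Map<String, String> withToken = Map.of("Authorization", "Token abc123");
        Map<String, String> anonymous = Map.of();

        UserResource authed = wrapIfAudited(UserResource.class, new UserResourceImpl(), withToken::get);
        System.out.println(authed.getOrder());
        System.out.println(authed.ping());

        UserResource anon = wrapIfAudited(UserResource.class, new UserResourceImpl(), anonymous::get);
        System.out.println(anon.ping());
        try {
            anon.getOrder();
        } catch (NotAuthorizedException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac AuditProxyDemo.java && java AuditProxyDemo`. Two caveats carry over directly from the thread: the check only fires on instances that went through wrapIfAudited, so a subresource created with `new` inside a resource method bypasses it (the gap Martin points out), and the interceptor only verifies that a credential of the expected scheme is present; it does not establish who the caller is until that credential is validated against the chosen backend.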