Hi all
I am trying to build a security mechanism around my JAX-RS application
that is light and dynamic. In that sense I find the current security
scheme too coupled to the container (i.e. JDBC Realm) and also way too
XML verbose. What I am looking for is something such as:
--
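import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

@Retention(RetentionPolicy.RUNTIME)
@Target({ ElementType.METHOD })
public @interface Audit {
    boolean authorize() default true;
    boolean log() default false;
    AuthMechanism mechanism() default AuthMechanism.TOKEN;
}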
--
where AuthMechanism.TOKEN will force the interceptor to retrieve
--
Authorization: Token
--
headers from the request (and similar with BASIC, DIGEST...). This
could then be used like:
--
@Path("/users")
@Interceptors(AuditInterceptor.class)
public class UserResource {
    @GET
    @Audit
    @ProduceMime({ "application/xml", "application/json" })
    public Order getOrder() {
        // requires login
    }
}
--
Which provides flexible authentication as it lets me choose how it
should be implemented (OpenID, JDBC Realm, ActiveDirectory....) and
also it keeps XML configuration to a minimum.
The problem I am facing is how to actually intercept the method call,
since JAX-RS (to my knowledge) has no interceptor model
(like @Interceptors from EJB 3). The only solution seems to be to use
standard servlet technology, which is something I am keen to avoid.
So in short, how do I best intercept method calls in Jersey?
Note: Guice actually provides a mechanism for doing this using:
MethodInterceptor/MethodInvocation from aopalliance, but this
unfortunately only works if the resource is created by Guice.
Any input will be greatly appreciated.
--
Yours sincerely
Lars Tackmann
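
The check an interceptor for the @Audit annotation above would run before invoking a resource method, as an added example that is not part of the original post and not Jersey or Guice code. The `AuthMechanism` enum body, the `requiredCredential` helper, the `ping` method and the sample header values are assumptions made for illustration; how the call gets intercepted is left open, as in the post.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.util.Locale;
import java.util.Optional;
public class AuditCheckDemo {
    enum AuthMechanism { TOKEN, BASIC, DIGEST }   // assumed enum; the post only names the values
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    @interface Audit {
        boolean authorize() default true;
        boolean log() default false;
        AuthMechanism mechanism() default AuthMechanism.TOKEN;
    }

    static class UserResource {
        @Audit public String getOrder() { return "order"; }   // requires login
        public String ping() { return "pong"; }               // hypothetical method without @Audit
    }

    /**
     * Hypothetical helper. Empty result: no authentication required. Otherwise the
     * credential that the chosen backend (OpenID, JDBC realm, ...) still has to verify.
     * Fails closed when the header is missing, uses another scheme, or has no credential.
     */
    static Optional<String> requiredCredential(Method m, String authorizationHeader) {
        Audit audit = m.getAnnotation(Audit.class);
        if (audit == null || !audit.authorize()) return Optional.empty();
        if (authorizationHeader == null) throw new SecurityException("missing Authorization header");
        String[] parts = authorizationHeader.trim().split("\\s+", 2);
        // HTTP authentication scheme names are case-insensitive.
        if (!parts[0].toUpperCase(Locale.ROOT).equals(audit.mechanism().name()))
            throw new SecurityException("expected scheme " + audit.mechanism());
        if (parts.length < 2 || parts[1].isEmpty()) throw new SecurityException("empty credential");
        return Optional.of(parts[1]);
    }

    public static void main(String[] args) throws Exception {
        Method secured = UserResource.class.getMethod("getOrder");
        Method open = UserResource.class.getMethod("ping");
        System.out.println("ping, no header -> " + requiredCredential(open, null));
        // Constructed sample header values; the token and the Basic blob are made up.
        for (String h : new String[] { "Token abc123", "token  abc123", "Basic dXNlcjpwdw==", "Token", null }) {
            try {
                System.out.println(h + " -> verify " + requiredCredential(secured, h));
            } catch (SecurityException e) {
                System.out.println(h + " -> 401 (" + e.getMessage() + ")");
            }
        }
    }
}
```

The helper only selects and extracts the credential; a returned value is not yet an authenticated caller until the backend has verified it.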