users@jersey.java.net

Security Interceptors

From: Lars Tackmann <lars_at_randompage.org>
Date: Sun, 23 Mar 2008 12:19:35 +0100

Hi all

I am trying to build a security mechanism around my JAX-RS application
that is light and dynamic. In that sense I find the current security
scheme too coupled to the container (i.e. JDBC Realm) and also way too
XML verbose. What I am looking for is something such as:

--
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

// Header scheme the interceptor should look for (TOKEN, BASIC and DIGEST are the ones named below)
enum AuthMechanism { TOKEN, BASIC, DIGEST }

@Retention(RetentionPolicy.RUNTIME)
@Target({ ElementType.METHOD })
public @interface Audit {
    boolean authorize() default true;
    boolean log() default false;
    AuthMechanism mechanism() default AuthMechanism.TOKEN;
}
--
where AuthMechanism.TOKEN will force the interceptor to retrieve
--
Authorization: Token
--
headers from the request (and similar with BASIC, DIGEST...). This
could then be used like:
--
import javax.interceptor.Interceptors;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.ProduceMime;

@Path("/users")
@Interceptors(AuditInterceptor.class)
public class UserResource {
    @GET
    @Audit
    @ProduceMime({ "application/xml", "application/json" })
    public Order getOrder() {
        // requires login
        return null; // body left out in the post
    }
}
--
Which provides flexible authentication as it lets me choose how it
should be implemented (OpenID, JDBC Realm, ActiveDirectory....) and
also it keeps XML configuration to a minimum.
The problem I am facing is how to actually intercept the method call,
since JAX-RS (to my knowledge) has no interceptor model
(like @Interceptors from EJB 3). The only solution seems to be to use
standard servlet technology, which is something I am keen to avoid.
So in short, how do I best intercept method calls in Jersey?
Note: Guice actually provides a mechanism for doing this using:
MethodInterceptor/MethodInvocation from aopalliance, but this
unfortunately only works if the resource is created by Guice.
Any input will be greatly appreciated:
-- 
Yours sincerely
Lars Tackmann
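An added example of the Guice route the post mentions (this is not code from the post, nor from Jersey or Guice themselves): an aopalliance MethodInterceptor that reads the @Audit annotation off the intercepted method, takes the Authorization header for the chosen AuthMechanism, fails closed with 401 before the resource method runs, and logs the call when log() is set. It assumes the Audit and AuthMechanism types from the post, that the Guice module binds the JAX-RS HttpHeaders of the current request (hence the Provider<HttpHeaders>), and a hypothetical CredentialValidator standing in for whichever backend (OpenID, JDBC Realm, ActiveDirectory) does the actual check.

```java
import java.lang.reflect.Method;
import java.util.List;
import java.util.logging.Logger;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import org.aopalliance.intercept.MethodInterceptor;
import org.aopalliance.intercept.MethodInvocation;
import com.google.inject.Provider;

public class AuditInterceptor implements MethodInterceptor {
    private static final Logger LOG = Logger.getLogger(AuditInterceptor.class.getName());

    /** Hypothetical backend hook; the post names OpenID, JDBC Realm and ActiveDirectory as candidates. */
    public interface CredentialValidator {
        boolean isValid(AuthMechanism mechanism, String credential);
    }

    private final Provider<HttpHeaders> headers; // assumption: the Guice module binds this per request
    private final CredentialValidator validator;

    public AuditInterceptor(Provider<HttpHeaders> headers, CredentialValidator validator) {
        this.headers = headers;
        this.validator = validator;
    }

    public Object invoke(MethodInvocation invocation) throws Throwable {
        Method method = invocation.getMethod();
        Audit audit = method.getAnnotation(Audit.class);
        if (audit == null) return invocation.proceed(); // not annotated: nothing to enforce
        if (audit.authorize()) {
            String credential = credentialFor(audit.mechanism(), headers.get());
            // fail closed: a missing header, a different scheme or a rejected credential all stop here
            if (credential == null || !validator.isValid(audit.mechanism(), credential)) {
                throw new WebApplicationException(Response.Status.UNAUTHORIZED);
            }
        }
        if (audit.log()) {
            LOG.info("audit: " + method.getDeclaringClass().getSimpleName() + "." + method.getName());
        }
        return invocation.proceed(); // the resource method runs only after the checks above pass
    }

    /** Credential part of "Authorization: <scheme> <credential>" if <scheme> matches the mechanism, else null. */
    static String credentialFor(AuthMechanism mechanism, HttpHeaders h) {
        List<String> values = h.getRequestHeader(HttpHeaders.AUTHORIZATION);
        if (values == null || values.isEmpty()) return null;
        String[] parts = values.get(0).trim().split("\\s+", 2);
        // scheme names are case-insensitive, so "Token", "TOKEN" and "token" all select AuthMechanism.TOKEN
        if (parts.length != 2 || !parts[0].equalsIgnoreCase(mechanism.name())) return null;
        return parts[1];
    }
}
```

Wired in a Guice module with bindInterceptor(Matchers.any(), Matchers.annotatedWith(Audit.class), new AuditInterceptor(getProvider(HttpHeaders.class), validator)). As the post notes, this only fires for resources that Guice itself constructs.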