Lars Tackmann wrote:
> On Mon, Mar 31, 2008 at 4:31 PM, Leif Gensert <leifg_at_gmx.de> wrote:
>> For my implementation I need to access data sources using username &
>> password. Therefore the client must deliver this information to the
>> web-service.
>>
>> I'd like to use the basic authorization of http (something like this:
>> "Authorization: Basic c2FkZmFzZGY6c2FkZmRzYWRzYWY=")
>>
>> On the other side I need to get username and password for access. Is
>> there a way to get this information using @Context SecurityContext? Or
>> do I need to set the Authorization String manually?
>>
>> Leif Gensert
>
> I think that SecurityContext is intended for container managed security
> (i.e. JDBC realm).
That is correct. Our approach is to try and rely as much as possible on
the container for security support. But as I understand at the moment
there are way too many steps to configure (or plug in) for GF.
So I am wondering if we should consider a general req/res filter
mechanism that could do request verification and response modification.
A servlet filter would be ideal if the request processing filter part can
provide the SecurityContext implementation.
> You can
> however inject the http headers into your class yourself and get the info
> from there i.e:
>
> @Context
> private HttpHeaders headers;
>
> and decode the headers yourself (I have an example of that here
> http://svn.randompage.org/java/jeeSamples/jax-rs/bookmarking/src/main/java/org/randompage/samples/jaxrs/bookmarking/common/Utils.java).
>
> As for the client you can set the appropriate info using the splendid
> JAX-RS client - I also have an example of this here
> http://svn.randompage.org/java/jeeSamples/jax-rs/bookmarking/src/test/java/org/randompage/samples/jaxrs/bookmarking/test/WSTest.java
>
I would really like to provide pluggable auth mechanisms as part of the
client API. e.g. to configure the Client to auth for all WebResource
instances or configure the WebResource to use auth that overrides that
of the Client.
A general client filter mechanism is already in there that can support
such auth mechanisms. I can send more details if you like.
Paul.
--
Paul Sandoz
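
The server-side decoding discussed in this thread, as an added example that is not code from the thread or from the linked Utils.java. In a JAX-RS resource the input would be the `Authorization` value read from the injected `HttpHeaders`; the `BasicAuth` and `Credentials` names, the UTF-8 charset and the malformed sample inputs are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;

// Added example: decode the value of an HTTP "Authorization: Basic ..." header.
public final class BasicAuth {
    public static final class Credentials {
        public final String username;
        public final String password;
        Credentials(String username, String password) {
            this.username = username;
            this.password = password;
        }
    }

    // Returns empty for anything that is not a well-formed Basic credential,
    // so the caller can answer 401 instead of handling an exception.
    public static Optional<Credentials> parse(String headerValue) {
        if (headerValue == null) return Optional.empty();
        String v = headerValue.trim();
        // The scheme name is case-insensitive and is followed by a space.
        if (v.length() < 7 || !v.regionMatches(true, 0, "Basic ", 0, 6)) return Optional.empty();
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(v.substring(6).trim());
        } catch (IllegalArgumentException e) {
            return Optional.empty(); // payload is not valid Base64
        }
        String pair = new String(raw, StandardCharsets.UTF_8); // charset is an assumption
        // Split on the first colon only: the password may itself contain ':'.
        int colon = pair.indexOf(':');
        if (colon < 1) return Optional.empty(); // no separator; this example also rejects an empty username
        return Optional.of(new Credentials(pair.substring(0, colon), pair.substring(colon + 1)));
    }

    public static void main(String[] args) {
        // First value is the header quoted in the thread; the rest are constructed inputs.
        String[] samples = {
            "Basic c2FkZmFzZGY6c2FkZmRzYWRzYWY=",
            "basic c2FkZmFzZGY6c2FkZmRzYWRzYWY=",
            "Basic not*base64",
            "Digest username=\"x\"",
        };
        for (String s : samples) {
            // Print the username only: Base64 is an encoding, so the password must stay out of logs.
            String result = parse(s).map(c -> "user=" + c.username).orElse("rejected (401)");
            System.out.println(s.split(" ")[0] + " -> " + result);
        }
    }
}
```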