users@jersey.java.net

Re: [Jersey] QueryParam filter?

From: Paul Sandoz <Paul.Sandoz_at_Sun.COM>
Date: Wed, 07 May 2008 12:07:55 -0700

Hi Andrew,

Welcome to the list.

On security in general we will be adding support for the @RolesAllowed
annotation, for example:

   @GET
   @Path("verifyLogin")
   @ProduceMime("text/plain")
   @RolesAllowed("admin")
   public String verifyLogin(@Context SecurityContext sc) { ... }

I am not sure if that will meet your needs or not. Other than that,
Martin's link to ComponentProvider may help so you can do "IoC-light".


On May 6, 2008, at 10:17 AM, Andrew Cole wrote:

> Thanks for that info, Martin. Unfortunately, I am not using Spring,
> but EJBs on JBoss with Jersey and JAXB. Any other ideas?
>
> Also, I mentioned that in the meantime I have been using code like:
> public String verifyLogin(@QueryParam("auth") SessionToken token) {
> // do something with token...
> }
> and raising a WebApplicationException in my SessionToken constructor
> if the token is invalid, etc. When I do this, I always get a 400 BAD
> REQUEST error even when I specify a different status code in my
> WebApplicationException. This makes sense, since Jersey must catch
> Exceptions thrown while trying to marshall objects and return the 400
> itself, but I would like to override this behavior if we don't come up
> with another way for me to achieve my desired functionality.
>

We will be fixing this (slated for 0.8) so you will be able to
customize the mapping of exceptions to status codes and representations.

Paul.

> Andrew
>
> On Mon, May 5, 2008 at 11:56 PM, Martin Grotzke
> <martin.grotzke_at_freiheit.com> wrote:
>> Hi Andrew,
>>
>> are you using an IoC-container that provides AOP-features, like e.g.
>> spring? In this case you might use AOP functionality of spring and
>> define your pointcuts and advices accordingly. Your resource classes
>> then must be managed by the IoC-container, so that AOP stuff is applied.
>>
>> For spring (2.5) the introduction to their AOP integration is here [1].
>>
>> Cheers,
>> Martin
>>
>>
>> [1] http://static.springframework.org/spring/docs/2.5.x/reference/aop.html
>>
>>
>>
>>
>> On Mon, 2008-05-05 at 15:37 -0700, Andrew Cole wrote:
>>> Hi all.
>>>
>>> Just joined the list and I've read through some of the archives and
>>> didn't find quite what I was looking for. Nearest thing seems to be
>>> the Security Interceptors thread from late March.
>>>
>>> In my app I have an authentication token coming in as a query param
>>> for methods that need authentication. I can decode the authentication
>>> token and create an object with information about the user. I would
>>> like to be able to easily specify which methods need authentication,
>>> and then have the token information made available to those methods.
>>> I'm thinking that ideally I could have an annotation that works like:
>>>
>>> @GET
>>> @Path("verifyLogin")
>>> @ProduceMime("text/plain")
>>> @MyAuthAnnotation // indicates this method requires a valid session token
>>> public String verifyLogin(@MyAuthQueryParam SessionToken token) {
>>>     // session token initialized from the value of the query param
>>>     // passed in as argument
>>>     return token.getUsername() + " is logged in and has account ID: " +
>>>         token.getAccountId();
>>> }
>>>
>>> The important thing is to make it as simple as possible to require
>>> authentication for a method, since this code will be used over and
>>> over for many methods.
>>>
>>> I have tried using the regular QueryParam syntax and making my
>>> SessionToken constructor accept a String argument. In the constructor
>>> I can verify that the token is valid and decode the user information.
>>> This works well except when someone calls the method without including
>>> the query parameter in the request at all. In this case, the
>>> QueryParam-annotated argument to my method is null (and I don't want
>>> to have to check for nulls in every method that requires
>>> authentication).
>>>
>>> Any ideas on how I can go about this?
>>>
>>> Thanks,
>>> Andrew
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe_at_jersey.dev.java.net
>>> For additional commands, e-mail: users-help_at_jersey.dev.java.net
>>
>>
>
>
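
The failure mode raised in the original question, where a request that omits the query parameter delivers null so the constructor's validation never runs, shown as an added example that is not code from this thread or from Jersey. The token format, the demo key and the names `bind` and `require` are assumptions; `bind` only imitates the null-on-absent binding described above, and `SecurityException` stands in for the HTTP error a resource would return.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class SessionTokenDemo {
    static final byte[] KEY = "constructed-demo-key".getBytes(StandardCharsets.UTF_8); // constructed

    static byte[] mac(String data) {
        try {
            Mac m = Mac.getInstance("HmacSHA256");
            m.init(new SecretKeySpec(KEY, "HmacSHA256"));
            return m.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }

    // Assumed token format: username:accountId:base64url(HMAC-SHA256("username:accountId"))
    static final class SessionToken {
        final String username;
        final long accountId;
        SessionToken(String raw) {
            String[] p = raw.split(":", 3);
            if (p.length != 3) throw new SecurityException("malformed token");
            byte[] sent;
            try { sent = Base64.getUrlDecoder().decode(p[2]); }
            catch (IllegalArgumentException e) { throw new SecurityException("malformed token"); }
            // Constant-time comparison of the expected and the presented MAC.
            if (!MessageDigest.isEqual(mac(p[0] + ":" + p[1]), sent)) throw new SecurityException("bad signature");
            username = p[0];
            accountId = Long.parseLong(p[1]);
        }
    }

    // Stand-in for the binding described in the thread: an absent parameter yields null.
    static SessionToken bind(String q) { return q == null ? null : new SessionToken(q); }
    // Shared guard so a missing parameter fails closed instead of reaching the method as null.
    static SessionToken require(SessionToken t) {
        if (t == null) throw new SecurityException("missing auth parameter");
        return t;
    }
    public static void main(String[] args) {
        String sig = Base64.getUrlEncoder().withoutPadding().encodeToString(mac("alice:42"));
        for (String q : new String[] { "alice:42:" + sig, "alice:1:" + sig, null }) { // constructed inputs
            try { System.out.println(require(bind(q)).username + " accepted"); }
            catch (RuntimeException e) { System.out.println("rejected: " + e.getMessage()); }
        }
    }
}
```

Without the `require` call the third input would reach the resource method as null, which is the case the constructor-based check cannot see.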