users@jersey.java.net

Re: [Jersey] Full-fledged SSL under Jersey

From: Gili <cowwoc_at_bbs.darktech.org>
Date: Tue, 3 Mar 2009 08:57:29 -0800 (PST)

        You're probably right. In my case, however, I will base it on the
specific Principal as well because I need users who upload images to be
able to edit them (as well as the Administrator role).

Gili

Marc Hadley (via Nabble) wrote:
> On Mar 2, 2009, at 8:37 PM, Gili wrote:
>
> >
> > It's not clear how users, groups and roles are related in Glassfish.
> >
> > Glassfish's sun-web.xml lets you associate multiple principals and
> > groups
> > with each role, but it's not clear how to get at that information
> > using
> > javax.ws.rs.core.SecurityContext. SecurityContext lets you get the
> > user
> > principal, but how do I get the list of groups and roles associated
> > with
> > this principal? I can't seem to find good documentation on this
> > topic. Any
> > ideas?
> >
> I'm no security expert so take this with a grain of salt but I think
> the idea is that rather than getting a list of groups and roles you
> check SecurityContext.isUserInRole for whatever role is needed to
> access the protected resource. IOW, you base your security decisions
> on roles alone.
>
> Marc.
>
> > Steve Sims wrote:
> >>
> >> Hi Gili,
> >>
> >> I've only written a test harness (using the pre-Jersey 1.0.2
> >> HttpURLConnection based client not the new Apache based one) to
> >> communicate with my local machine using HTTPS, so I don't know too
> >> much
> >> about Java's security mechanisms but basically, Java keeps its
> >> trusted
> >> certificates in keyfiles that are modified using the keytool
> >> application
> >> supplied with the Java distribution and therefore if you have a
> >> trusted
> >> certificate for the server imported, or the certificate's been
> >> issued by
> >> a certificate authority whose certificate is in the trust store,
> >> then it
> >> should take care of everything for you when you open up a connection.
> >>
> >> If you don't have a trusted CA signed (i.e. commercial) certificate
> >> then
> >> you can create a keyfile containing your server's key and distribute
> >> that along with the client. I did the following within my test
> >> harness:
> >>
> >> 1) Point firefox towards https://localhost:8081/v1/core/
> >> 2) Click Tools->Page Info
> >> 3) Click the Security tab
> >> 4) Click the View Certificate button
> >> 5) Click the Details tab
> >> 6) Click the Export button and export the file as a PEM to somewhere
> >> 7) Bring up a shell to the place that the PEM file is stored
> >> 8) Create a new keyfile: keytool -importcert -alias "localhost" -file
> >> localhost.pem
> >> 9) Enter a password for the file such as "adminadmin"
> >>
> >> You then need to supply some system properties in order to get the
> >> JVM
> >> to load your keystores. Also, if you're testing on the local machine,
> >> because there's no DNS to resolve "localhost", I have to do the
> >> following test only HostnameVerifier hack:
> >>
> >> HttpsURLConnection.setDefaultHostnameVerifier(
> >> new javax.net.ssl.HostnameVerifier() {
> >>
> >> public boolean verify(String hostname, SSLSession sslSession) {
> >> if (hostname.equals("localhost")) {
> >> return true;
> >> }
> >> return false;
> >> }
> >> });
> >>
> >> System.setProperty("javax.net.ssl.keyStore", <generated keystore
> >> filename>);
> >> System.setProperty("javax.net.ssl.keyStorePassword", "adminadmin");
> >> System.setProperty("javax.net.ssl.trustStore", <generated keystore
> >> filename>);
> >> System.setProperty("javax.net.ssl.trustStorePassword", "adminadmin");
> >>
> >> There are ways to programmatically update the default keystore
> >> however
> >> using classes such as java.security.KeyStore etc.
> >>
> >> It helps, whilst trying to get it working to turn on the debug as
> >> well:
> >>
> >> System.setProperty("javax.net.debug", "ssl,handshake,record");
> >>
> >> Anyway, there's lots of information here that will explain things
> >> better
> >> than I have - there's just a lot to it! :
> >>
> >>
> http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html
> >>
> >> As far as the username and password issue goes, are you talking about
> >> HTTP BASIC authentication? If so, the new Apache based Jersey
> >> client is
> >> probably the way to go, see
> >> https://jersey.dev.java.net/servlets/ReadMsg?list=users&msgNo=4165
> <https://jersey.dev.java.net/servlets/ReadMsg?list=users&msgNo=4165>
> >>
> >> Hope this helps a little, it's quite a big area and took me a while
> >> to
> >> just get something working - then as soon as I had it I moved on!
> >>
> >> Steve
> >>
> >> Gili wrote:
> >>> Hi,
> >>>
> >>> What is the best way to communicate over SSL using Jersey? I
> >>> expect the
> >>> client to:
> >>>
> >>> 1) Request and verify the server certificate
> >>> 2) Encrypt and send the data to the server
> >>>
> >>> I have the following questions:
> >>>
> >>> - How do I request the server certificate (assuming it is found in
> >>> a CA)?
> >>> - How do I verify it?
> >>> - How do I configure an event listener to prompt me for a user
> >>> name and
> >>> password when it's needed?
> >>> - Do I need a commercial SSL certificate? Do I lose anything by
> >>> hard-coding
> >>> my public key into the client? Granted I'll need to issue new
> >>> clients if
> >>> the
> >>> server key changes, but is there anything else?
> >>>
> >>> Thank you,
> >>> Gili
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscribe@...
> <http://n2.nabble.com/user/SendEmail.jtp?type=node&node=2415466&i=0>
> >> For additional commands, e-mail: users-help@...
> <http://n2.nabble.com/user/SendEmail.jtp?type=node&node=2415466&i=1>
> >>
> >>
> >>
> >
> > --
> > View this message in context:
> http://n2.nabble.com/Full-fledged-SSL-under-Jersey-tp2402900p2412855.html
> > Sent from the Jersey mailing list archive at Nabble.com.
> >
> >
> >
>
>
>
>
>

-- 
View this message in context: http://n2.nabble.com/Full-fledged-SSL-under-Jersey-tp2402900p2416471.html
Sent from the Jersey mailing list archive at Nabble.com.
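Editor's added example (not code from the thread or from Jersey): the trust-store half of Steve's recipe done per-connection instead of via global system properties. It loads the keystore produced by the keytool -importcert step into a TrustManager, builds an SSLContext from it, and keeps the default HostnameVerifier in place; the certificate exported for the test server is assumed to name "localhost" in its CN or subjectAltName, so no verify()-returns-true override is needed. The file name and password are assumptions; the javax.net.ssl.keyStore properties are omitted because they only matter for client certificate authentication.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Client that trusts only the certificates in a dedicated trust store
 * (the keystore created with "keytool -importcert" in the thread) and
 * applies that trust to one connection rather than the whole JVM.
 */
public final class PinnedTrustClient {

    // Assumed file name and password for illustration (not from the thread).
    private static final String TRUST_STORE = "localhost.jks";
    private static final char[] TRUST_STORE_PASSWORD = "adminadmin".toCharArray();

    /** Build an SSLContext whose only trust anchors are the entries in storePath. */
    public static SSLContext buildContext(String storePath, char[] storePassword) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(storePath)) {
            trustStore.load(in, storePassword);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        // No KeyManagers: this client does not present a certificate of its own.
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Open url with the pinned context; hostname verification stays on. */
    public static int fetchStatus(SSLContext ctx, String url) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // Default HostnameVerifier: a name mismatch fails the connection
        // instead of being waved through by a custom verify() method.
        return conn.getResponseCode();
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = buildContext(TRUST_STORE, TRUST_STORE_PASSWORD);
        System.out.println(fetchStatus(ctx, "https://localhost:8081/v1/core/"));
    }
}
```

A certificate that does not chain to an entry in localhost.jks, or whose name does not match the URL host, now fails at handshake time, which is the behaviour the global-property plus permissive-verifier setup in the thread loses.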
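Editor's added example (not code from the thread or from Jersey) of the authorization rule Gili describes above: a caller may edit an image if the container puts them in the Administrator role (Marc's SecurityContext.isUserInRole check) or if the request's user principal is the image's owner. The role name, the resource path and the in-memory owner table are assumptions made for the example.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.ws.rs.PUT;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;

@Path("/images")
public class ImageResource {

    // Assumed role name; it must match the role declared in web.xml/sun-web.xml.
    private static final String ADMIN_ROLE = "Administrator";

    // Constructed sample data standing in for the real image store: id -> owner.
    private static final Map<String, String> OWNERS = new HashMap<>();
    static {
        OWNERS.put("42", "alice");
        OWNERS.put("43", "bob");
    }

    /** Role first, then ownership; anything else is denied. */
    static boolean mayEdit(SecurityContext sc, String ownerName) {
        Principal user = sc.getUserPrincipal();
        if (user == null) {
            return false;                       // unauthenticated caller
        }
        if (sc.isUserInRole(ADMIN_ROLE)) {
            return true;                        // Administrator may edit any image
        }
        return ownerName.equals(user.getName()); // owner may edit their own upload
    }

    @PUT
    @Path("{id}")
    public Response edit(@PathParam("id") String id, @Context SecurityContext sc, String body) {
        if (!sc.isSecure()) {                   // credentials only over HTTPS
            return Response.status(Response.Status.FORBIDDEN).build();
        }
        String owner = OWNERS.get(id);
        if (owner == null) {
            return Response.status(Response.Status.NOT_FOUND).build();
        }
        if (!mayEdit(sc, owner)) {
            return Response.status(Response.Status.FORBIDDEN).build();
        }
        // Apply the edit here; the sample store only records that it happened.
        return Response.ok("updated " + id).build();
    }
}
```

The principal-name comparison only works if the container populates getUserPrincipal() from the same identity store that records owners at upload time, so store the principal name (not a display name) when the image is first uploaded.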