users@jersey.java.net

[Jersey] Re: Using Security Constraints with Filters (tomcat)

From: Christopher Piggott <cpiggott_at_gmail.com>
Date: Wed, 9 Mar 2011 07:24:43 -0500

> do I have to check for the appropriate role at the beginning of each web
> method?

Do you mean "Do I have to annotate each resource method?" If that's
what you mean: you don't HAVE to, but you can if you want. Most of
the time I have my resources organized such that I have a single
@RolesAllowed annotating the entire resource class. Only if a method
is more restrictive do I usually annotate a method within.

> Is there a way to use the security annotations with a filter in tomcat?

This definitely all works with tomcat. With the standard filter check
out RolesAllowedResourceFilterFactory ... if you're building a custom
filter, make it extend ContainerRequestFilter, and have it use
containerRequest.setSecurityContext()

I hope that's helpful, if not I'll try again.

--Chris

> http://jersey.java.net/nonav/apidocs/latest/jersey/com/sun/jersey/api/container/filter/RolesAllowedResourceFilterFactory.html
> [2]
> http://download.java.net/maven/2/com/sun/jersey/samples/atompub-contacts/1.6-ea05/atompub-contacts-1.6-ea05-project.zip
>
> On 03/08/2011 08:47 PM, luksurious wrote:
>>
>> Hey,
>>
>> I'm using tomcat with jersey and found the only way to achieve our custom
>> authentication scheme by using a filter.
>> In this filter I register a Principal like I would in a tomcat Valve.
>> Then to use security annotations like @RolesAllowed I specified a security
>> constraint element in my web.xml file.
>> It appears however that the web.xml filtering and checking if the current
>> role is allowed happens before my filter is processed and the appropriate
>> principal is registered.
>> Omitting the auth-constraint leads to proper processing of the filter, but
>> disables the security annotations.
>>
>> Is there a way to use the security annotations with a filter in tomcat? Or
>> do I have to check for the appropriate role at the beginning of each web
>> method?
>>
>> Thanks,
>> Luke
>>
>
>
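
An added example of the custom-filter route mentioned in the reply above (not code from the thread or from the Jersey project): a Jersey 1.x ContainerRequestFilter that installs a SecurityContext, so that @RolesAllowed is enforced by RolesAllowedResourceFilterFactory inside Jersey instead of by a web.xml auth-constraint that runs before the filter. The class name TokenAuthFilter, the X-Auth-Token header and the in-memory token and role maps are assumptions made for illustration.

```java
import com.sun.jersey.spi.container.ContainerRequest;
import com.sun.jersey.spi.container.ContainerRequestFilter;
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;

// Register both as init-params of the Jersey servlet in web.xml:
//   com.sun.jersey.spi.container.ContainerRequestFilters = TokenAuthFilter (hypothetical class)
//   com.sun.jersey.spi.container.ResourceFilters =
//       com.sun.jersey.api.container.filter.RolesAllowedResourceFilterFactory
public class TokenAuthFilter implements ContainerRequestFilter {
    // Constructed sample data standing in for the application's own token and role store.
    private static final Map<String, String> USER_BY_TOKEN = new HashMap<String, String>();
    private static final Map<String, Set<String>> ROLES_BY_USER = new HashMap<String, Set<String>>();
    static {
        USER_BY_TOKEN.put("sample-token-0001", "alice");
        ROLES_BY_USER.put("alice", new HashSet<String>(Arrays.asList("admin", "user")));
    }

    public ContainerRequest filter(final ContainerRequest request) {
        String token = request.getHeaderValue("X-Auth-Token"); // hypothetical header name
        final String user = (token == null) ? null : USER_BY_TOKEN.get(token);
        if (user == null) {
            // Fail closed: a missing or unknown token never reaches a resource method.
            throw new WebApplicationException(Response.Status.UNAUTHORIZED);
        }
        Set<String> known = ROLES_BY_USER.get(user);
        final Set<String> roles = (known != null) ? known : Collections.<String>emptySet();
        // The roles-allowed resource filter consults this context for each @RolesAllowed check.
        request.setSecurityContext(new SecurityContext() {
            public Principal getUserPrincipal() {
                return new Principal() { public String getName() { return user; } };
            }
            public boolean isUserInRole(String role) { return roles.contains(role); }
            public boolean isSecure() { return request.isSecure(); }
            public String getAuthenticationScheme() { return "X-Auth-Token"; }
        });
        return request;
    }
}
```

Because this filter rejects every request without a valid token, resources meant to be public need a different policy, such as leaving the default SecurityContext in place and letting the @RolesAllowed check deny access on protected methods.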