Hi Dies,
My logic is simple:
if (dataAvailability.compareTo("public") != 0 &&
    httpServletRequest.getUserPrincipal() == null) {
    throw new WebApplicationException(Response.Status.FORBIDDEN);
}
the problem is that I have authorization information only when
security-constraint is present in web.xml, but in that case unauthorized
accesses are not permitted (I need it because some data are "public").
Just a summary:
a) "<security-constraint>" in web.xml:
- client connects without authentication information (username and
password) and Tomcat gives error 401
- client connects with authentication information (username and password)
and I can access the private resource
b) NO "<security-constraint>" in web.xml:
No authentication information from httpServletRequest.getUserPrincipal(),
so it makes no difference whether the client sends authentication information.
In both cases the client can access "public" data and obtains 403 for
"private" data.
Should be:

               Public   Private
Unauthorized   200      403
Authorized     200      200

(Unauthorized means that the client does not send authentication information)
Regards
Alberto
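One way to get the matrix above with Jersey 2.x is to leave the
<security-constraint> out of web.xml (so Tomcat never issues the 401) and
let a pre-matching Jersey filter parse a Basic Authorization header only when
the client sends one; the resource then checks an injected
@Context SecurityContext instead of httpServletRequest.getUserPrincipal(),
which Tomcat leaves null without a constraint. This is an added example, not
code from the thread: it assumes Java 8, that the filter is registered with
the application's ResourceConfig, and that authenticate() is a hypothetical
hook backed by your own user store.

```java
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import java.util.Base64;
import javax.ws.rs.container.*;
import javax.ws.rs.core.*;

// Assumes NO <security-constraint> in web.xml, so Tomcat neither challenges nor
// blocks; credentials are checked here only when the client chose to send them.
@PreMatching
public abstract class OptionalBasicAuthFilter implements ContainerRequestFilter {
    /** Hypothetical hook: a subclass validates against its own user store. */
    protected abstract boolean authenticate(String user, String password);

    @Override
    public void filter(ContainerRequestContext ctx) {
        String header = ctx.getHeaderString(HttpHeaders.AUTHORIZATION);
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            return; // nothing offered: continue as anonymous, principal stays null
        }
        String userPass;
        try {
            byte[] raw = Base64.getDecoder().decode(header.substring(6).trim());
            userPass = new String(raw, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException badBase64) {
            ctx.abortWith(challenge());
            return;
        }
        int colon = userPass.indexOf(':');
        final String user = colon < 0 ? null : userPass.substring(0, colon);
        // Credentials were offered but are malformed or wrong: reject outright
        // rather than silently downgrading the caller to anonymous.
        if (user == null || !authenticate(user, userPass.substring(colon + 1))) {
            ctx.abortWith(challenge());
            return;
        }
        final boolean secure = ctx.getSecurityContext().isSecure();
        ctx.setSecurityContext(new SecurityContext() {
            public Principal getUserPrincipal() { return () -> user; }
            public boolean isUserInRole(String role) { return false; }
            public boolean isSecure() { return secure; }
            public String getAuthenticationScheme() { return SecurityContext.BASIC_AUTH; }
        });
    }

    private static Response challenge() {
        return Response.status(Response.Status.UNAUTHORIZED)
                .header(HttpHeaders.WWW_AUTHENTICATE, "Basic realm=\"ws\"").build();
    }
}
```

In the resource, `securityContext.getUserPrincipal() == null` then means "no credentials were sent", so the existing public/private check can return 403 for private data to anonymous callers and 200 to authenticated ones.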
On Thu, 2014-05-08 at 22:57 +0000, Koper, Dies wrote:
> Hi Alberto,
>
> >- if I have a "security-constraint" section in web.xml protecting that
> >resource, unauthorized accesses are not permitted.
>
> In which case Tomcat returns a 403, which is what you said you wanted?
>
> Regards,
> Dies Koper
>
>
> -----Original Message-----
> From: Alberto Brosich [mailto:abrosich_at_ogs.trieste.it]
> Sent: Friday, May 09, 2014 1:08 AM
> To: users_at_jersey.java.net
> Subject: [Jersey] Permit both authorized and unauthorized access
>
>
> Hi,
>
> I'm new to this list.
> I have a simple problem but I cannot find a simple solution.
>
> I have a web service written using Jersey 2.8 and deployed on Tomcat 7.
>
> A resource of that ws has to be accessed by all users (authorized or
> not). In case of unauthorized access (no given username and password)
> some resources may not be accessible and the ws should return a 403 error.
>
> The problem is that:
> - if I have a "security-constraint" section in web.xml protecting that
> resource, unauthorized accesses are not permitted.
> - If I remove "security-constraint" and the client sends authentication
> information (BASIC), the servlet request does not contain any
> authentication data (httpServletRequest.getUserPrincipal() is null).
>
> I know this is not strictly a Jersey matter but some of you could have
> already solved this problem.
>
> Regards
>
> Alberto