users@jersey.java.net

[Jersey] Re: Permit both authorized and unauthorized access

From: Koper, Dies <diesk_at_fast.au.fujitsu.com>
Date: Fri, 9 May 2014 10:47:45 +0000

Hi Alberto,

The problem is in the following:

>b) NO "<security-constraint>" in web xml:
>No authentication information from httpServletRequest.getUserPrincipal()
>so make no difference if client sends authentication information.

The client may not send authentication information unless the server asks for it (at least that's the case for web browsers).
And Tomcat doesn't populate the principal attribute of HttpServletRequest unless a "<security-constraint>" is set in web.xml.

If your client is coded to send its credentials using the Authorization HTTP header even if not prompted for it by the server, you may be able to check this HTTP request header "Authorization" and base64 decode the value after "Basic ", pass the username and password to HttpServletRequest#login to check the credentials are valid, after which getUserPrincipal should work.

Otherwise, I think there is no solution other than splitting up your API (the resource) into one for public and one for authenticated access, i.e. two different URIs.

Regards,
Dies Koper
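A servlet filter along the lines Dies describes, as an added example that is not code from the thread: it assumes Tomcat 7's Servlet 3.0 API (HttpServletRequest#login), a realm configured in the container, and Java 8 for java.util.Base64; the class and realm name are hypothetical.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Added example: log in a client that volunteers Basic credentials without a 401 challenge. */
public class OptionalBasicAuthFilter implements Filter {
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String header = request.getHeader("Authorization");
        if (request.getUserPrincipal() == null && header != null
                && header.regionMatches(true, 0, "Basic ", 0, 6)) {
            String[] creds = decodeBasic(header.substring(6));
            if (creds == null) {
                response.sendError(HttpServletResponse.SC_BAD_REQUEST);
                return;
            }
            try {
                // Servlet 3.0 (Tomcat 7): checks the realm and populates getUserPrincipal().
                request.login(creds[0], creds[1]);
            } catch (ServletException e) {
                // Credentials were offered but rejected: do not fall through as anonymous.
                response.setHeader("WWW-Authenticate", "Basic realm=\"api\"");
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
        }
        chain.doFilter(request, response);  // anonymous, or now authenticated
    }

    /** Returns {user, password}, or null if the token is not well-formed Basic material. */
    static String[] decodeBasic(String token) {
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(token.trim());
        } catch (IllegalArgumentException e) {
            return null;
        }
        String pair = new String(raw, StandardCharsets.UTF_8);
        int colon = pair.indexOf(':');
        if (colon < 0) return null;
        return new String[] { pair.substring(0, colon), pair.substring(colon + 1) };
    }
    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
}
```

With no "<security-constraint>" in web.xml, requests without an Authorization header pass through anonymously, so the resource's own getUserPrincipal() check decides between 200 and 403.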


-----Original Message-----
From: Alberto Brosich [mailto:abrosich_at_ogs.trieste.it]
Sent: Friday, May 09, 2014 6:51 PM
To: users_at_jersey.java.net
Subject: [Jersey] Re: Permit both authorized and unauthorized access


Hi Dies,

my logic is simple:

if (dataAvailability.compareTo("public") != 0 &&
        httpServletRequest.getUserPrincipal() == null) {
    throw new WebApplicationException(Response.Status.FORBIDDEN);
}

the problem is that I have authorization information only when
security-constraint is present in web.xml, but in that case unauthorized
accesses are not permitted (I need it because some data are "public").

Just a summary:

a) "<security-constraint>" in web xml:
- client connects without authentication information (username and
password) and Tomcat gives error 401
- client connects with authentication information (username and password)
and I can access the private resource

b) NO "<security-constraint>" in web xml:
No authentication information from httpServletRequest.getUserPrincipal(),
so it makes no difference if the client sends authentication information.
In both cases the client can access "public" data and obtains 403 for
"private" data.

Should be:

               Public   Private
Unauthorized   200      403
Authorized     200      200


(Unauthorized means that the client does not send authentication information)

Regards

Alberto


On Thu, 2014-05-08 at 22:57 +0000, Koper, Dies wrote:
> Hi Alberto,
>
> >- if I have a "security-constraint" section in web.xml protecting that
> >resource, unauthorized accesses are not permitted.
>
> In which case Tomcat returns a 403, which is what you said you wanted?
>
> Regards,
> Dies Koper
>
>
> -----Original Message-----
> From: Alberto Brosich [mailto:abrosich_at_ogs.trieste.it]
> Sent: Friday, May 09, 2014 1:08 AM
> To: users_at_jersey.java.net
> Subject: [Jersey] Permit both authorized and unauthorized access
>
>
> Hi,
>
> I'm new to this list.
> I have a simple problem but I cannot find a simple solution.
>
> I have a web service written using Jersey 2.8 and deployed on tomcat 7.
>
> A resource of that ws has to be accessed by all users (authorized or
> not). In case of unauthorized access (no given username and password)
> some resources could not be accessible and the ws should return a 403 error.
>
> The problem is that:
> - if I have a "security-constraint" section in web.xml protecting that
> resource, unauthorized accesses are not permitted.
> - If I remove "security-constraint" and the client sends authentication
> information (BASIC), the servlet request does not contain any
> authentication data (httpServletRequest.getUserPrincipal() is null).
>
> I know that is not strictly a Jersey matter but some of you could have
> already solved this problem.
>
> Regards
>
> Alberto