Interesting, thanks.
I'm also starting to play with Spring Security and Apache Shiro.
I like to avoid custom code, if possible. :)
Regards
Alberto
On Fri, 2014-05-09 at 13:36 +0200, Martynas Jusevičius wrote:
> Alberto,
>
> you could drop <security-constraint> and write your own
> ContainerRequestFilter for authentication. Here's an example:
> https://github.com/jersey/jersey/blob/master/examples/https-clientserver-grizzly/src/main/java/org/glassfish/jersey/examples/httpsclientservergrizzly/SecurityFilter.java
>
>
> Martynas
> graphityhq.com
>
> On Fri, May 9, 2014 at 10:51 AM, Alberto Brosich
> <abrosich_at_ogs.trieste.it> wrote:
> >
> > Hi Dies,
> >
> > my logic is simple:
> >
> > if (dataAvailability.compareTo("public") != 0 &&
> >         httpServletRequest.getUserPrincipal() == null) {
> >     throw new WebApplicationException(Response.Status.FORBIDDEN);
> > }
> >
> > the problem is that I have authorization information only when
> > security-constraint is present in web.xml, but in that case unauthorized
> > accesses are not permitted (I need it because some data are "public").
> >
> > Just a summary:
> >
> > a) "<security-constraint>" in web.xml:
> > - client connects without authentication information (username and
> > password) and Tomcat gives error 401
> > - client connects with authentication information (username and password)
> > and I can access the private resource
> >
> > b) NO "<security-constraint>" in web.xml:
> > No authentication information from httpServletRequest.getUserPrincipal(),
> > so it makes no difference whether the client sends authentication information.
> > In both cases the client can access "public" data and obtains 403 for
> > "private" data.
> >
> > It should be:
> >
> >                Public   Private
> > Unauthorized   200      403
> > Authorized     200      200
> >
> > (Unauthorized means that the client does not send authentication information)
> >
> > Regards
> >
> > Alberto
> >
> >
> > On Thu, 2014-05-08 at 22:57 +0000, Koper, Dies wrote:
> >> Hi Alberto,
> >>
> >> >- if I have a "security-constraint" section in web.xml protecting that
> >> >resource, unauthorized accesses are not permitted.
> >>
> >> In which case Tomcat returns a 403, which is what you said you wanted?
> >>
> >> Regards,
> >> Dies Koper
> >>
> >>
> >> -----Original Message-----
> >> From: Alberto Brosich [mailto:abrosich_at_ogs.trieste.it]
> >> Sent: Friday, May 09, 2014 1:08 AM
> >> To: users_at_jersey.java.net
> >> Subject: [Jersey] Permit both authorized and unauthorized access
> >>
> >>
> >> Hi,
> >>
> >> I'm new to this list.
> >> I have a simple problem but I cannot find a simple solution.
> >>
> >> I have a web service written using Jersey 2.8 and deployed on tomcat 7.
> >>
> >> A resource of that ws has to be accessible to all users (authorized or
> >> not). In case of unauthorized access (no username and password given)
> >> some resources might not be accessible and the ws should return a 403 error.
> >>
> >> The problem is that:
> >> - if I have a "security-constraint" section in web.xml protecting that
> >> resource, unauthorized accesses are not permitted.
> >> - If I remove "security-constraint" and the client sends authentication
> >> information (BASIC), the servlet request does not contain any
> >> authentication data (httpServletRequest.getUserPrincipal() is null).
> >>
> >> I know this is not strictly a Jersey matter, but some of you may have
> >> already solved this problem.
> >>
> >> Regards
> >>
> >> Alberto
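Along the lines of Martynas's suggestion, here is an added example (not code from this thread or from Jersey itself) of a ContainerRequestFilter that treats BASIC credentials as optional, so web.xml needs no <security-constraint>: a request without an Authorization header passes through anonymously, valid credentials populate the JAX-RS SecurityContext, and credentials that are present but wrong get 401 instead of being silently treated as anonymous. It assumes Jersey 2.x on Java 8 (for java.util.Base64); the class name, the realm string and the alice/s3cret credentials are constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Base64;
import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;

@Provider
@Priority(Priorities.AUTHENTICATION)
public class OptionalBasicAuthFilter implements ContainerRequestFilter {
    // Constructed credentials for this example only; a deployment would consult a realm or database.
    private static final String USER = "alice", PASSWORD = "s3cret";

    @Override
    public void filter(ContainerRequestContext ctx) {
        String header = ctx.getHeaderString(HttpHeaders.AUTHORIZATION);
        if (header == null) return; // anonymous: the resource serves "public" data and answers 403 for "private"
        final String user = authenticate(header);
        if (user == null) { // credentials were sent but are unusable: answer 401, never downgrade to anonymous
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                    .header(HttpHeaders.WWW_AUTHENTICATE, "Basic realm=\"ws\"").build());
            return;
        }
        final boolean secure = ctx.getSecurityContext() != null && ctx.getSecurityContext().isSecure();
        ctx.setSecurityContext(new SecurityContext() { // from here on getUserPrincipal() is non-null
            public Principal getUserPrincipal() { return new Principal() { public String getName() { return user; } }; }
            public boolean isUserInRole(String role) { return "user".equals(role); }
            public boolean isSecure() { return secure; }
            public String getAuthenticationScheme() { return SecurityContext.BASIC_AUTH; }
        });
    }
    // Returns the user name for a valid "Basic base64(user:password)" header, otherwise null.
    static String authenticate(String header) {
        if (!header.regionMatches(true, 0, "Basic ", 0, 6)) return null; // unsupported scheme
        String decoded;
        try { decoded = new String(Base64.getDecoder().decode(header.substring(6).trim()), StandardCharsets.UTF_8); }
        catch (IllegalArgumentException badBase64) { return null; } // malformed header counts as a failed login
        int colon = decoded.indexOf(':');
        if (colon < 0 || !USER.equals(decoded.substring(0, colon))) return null;
        boolean ok = MessageDigest.isEqual(PASSWORD.getBytes(StandardCharsets.UTF_8), // constant-time compare
                decoded.substring(colon + 1).getBytes(StandardCharsets.UTF_8));
        return ok ? USER : null;
    }
}
```

The resource should then read the principal from an injected `@Context SecurityContext` rather than from `httpServletRequest.getUserPrincipal()`, because the servlet principal is only populated by the container's own <security-constraint> login, which is exactly why it was null in case b) above.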