users@jersey.java.net

[Jersey] looking for helping hand on securing service

From: Django <django013_at_soft.schwarzrot-design.de>
Date: Thu, 7 Aug 2014 10:45:03 +0200

Hello,

just as a proof of concept I coded a little server from scratch doing HTTP digest
authentication. That sample works fine, i.e. Firefox pops up a dialog to enter
credentials and the server verifies/accepts the authentication ...

Now I want to add the same behaviour to my Jersey services, which use the
embedded Grizzly server (so I don't want servlet-like configuration):

I tagged the resource class with @PermitAll.
The resource uses subpaths and I tagged different methods with different roles.

I implemented a ContainerRequestFilter, which I registered with the ResourceConfig.
Additionally I registered a RolesAllowedDynamicFeature ...

Maybe I misunderstood the manual or missed something; the behaviour of the
service is not as expected. Not at all.

Untagged resource methods or those tagged with @PermitAll trigger the
ContainerRequestFilter, which results in a 401 response (but with the wrong
Authenticate header). As the ContainerRequestFilter just vomits an exception,
I don't know where to change the code to get the headers right ...
The resource methods tagged with @RolesAllowed don't trigger the
ContainerRequestFilter; they just respond with 403.

What am I missing?

I'd like to use HTTP digest authentication using request interceptors like
ContainerRequestFilter. I did not find any sample using digest authentication
without servlet configuration.
I found a sample related to Jersey called atompub-contacts-server, but that
sample uses basic authentication and Jersey 1.0.2, which has a slightly
different API (and uses internal classes :( ).


Any hint is appreciated.

br Django
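An added example, not part of the post above and not Jersey project code: a Jersey 2 ContainerRequestFilter for HTTP Digest authentication (RFC 2617, qop="auth") on an embedded server with no servlet configuration. It shows the two points the post circles around: the filter builds the 401 itself with ContainerRequestContext.abortWith(), so the WWW-Authenticate challenge is under its own control rather than whatever an exception mapper produces, and it is annotated @Priority(Priorities.AUTHENTICATION) (1000) so it runs before the @RolesAllowed filter that RolesAllowedDynamicFeature registers at Priorities.AUTHORIZATION (2000); a filter with no @Priority defaults to Priorities.USER (5000) and is therefore never reached on a @RolesAllowed method that already produced a 403. On success it installs a SecurityContext, which is what the roles filter consults. The realm, the user store, the role mapping and the package name in the ResourceConfig are assumptions made for this example.

```java
// Added example (not the poster's code, not Jersey project code). Assumptions:
// realm "jersey-demo", an in-memory user/role table, resources in com.example.resources.
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;
import org.glassfish.jersey.server.ResourceConfig;
import org.glassfish.jersey.server.filter.RolesAllowedDynamicFeature;

@Provider
@Priority(Priorities.AUTHENTICATION) // 1000: must run before RolesAllowedDynamicFeature's filter (2000)
public class DigestAuthFilter implements ContainerRequestFilter {
    private static final String REALM = "jersey-demo"; // assumption
    // directive=value or directive="quoted value"
    private static final Pattern DIRECTIVE = Pattern.compile("(\\w+)=(?:\"([^\"]*)\"|([^,\\s]*))");
    private static final SecureRandom RNG = new SecureRandom();
    // Constructed sample users: name -> {password, role}. A real store would keep HA1, not passwords.
    private static final Map<String, String[]> USERS = new HashMap<>();
    static {
        USERS.put("alice", new String[] {"secret", "admin"});
        USERS.put("bob", new String[] {"hunter2", "user"});
    }

    @Override
    public void filter(ContainerRequestContext ctx) {
        String auth = ctx.getHeaderString(HttpHeaders.AUTHORIZATION);
        if (auth == null || !auth.regionMatches(true, 0, "Digest ", 0, 7)) {
            ctx.abortWith(challenge()); return; // no credentials: send the Digest challenge
        }
        Map<String, String> p = parse(auth.substring(7));
        final String user = p.get("username");
        String[] acct = user == null ? null : USERS.get(user);
        // The "uri" directive is client-supplied; bind it to the request actually received.
        URI req = ctx.getUriInfo().getRequestUri();
        String target = req.getRawPath() + (req.getRawQuery() == null ? "" : "?" + req.getRawQuery());
        if (acct == null || !REALM.equals(p.get("realm")) || !"auth".equals(p.get("qop"))
                || !target.equals(p.get("uri")) || p.get("nonce") == null
                || p.get("nc") == null || p.get("cnonce") == null || p.get("response") == null) {
            ctx.abortWith(challenge()); return;
        }
        // RFC 2617: HA1 = MD5(user:realm:pass), HA2 = MD5(method:uri),
        // response = MD5(HA1:nonce:nc:cnonce:qop:HA2)
        String ha1 = md5(user + ":" + REALM + ":" + acct[0]);
        String ha2 = md5(ctx.getMethod() + ":" + p.get("uri"));
        String expected = md5(ha1 + ":" + p.get("nonce") + ":" + p.get("nc") + ":"
                + p.get("cnonce") + ":auth:" + ha2);
        // Constant-time comparison of the hex digests. Nonce freshness and nc replay
        // tracking are omitted here; a production filter must keep issued nonces and reject reuse.
        if (!MessageDigest.isEqual(expected.getBytes(StandardCharsets.US_ASCII),
                p.get("response").toLowerCase().getBytes(StandardCharsets.US_ASCII))) {
            ctx.abortWith(challenge()); return;
        }
        final String role = acct[1];
        final boolean secure = ctx.getSecurityContext().isSecure();
        ctx.setSecurityContext(new SecurityContext() { // consulted by the @RolesAllowed filter
            public Principal getUserPrincipal() {
                return new Principal() { public String getName() { return user; } };
            }
            public boolean isUserInRole(String r) { return role.equals(r); }
            public boolean isSecure() { return secure; }
            public String getAuthenticationScheme() { return SecurityContext.DIGEST_AUTH; }
        });
    }

    private static Response challenge() {
        byte[] nonce = new byte[16];
        RNG.nextBytes(nonce);
        String hdr = "Digest realm=\"" + REALM + "\", qop=\"auth\", nonce=\"" + hex(nonce) + "\"";
        return Response.status(Response.Status.UNAUTHORIZED)
                .header(HttpHeaders.WWW_AUTHENTICATE, hdr).build();
    }

    private static Map<String, String> parse(String s) {
        Map<String, String> m = new HashMap<>();
        Matcher mt = DIRECTIVE.matcher(s);
        while (mt.find()) m.put(mt.group(1), mt.group(2) != null ? mt.group(2) : mt.group(3));
        return m;
    }

    private static String md5(String s) {
        try {
            return hex(MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.UTF_8)));
        } catch (java.security.NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }

    private static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder(b.length * 2);
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    // Registration for the embedded (Grizzly) server: no web.xml involved.
    public static ResourceConfig config() {
        return new ResourceConfig()
                .packages("com.example.resources") // assumption
                .register(DigestAuthFilter.class)
                .register(RolesAllowedDynamicFeature.class);
    }
}
```

Pass config() to GrizzlyHttpServerFactory.createHttpServer(URI, ResourceConfig) as usual. With this ordering the filter sees every request, including @PermitAll and untagged methods, which is what makes the 401 challenge appear consistently; if a resource is meant to be reachable anonymously, the filter would have to let requests without an Authorization header through and leave the default SecurityContext in place, so that only the @RolesAllowed filter rejects them. Note that MD5-based Digest over plain HTTP still exposes the exchange to offline guessing of weak passwords, so TLS remains necessary.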