[Jersey] Re: looking for helping hand on securing service

From: Libor Kramolis <>
Date: Thu, 7 Aug 2014 14:23:29 +0200

Hi Django.

The functionality depends on the container. The Jersey servlet/application must be secured by the container, e.g. by the security-constraint and login-config web.xml elements in the case of a servlet container. Jersey then delegates security checks to the appropriate container. Try to find out how to secure the Grizzly server in a similar way to a servlet.


On 07 Aug 2014, at 10:45, Django <> wrote:
> Hello,
> just as a proof of concept I coded a little server from scratch, doing HTTP
> digest authentication. That sample works fine - i.e. Firefox pops up a dialog
> to enter credentials and the server verifies/accepts authentication ...
> Now I want to add the same behaviour to my Jersey services, which use the
> embedded Grizzly server (so I don't want servlet-like configurations):
> I tagged the resource class with @PermitAll
> The resource uses subpaths and I tagged different methods with different roles.
> I implemented a ContainerRequestFilter, which I registered to ResourceConfig.
> Additionally I registered a RolesAllowedDynamicFeature ...
> Maybe I misunderstood the manual or missed something - behaviour of the
> service is not as expected. Not at all.
> Untagged resource methods or those tagged with @PermitAll trigger the
> ContainerRequestFilter, which results in a 401 response (but wrong
> Authenticate header). As the ContainerRequestFilter just vomits an exception,
> I don't know where to change code to get the headers right ...
> The resource methods tagged with @RolesAllowed don't trigger the
> ContainerRequestFilter, just respond with 403
> What am I missing?
> I'd like to use HTTP digest authentication using request interceptors like
> ContainerRequestFilter. I did not find any sample using digest authentication
> without servlet configuration.
> I found a sample related to Jersey called atompub-contacts-server, but that
> sample uses basic authentication and uses Jersey 1.0.2 - which has a slightly
> different API (and uses internal classes :( ).
> Any hint is appreciated.
> br Django
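
The setup discussed in this thread, sketched as an added example (not code from either poster or from the Jersey project): a ContainerRequestFilter that answers with a proper Digest challenge and installs a SecurityContext for @RolesAllowed to check. It is given Priorities.AUTHENTICATION so that it runs before the role check that RolesAllowedDynamicFeature registers at Priorities.AUTHORIZATION. The class name, REALM and the two in-memory user maps are assumptions, and the request target is assumed to reach the server unmodified by any proxy.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import java.util.regex.*;
import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.*;
import javax.ws.rs.core.*;
// Added example. REALM and both user maps are hypothetical; nonce expiry and nc replay tracking are omitted.
@Priority(Priorities.AUTHENTICATION) // run before the @RolesAllowed check (Priorities.AUTHORIZATION)
public class DigestAuthFilter implements ContainerRequestFilter {
    private static final String REALM = "example";
    private static final Pattern PARAM = Pattern.compile("(\\w+)=(?:\"([^\"]*)\"|([^\\s,]+))");
    private final Map<String, String> ha1ByUser;        // user -> MD5(user:realm:password)
    private final Map<String, Set<String>> rolesByUser; // user -> role names
    private final Set<String> nonces = Collections.synchronizedSet(new HashSet<>());
    public DigestAuthFilter(Map<String, String> ha1, Map<String, Set<String>> roles) { ha1ByUser = ha1; rolesByUser = roles; }
    @Override public void filter(ContainerRequestContext ctx) {
        String h = ctx.getHeaderString(HttpHeaders.AUTHORIZATION);
        Map<String, String> p = new HashMap<>();
        Matcher m = PARAM.matcher(h != null && h.startsWith("Digest ") ? h.substring(7) : "");
        while (m.find()) p.put(m.group(1), m.group(2) != null ? m.group(2) : m.group(3));
        java.net.URI u = ctx.getUriInfo().getRequestUri();
        String target = u.getRawPath() + (u.getRawQuery() != null ? "?" + u.getRawQuery() : "");
        String user = p.get("username"), ha1 = user == null ? null : ha1ByUser.get(user);
        String expected = md5(ha1 + ":" + p.get("nonce") + ":" + p.get("nc") + ":" + p.get("cnonce")
                + ":auth:" + md5(ctx.getMethod() + ":" + target)); // RFC 2617 response for qop=auth
        // Challenge on unknown user, a nonce we never issued, a digest made for another URI, or a wrong response.
        if (ha1 == null || !nonces.contains(p.get("nonce")) || !target.equals(p.get("uri")) || !MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.US_ASCII), String.valueOf(p.get("response")).getBytes(StandardCharsets.US_ASCII))) { challenge(ctx); return; }
        boolean secure = ctx.getSecurityContext().isSecure();
        ctx.setSecurityContext(new SecurityContext() {   // what @RolesAllowed is evaluated against
            public Principal getUserPrincipal() { return () -> user; }
            public boolean isUserInRole(String r) { return rolesByUser.getOrDefault(user, Collections.emptySet()).contains(r); }
            public boolean isSecure() { return secure; }
            public String getAuthenticationScheme() { return DIGEST_AUTH; }
        });
    }
    private void challenge(ContainerRequestContext ctx) { // 401 carrying a Digest challenge with a fresh nonce
        String nonce = UUID.randomUUID().toString();
        nonces.add(nonce);
        ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).header(HttpHeaders.WWW_AUTHENTICATE,
                "Digest realm=\"" + REALM + "\", qop=\"auth\", nonce=\"" + nonce + "\"").build());
    }
    private static String md5(String s) {
        try { return String.format("%032x", new BigInteger(1, MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.ISO_8859_1)))); }
        catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }
}
```

Register an instance on the ResourceConfig together with RolesAllowedDynamicFeature. Digest over plain HTTP still exposes the request and response bodies, so serve it over TLS where possible.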