users@jersey.java.net

[Jersey] Re: looking for helping hand on securing service

From: Libor Kramolis <libor.kramolis_at_oracle.com>
Date: Thu, 7 Aug 2014 14:23:29 +0200

Hi Django.

The functionality depends on container. Jersey servlet/application must be secured by container, e.g. security-constraint and login-config web.xml elements in case of servlet container. Jersey then delegates security checks to appropriate container. Try to find out how to secure grizzly server similar way as servlet.

-libor


On 07 Aug 2014, at 10:45, Django <django013_at_soft.schwarzrot-design.de> wrote:
> Hello,
>
> just as proof of concept i coded a little server from scratch, doing http-
> digest authentication. That sample works fine - i.e. firefox pops up a dialog,
> to enter credentials and server verifies/accepts authentication ...
>
> Now I want to add the same behaviour to my jersey-services which use the
> embedded grizzly server (so I don't want servlet like configurations):
>
> I tagged the resource-class with @PermitAll
> The resource uses subpaths and i tagged different methods with different roles.
>
> I implemented a ContainerRequestFilter, which i registered to ResourceConfig.
> Additionally I registered a RolesAllowedDynmaicFeature ...
>
> May be I misunderstood the manual or missed something - behaviour of the
> service is not as expected. Not at all.
>
> Untagged resource methods or those tagged with @PermitAll trigger the
> ContainerRequestFilter, which results in a 401 response (but wrong
> Authenticate header). As the ContainerRequestFilter just vomits an exception,
> I don't know, where to change code to get the headers right ...
> The resource methods tagged with @RolesAllowed don't trigger the
> ContainerRequestFilter, just respond with 403
>
> What am I missing?
>
> I'd like to use http digest authentication using request interceptors like
> ContainerRequestFilter. I did not find any sample using digest authentication
> without servlet configuration.
> I found a sample related to jersey called atompub-contacts-server, but that
> sample uses basic authentication and uses jersey 1.0.2 - which has slightly
> different api (and uses internal classes :( ).
>
>
> Any hint is appreciated.
>
> br Django
© Oracle | By contributing to this project, you are agreeing to the terms of use described here.