users@jersey.java.net

[Jersey] Re: looking for helping hand on securing service

From: Libor Kramolis <libor.kramolis_at_oracle.com>
Date: Thu, 7 Aug 2014 23:04:55 +0200

Hi Django.

I’m involving the Grizzly user group because I’m convinced it is necessary to set up digest authentication using the Grizzly API.

-libor


On 07 Aug 2014, at 15:58, Django <django013_at_soft.schwarzrot-design.de> wrote:

> Hi Libor,
>
> thank you for your attention.
>
> On Thursday 07 August 2014 - 14:23:29, Libor Kramolis wrote:
>> The functionality depends on the container. The Jersey servlet/application must be
>> secured by the container, e.g. security-constraint and login-config in web.xml
>
> Well, I don't want to do configuration by XML coding.
>
>> ... Jersey then delegates security checks to the appropriate container. Try to
>> find out how to secure a Grizzly server in a similar way to a servlet.
>
> Referring to the Jersey sample "https-clientserver-grizzly" - that's the way
> I'd like to set up my service.
>
> I did not find a working sample using digest authentication. Maybe I got
> things wrong. The Jersey user guide states (5.9.1): Jersey supports Basic and
> Digest Http authentication.
>
> I wonder what that support looks like?
>
> When I look at AuthenticationExceptionMapper, it looks like I have to code the
> Authentication header myself. That's no problem, but if there's any support
> for authentication in Jersey, I would like to use it.
>
> The @RolesAllowed annotation looks like resource filtering to me, but not like
> authorization support. So what's the right way to get into play when such a
> resource is requested without an authentication header?
>
> Is it possible to mix @RolesAllowed with ContainerRequestFilter?
>
> The other way would be to extend each resource method with @Context HttpHeaders
> and do all restrictions myself? Does that mean I may not use @RolesAllowed
> annotations?
>
>
> br Django
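
One way to combine a ContainerRequestFilter with @RolesAllowed, the question raised in the message above, shown as an added example that is not part of the thread or of Jersey's samples. It assumes Jersey 2.x with `RolesAllowedDynamicFeature` registered next to the filter; the class name, user table and realm are hypothetical, and Basic credentials (which need TLS) stand in for digest verification to keep the wiring visible.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Base64;
import java.util.Map;
import java.util.Set;
import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;

// Hypothetical filter; register it together with RolesAllowedDynamicFeature.
@Priority(Priorities.AUTHENTICATION) // runs before the @RolesAllowed check
public class DemoAuthFilter implements ContainerRequestFilter {
    // Constructed sample data; a real service would query a credential store.
    private static final Map<String, String> PASSWORDS = Map.of("alice", "s3cret");
    private static final Map<String, Set<String>> ROLES = Map.of("alice", Set.of("admin"));

    @Override
    public void filter(ContainerRequestContext ctx) {
        String user = authenticate(ctx.getHeaderString(HttpHeaders.AUTHORIZATION));
        if (user == null) { // missing or invalid credentials: challenge the client
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                    .header(HttpHeaders.WWW_AUTHENTICATE, "Basic realm=\"demo\"").build());
            return;
        }
        boolean secure = ctx.getSecurityContext().isSecure();
        // @RolesAllowed is evaluated against this context via isUserInRole().
        ctx.setSecurityContext(new SecurityContext() {
            public Principal getUserPrincipal() { return () -> user; }
            public boolean isUserInRole(String r) { return ROLES.getOrDefault(user, Set.of()).contains(r); }
            public boolean isSecure() { return secure; }
            public String getAuthenticationScheme() { return SecurityContext.BASIC_AUTH; }
        });
    }
    // Returns the user name when the header carries valid credentials, else null.
    static String authenticate(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        try {
            String[] p = new String(Base64.getDecoder().decode(header.substring(6).trim()),
                    StandardCharsets.UTF_8).split(":", 2);
            String expected = p.length == 2 ? PASSWORDS.get(p[0]) : null;
            if (expected == null) return null;
            return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                    p[1].getBytes(StandardCharsets.UTF_8)) ? p[0] : null; // constant-time compare
        } catch (IllegalArgumentException e) { return null; } // malformed Base64
    }
}
```

With both classes registered, a request without valid credentials receives 401 and the challenge from this filter, while an authenticated user lacking the required role is rejected with 403 by the @RolesAllowed check.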