users@jersey.java.net

[Jersey] Re: looking for helping hand on securing service

From: Oleksiy Stashok <oleksiy.stashok_at_oracle.com>
Date: Thu, 07 Aug 2014 15:19:57 -0700

Hi,

in Grizzly there is no out-of-the-box support for digest authentication,
but it's possible for write it using Grizzly Filters API... still I'm
not sure how it supposed to work along with Jersey annotations (if it's
needed).

If you chose to implement this using Grizzly Filters - please let me
know, I'll try to provide you more information.

Thanks.

WBR,
Alexey.

On 07.08.14 14:04, Libor Kramolis wrote:
> Hi Django.
>
> Iím involving Grizzly user group because Iím convinced it is necessary to setup digest authentication using Grizzly API.
>
> -libor
>
>
> On 07 Aug 2014, at 15:58, Django <django013_at_soft.schwarzrot-design.de> wrote:
>
>> Hi Libor,
>>
>> thank you for your attention.
>>
>> On Thursday 07 August 2014 - 14:23:29, Libor Kramolis wrote:
>>> The functionality depends on container. Jersey servlet/application must be
>>> secured by container, e.g. security-constraint and login-config web.xml
>> well, I don't want to do configuration by xml-coding
>>
>>> ... Jersey then delegates security checks to appropriate container. Try to
>>> find out how to secure grizzly server similar way as servlet.
>> Referring to the jersey sample "https-clientserver-grizzly" - that's the way,
>> I'd like to setup my service.
>>
>> I did not find a working sample using digest authentication. May be I got
>> things wrong. Jersey userguide states (5.9.1): Jersey supports Basic and
>> Digest Http authentication.
>>
>> I wonder, how that support looks like?
>>
>> When I look at AuthenticationExceptionMapper it looks like I have to code the
>> Authentication header myself. That's no problem, but if there's any support
>> for authentication in jersey, I would like to use it.
>>
>> The @RolesAllowed annotation looks like resource filtering to me, but not as
>> authorization support. So what's the right way to get into play when such a
>> resource will be requested without authentication header?
>>
>> Is it possible to mix @RolesAllowed with ContainerRequestFilter?
>>
>> The other way would be, extend each resource method with @Context HttpHeaders
>> and do all restrictions myself? Does it mean, I may not use @RolesAllowed
>> annotations?
>>
>>
>> br Django