dev@jsr311.java.net

SecurityContext.ensureSecure() ?

From: Stephan Koops <Stephan.Koops_at_web.de>
Date: Tue, 08 Apr 2008 13:00:27 +0200

Hi,

to avoid code like the following

@GET
public Object getSecureData(@Context SecurityContext securityContext,
                            @Context UriInfo uriInfo) {
    if (!securityContext.isSecure()) {
        // redirect the client to the same resource over https
        ResponseBuilder rb = Response.status(Status.MOVED_PERMANENTLY);
        rb.entity("You must use a secure connection");
        rb.location(uriInfo.getRequestUriBuilder().scheme("https").build());
        throw new WebApplicationException(rb.build());
    }
    // deliver secure data
}

what about a method SecurityContext.ensureSecure() that throws a
WebApplication with a redirect to https, if the call was insecure?
This will result in better readable code. Another possibility is to use
an annotation for this. But this is only useful if we also define the
use of @RolesAllowed.

@GET
public Object getSecureData(@Context SecurityContext securityContext,
                            @Context UriInfo uriInfo) {
    securityContext.ensureSecure();
    // deliver secure data
}

The runtime environment must know at set-up time what the base URI for
the corresponding http requests is. If no secure base URI was given, or
https is otherwise not supported, this method could e.g. reject the
request with status 500 and log a message.
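The proposed behaviour, written out as an added example that is not part of the original message and not part of the JAX-RS API: since SecurityContext has no ensureSecure() method, the helper class SecureConnection (an assumed name) implements it as a static method. It takes the secure base URI configured at set-up time, redirects insecure requests to the same path and query under that base URI with a 301, and rejects the request with a 500 and a log entry when no secure base URI was configured. The resource class SecretResource is likewise an assumption, shown only to illustrate the call.

```java
import java.net.URI;
import java.util.logging.Logger;

import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.Response.Status;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.core.UriBuilder;
import javax.ws.rs.core.UriInfo;

/**
 * Added example: implements the behaviour proposed for SecurityContext.ensureSecure()
 * as a static helper, because the JAX-RS API has no such method.
 * The class name and method names are assumptions.
 */
public final class SecureConnection {

    private static final Logger LOG = Logger.getLogger(SecureConnection.class.getName());

    /** The https base URI of this application, set at start-up; null if https is not supported. */
    private static volatile URI secureBaseUri;

    private SecureConnection() {
    }

    /** Called once at set-up time by whoever knows the deployment, e.g. the application class. */
    public static void setSecureBaseUri(URI baseUri) {
        secureBaseUri = baseUri;
    }

    /**
     * Returns normally if the request arrived over a secure channel. Otherwise throws a
     * WebApplicationException carrying a 301 redirect to the same resource under the secure
     * base URI, or a 500 (plus a log entry) if no secure base URI is configured.
     */
    public static void ensureSecure(SecurityContext securityContext, UriInfo uriInfo) {
        if (securityContext.isSecure()) {
            return;
        }
        URI target = secureLocation(uriInfo);
        if (target == null) {
            LOG.severe("Insecure request to " + uriInfo.getRequestUri()
                    + " but no secure base URI is configured; rejecting with 500.");
            throw new WebApplicationException(Response.status(Status.INTERNAL_SERVER_ERROR)
                    .entity("This resource requires a secure connection, but none is available.")
                    .build());
        }
        throw new WebApplicationException(Response.status(Status.MOVED_PERMANENTLY)
                .location(target)
                .entity("You must use a secure connection: " + target)
                .build());
    }

    /**
     * Maps the current request onto the configured secure base URI, keeping the
     * application-relative path and the query string. Returns null if no secure base is set.
     */
    static URI secureLocation(UriInfo uriInfo) {
        URI base = secureBaseUri;
        if (base == null) {
            return null;
        }
        // getPath(false) is the still-encoded path relative to the application base URI;
        // UriBuilder preserves existing percent-encoding instead of encoding it twice
        UriBuilder builder = UriBuilder.fromUri(base).path(uriInfo.getPath(false));
        String query = uriInfo.getRequestUri().getRawQuery();
        if (query != null) {
            builder.replaceQuery(query);
        }
        return builder.build();
    }
}

/** Assumed resource showing the call; the resource method itself stays one line. */
@Path("secret")
class SecretResource {

    @GET
    public String getSecureData(@Context SecurityContext securityContext,
                                @Context UriInfo uriInfo) {
        SecureConnection.ensureSecure(securityContext, uriInfo);
        return "secure data";
    }
}
```

The secure base URI should be set once during deployment, for example `SecureConnection.setSecureBaseUri(URI.create("https://example.org/app"))` from the application's start-up code (a constructed value). Note that isSecure() reports what the servlet container sees: behind a proxy that terminates TLS it returns false unless the container is configured to trust the proxy's forwarded-scheme header, which would turn every request into a redirect loop.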

best regards
   Stephan