Tuesday, January 21, 2014



5 Securing RESTful Web Services

This chapter describes how to secure WebLogic Web services that conform to the Representational State Transfer (REST) architectural style using Java API for RESTful Web Services (JAX-RS).
This chapter includes the following sections:

About RESTful Web Service Security

You can secure your RESTful Web services using one of the following methods to support authentication, authorization, or encryption:

Securing RESTful Web Services Using web.xml

You secure RESTful Web services using the web.xml deployment descriptor as you would for other Java EE Web applications. For complete details, see "Developing Secure Web Applications" in Programming Security for Oracle WebLogic Server.
For example, to secure your RESTful Web service using basic authentication, perform the following steps:
  1. Define a  for each set of RESTful resources (URIs) that you plan to protect.
  2. Use the  element to define the type of authentication you want to use and the security realm to which the security constraints will be applied.
  3. Define one or more security roles using the  tag and map them to the security constraints defined in step 1. For more information, see "security-role" in Programming Security for Oracle WebLogic Server.
  4. To enable encryption, add the  element and set the  subelement to CONFIDENTIAL. For more information, see "user-data-constraint" in Programming Security for Oracle WebLogic Server.
For more details,
Example 5-1 Securing RESTful Web Services Using Basic Authentication

    
        RestServlet
        com.sun.jersey.spi.container.servlet.ServletContainer
    
    
        RestServlet
        /*
    
    
         
             Orders
             /orders
             GET
             POST
         
         
             admin 
         
    
        
            BASIC
            default
        
    
        admin
    

Securing RESTful Web Services Using SecurityContext

The javax.ws.rs.core.SecurityContext interface provides access to security-related information for a request. The SecurityContext provides functionality similar to javax.servlet.http.HttpServletRequest, enabling you to access the following security-related information:
  • java.security.Principal object containing the name of the user making the request.
  • Authentication type used to secure the resource, such as BASIC_AUTH, FORM_AUTH, and CLIENT_CERT_AUTH.
  • Whether the authenticated user is included in a particular role.
  • Whether the request was made using a secure channel, such as HTTPS.
You access the SecurityContext by injecting an instance into a class field, setter method, or method parameter using the javax.ws.rs.core.Context annotation.
For more information, see the Javadoc at:
Example 5-2 shows how to inject an instance of SecurityContext into the sc method parameter using the @Context annotation, and check whether the authenticated user is included in the admin role before returning the response.
Example 5-2 Securing RESTful Web Service Using SecurityContext
package samples.helloworld;
 
import javax.ejb.Stateless;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.core.Context;

...

@Path("/stateless")
@Stateless(name = "JaxRSStatelessEJB")
public class StlsEJBApp {
...
        @GET
        @Produces("text/plain;charset=UTF-8")
        @Path("/hello")
        // The container injects the caller's SecurityContext into the sc parameter.
        public String sayHello(@Context SecurityContext sc) {
                // Authorization check: only members of the admin role get a response.
                if (sc.isUserInRole("admin"))  return "Hello World!";
                throw new SecurityException("User is unauthorized.");
        }
}
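Added example (not from the original page, and not part of the samples.helloworld project) that exercises all four pieces of information SecurityContext exposes, and answers with explicit HTTP status codes through WebApplicationException, whose mapping JAX-RS defines, rather than a raw SecurityException. The WhoAmIResource class, the /whoami path, and the realm name are invented for the example.

```java
package samples.helloworld;

import java.security.Principal;

import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;

// Added example: an invented /whoami resource that checks channel security,
// authentication and role membership before it returns anything.
@Path("/whoami")
public class WhoAmIResource {

    @GET
    @Produces("text/plain;charset=UTF-8")
    public String whoAmI(@Context SecurityContext sc) {
        // 1. Refuse requests that did not arrive over a secure channel (HTTPS),
        //    so Basic credentials are never accepted in clear text.
        if (!sc.isSecure()) {
            throw new WebApplicationException(Response.Status.FORBIDDEN);
        }
        // 2. getUserPrincipal() is null when the container did not authenticate
        //    the caller, e.g. because no security-constraint matched this URI.
        Principal user = sc.getUserPrincipal();
        if (user == null) {
            Response challenge = Response.status(Response.Status.UNAUTHORIZED)
                    .header("WWW-Authenticate", "Basic realm=\"default\"")
                    .build();
            throw new WebApplicationException(challenge);
        }
        // 3. Authorization: isUserInRole() consults the roles mapped for the
        //    caller in the realm; anyone outside the admin role gets 403.
        if (!sc.isUserInRole("admin")) {
            throw new WebApplicationException(Response.Status.FORBIDDEN);
        }
        // 4. Report how the caller was authenticated (BASIC_AUTH, FORM_AUTH,
        //    CLIENT_CERT_AUTH, ...) together with the principal name.
        return "user=" + user.getName()
             + " scheme=" + sc.getAuthenticationScheme()
             + " secure=" + sc.isSecure();
    }
}
```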

Securing RESTful Web Services Using Annotations

The javax.annotation.security package provides annotations, defined in Table 5-1, that you can use to secure your RESTful Web services. For more information, see the Javadoc at: http://docs.oracle.com/javaee/6/api/index.html?javax/annotation/security/package-summary.html.
Table 5-1 Annotations for Securing RESTful Web Services

Annotation      Description
DeclareRoles    Declares roles.
DenyAll         Specifies that no security roles are allowed to invoke the specified methods.
PermitAll       Specifies that all security roles are allowed to invoke the specified methods.
RolesAllowed    Specifies the list of security roles that are allowed to invoke the methods in the application.
RunAs           Defines the identity of the application during execution in a J2EE container.
Example 5-3 shows how to define the security roles that are allowed, by default, to access the methods defined in the helloWorld class. The sayHello method is annotated with the @RolesAllowed annotation to override the default and allow only users that belong to the ADMIN security role.
Example 5-3 Securing RESTful Web Service Using Annotations
package samples.helloworld;
 
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.annotation.security.RolesAllowed;

 
// Class-level default: the methods may be invoked by ADMIN or ORG1 members.
@Path("/helloworld")
@RolesAllowed({"ADMIN", "ORG1"})
public class helloWorld {

   @GET
   @Path("sayHello")  
   @Produces("text/plain")
   @RolesAllowed("ADMIN")   // Overrides the class default: ADMIN only.
   public String sayHello() {
      return "Hello World!";
   }
}
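Added example, not from the original page or the samples.helloworld project, showing how each method-level annotation from Table 5-1 interacts with a class-level @RolesAllowed default. The OrdersResource class, its paths and its return strings are invented for the example.

```java
package samples.helloworld;

import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.DELETE;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;

// Added example: an invented /orders resource whose class-level default is
// overridden method by method with PermitAll, RolesAllowed and DenyAll.
@Path("/orders")
@RolesAllowed({"ADMIN", "ORG1"})   // class-level default: ADMIN or ORG1
public class OrdersResource {

    @GET
    @Path("status")
    @Produces("text/plain")
    @PermitAll                     // any caller, authenticated or not
    public String status() {
        return "orders service up";
    }

    @GET
    @Produces("text/plain")        // no annotation: inherits ADMIN or ORG1
    public String list() {
        return "order list";
    }

    @POST
    @Produces("text/plain")
    @RolesAllowed("ADMIN")         // tighter than the class default: ADMIN only
    public String create() {
        return "order created";
    }

    @DELETE
    @Path("all")
    @DenyAll                       // never invocable, whatever the caller's roles
    public String purge() {
        return "unreachable";
    }
}
```

These annotations only authorize; the caller is still authenticated by the container through the login-config in web.xml, so a resource with no matching security-constraint sees an anonymous caller and every @RolesAllowed method answers 403. With the Jersey 1.x ServletContainer used in Example 5-1, the annotations are enforced only when RolesAllowedResourceFilterFactory is registered through the com.sun.jersey.spi.container.ResourceFilters init-param; otherwise they are silently ignored.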

3 comments:

Anna said...

Great and Useful Article.