This post adds security to my previous RESTful services example code. The changes are quite simple and I will only highlight them here. As usual, the full Maven project and a Java client test class are available for you to explore.
The idea is to add HTTP basic authentication to the RESTful services and also restrict which users can call which methods (authorization). Keep in mind that basic authentication sends the user id and password base64-encoded, not encrypted, in every request, so anywhere other than a local demo the services must be served over TLS. First, the change to web.xml: we add the Spring Security filter, mapped to the same /services/* path that the JAX-RS servlet serves.
```xml
<filter>
  <filter-name>springSecurityFilterChain</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <url-pattern>/services/*</url-pattern>
</filter-mapping>
```
Next is the Spring application context file. The changes are to enable Spring Security, define a couple of in-memory dummy users (plain-text passwords, fine for a demo and nothing else), enable HTTP basic authentication, and list the URL patterns to which security applies. create-session="stateless" means no HTTP session is created, so every request must carry its own credentials, which is what you want for a REST service. Two things to know about the intercept-url entries: they are evaluated in order and the first matching pattern wins, and in Spring Security 3.x a request under /services/ that matches none of them is passed through without any authentication, so for anything beyond a demo finish the list with a catch-all such as pattern="/**" access="denyAll" (or "authenticated"). Also note that hasRole('admin') compares against the authority string literally in 3.1; from Spring Security 4 onward hasRole prepends ROLE_, so the authorities would then have to be ROLE_admin and ROLE_customer.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:aop="http://www.springframework.org/schema/aop"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:jee="http://www.springframework.org/schema/jee"
       xmlns:tx="http://www.springframework.org/schema/tx"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:sec="http://www.springframework.org/schema/security"
       xsi:schemaLocation="
         http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.0.xsd
         http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
         http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd
         http://www.springframework.org/schema/jee http://www.springframework.org/schema/jee/spring-jee-3.0.xsd
         http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd
         http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.0.xsd">

  <context:component-scan base-package="com.aver.restful" />

  <!-- In-memory users with plain-text passwords: demo only -->
  <sec:authentication-manager>
    <sec:authentication-provider>
      <sec:user-service id="userService">
        <sec:user name="admin" password="password" authorities="admin" />
        <sec:user name="johndoe" password="password" authorities="customer, admin" />
      </sec:user-service>
    </sec:authentication-provider>
  </sec:authentication-manager>

  <!-- Rules are checked top to bottom; first match wins. Paths under /services/
       that match no rule are let through unauthenticated in Spring Security 3.x. -->
  <sec:http create-session="stateless" use-expressions="true">
    <sec:intercept-url pattern="/services/timeoftheday/asplaintext/**" access="permitAll" />
    <sec:intercept-url pattern="/services/timeoftheday/asxml/**" access="hasRole('admin')" />
    <sec:intercept-url pattern="/services/timeoftheday/asjson/**" access="hasAnyRole('admin','customer')" />
    <sec:http-basic />
  </sec:http>
</beans>
```
Run mvn package jetty:run and then access one of the URLs below. Be sure to provide the right user id and password for the JSON and XML URIs.
```text
http://localhost:9090/jaxrs/services/timeoftheday/asplaintext/mathew
http://localhost:9090/jaxrs/services/timeoftheday/asjson/mathew
http://localhost:9090/jaxrs/services/timeoftheday/asxml/mathew
```
Your browser will prompt for a user id and password where required, as dictated by the intercept-url entries above. The Java client has a slight modification to pass the login credentials: Jersey's HTTPBasicAuthFilter adds the Authorization header to each request for you.
```java
import com.sun.jersey.api.client.Client;
import com.sun.jersey.api.client.WebResource;
import com.sun.jersey.api.client.filter.HTTPBasicAuthFilter;

public class RestTest {

    public static void main(String[] args) {
        Client c = Client.create();

        // plain text: permitAll, so no credentials are sent
        WebResource r = c.resource("http://localhost:9090/jaxrs/services/timeoftheday/asplaintext/mathew");
        System.out.println("Plain Text=>> " + r.get(String.class));

        // json: needs the admin or customer authority.
        // The filter is added to the WebResource, not the shared Client: a WebResource
        // copies the Client's filter chain when it is created, so a filter added to the
        // Client afterwards does not apply to it, and stacking two HTTPBasicAuthFilters
        // on the Client would leave it unclear which credentials a later request carries.
        r = c.resource("http://localhost:9090/jaxrs/services/timeoftheday/asjson/mathew");
        r.addFilter(new HTTPBasicAuthFilter("johndoe", "password"));
        System.out.println("JSON=>> " + r.get(String.class));

        // xml: needs the admin authority
        r = c.resource("http://localhost:9090/jaxrs/services/timeoftheday/asxml/mathew");
        r.addFilter(new HTTPBasicAuthFilter("admin", "password"));
        System.out.println("XML=>> " + r.get(String.class));
    }
}
```
The full Maven project can be downloaded from GitHub – https://github.com/thomasma/jaxrs-jersey-springsec.