Using spring to secure a Jersey Restful Web Service

  • Using spring to secure a Jersey Restful Web Service

    Hi,
    Is it a good idea to implement security for a Jersey RESTful web service using Spring?
    What are the advantages of Spring over implementing security using Jersey Digest Authentication, since I only want to guarantee user authentication, and authorization for resource access (to an existing API)?

    Thx

  • #2
    I think it is a great idea. In fact, that is what I am doing at the moment - adding spring-security based authentication and authorization to my existing Jersey REST interface. spring-security is very flexible due to its pluggable architecture and rich set of plugins out-of-the-box. You can choose whatever authentication mechanism you want and still keep the same authentication scaffolding provided by spring-security and related modules.


    • #3
      Thanks Farrukh for your answer.
      In my case, as the user is also the customer of the service, I don't need a login screen for authentication.
      How do you proceed to achieve authentication and authorization for your Jersey REST interface with Spring?
      There is an alternative with 2-legged OAuth. Are you using it?


      • #4
        I am not familiar with 2-legged OAuth. I did get spring-security to work with Jersey. Here is the summary...

        Make sure to have the following dependency in your pom.xml to use spring-security config tags in your Spring applicationContext-security.xml (or whatever you call it):

        Code:
        <!-- version is inherited from the spring-security BOM / parent POM -->
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-config</artifactId>
        </dependency>
        Add something like the following in your Spring Security configuration. Note that someAuthenticationProvider should reference whatever is your authentication provider mechanism. I used org.springframework.security.ldap.authentication.LdapAuthenticationProvider, the simple LDAP provider provided by Spring.

        Important note: if your Jersey servlet (com.sun.jersey.spi.spring.container.servlet.SpringServlet) is accessed by a url-pattern other than / (mine was <url-pattern>/rest/*</url-pattern>) then you must prefix your intercept-url with that (see the /rest prefix below).

        Make sure that you validate your Spring config file using a validating parser, as it avoids a lot of stupid errors.

        Code:
        <beans xmlns="http://www.springframework.org/schema/beans"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xmlns:security="http://www.springframework.org/schema/security"
               xmlns:util="http://www.springframework.org/schema/util"
               xmlns:p="http://www.springframework.org/schema/p"
               xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                                   http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd
                                   http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.0.xsd">

            <!-- authenticationProvider configuration is not shown as it varies;
                 it must define a bean with id="someAuthenticationProvider" -->

            <!-- enables @PreAuthorize / @PostAuthorize on Spring-managed beans -->
            <security:global-method-security pre-post-annotations="enabled" />

            <security:authentication-manager alias="authenticationManager">
                <security:authentication-provider ref="someAuthenticationProvider"/>
            </security:authentication-manager>

            <security:http auto-config="true" use-expressions="true">
                <!-- rules are evaluated in order; first match wins -->
                <security:intercept-url pattern="/rest/xyz" access="isAuthenticated()" method="GET" />
                <security:intercept-url pattern="/**" access="permitAll"/>
                <security:form-login login-page='/spring_security_login'/>
                <security:logout/>
            </security:http>

        </beans>
        Add the following to your web.xml file. Important note: if your Jersey servlet (com.sun.jersey.spi.spring.container.servlet.SpringServlet) is accessed by a url-pattern other than / (mine was <url-pattern>/rest/*</url-pattern>) then you still need to specify <url-pattern>/*</url-pattern>
        below. This cost me a lot of wasted time, as otherwise the spring_security_login form is not found (404).

        Code:
        <!-- DelegatingFilterProxy hands every request to the Spring bean
             named "springSecurityFilterChain" built by <security:http> -->
        <filter>
            <filter-name>springSecurityFilterChain</filter-name>
            <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
        </filter>

        <!-- must be /* (not /rest/*) so that /spring_security_login is also filtered -->
        <filter-mapping>
            <filter-name>springSecurityFilterChain</filter-name>
            <url-pattern>/*</url-pattern>
        </filter-mapping>
        Now when you try to access the url /rest/xyz you should be redirected to the spring provided login form at url:
        /spring_security_login

        If you give correct username/password then your request is authenticated and proceeds.

        HTH.


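The configuration in #4 switches on pre/post annotations but does not show a resource that uses them, so here is an added example (editor's code, not Farrukh's) of a Jersey 1.x resource mounted at /rest/xyz that reads the authenticated principal and enforces a role on one method with @PreAuthorize. The package name, resource class, item store and the role name ROLE_ADMIN are assumptions. It is worth noticing that the intercept-url rule above has method="GET" and an exact path, so a POST or DELETE to /rest/xyz, or a GET to /rest/xyz/1, falls through to the permitAll rule; a method-level annotation on the resource is the second layer that catches those.

```java
package com.example.rest; // assumed package name

import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.ws.rs.DELETE;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;

/**
 * Added example, not code from the original thread.
 *
 * The resource is a Spring bean (@Component) so that Jersey's SpringServlet
 * obtains it from the application context and global-method-security can wrap
 * it in an AOP proxy. A @PreAuthorize on a resource that Jersey instantiates
 * itself is never evaluated, because there is no proxy to enforce it.
 */
@Component
@Path("/xyz") // served as /rest/xyz when SpringServlet is mapped to /rest/*
public class XyzResource {

    // Constructed in-memory store standing in for the real backend.
    private final Map<String, String> items = new ConcurrentHashMap<String, String>();

    public XyzResource() {
        items.put("1", "first item");
        items.put("2", "second item");
    }

    /** GET /rest/xyz: already behind isAuthenticated() at the URL layer. */
    @GET
    @Produces(MediaType.TEXT_PLAIN)
    public String whoAmI() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()) {
            // Defensive: never rely on the URL rule alone to populate the context.
            return "anonymous";
        }
        StringBuilder sb = new StringBuilder("user=").append(auth.getName()).append(" roles=");
        for (GrantedAuthority ga : auth.getAuthorities()) {
            sb.append(ga.getAuthority()).append(' ');
        }
        return sb.toString().trim();
    }

    /**
     * DELETE /rest/xyz/{id}: not matched by the GET-only URL rule, so the
     * annotation is the only thing protecting it. ROLE_ADMIN is an assumed
     * authority; the LDAP provider from the thread must actually grant it.
     * When the caller lacks it, Spring throws AccessDeniedException before
     * the method body runs.
     */
    @DELETE
    @Path("/{id}")
    @PreAuthorize("hasRole('ROLE_ADMIN')")
    public Response delete(@PathParam("id") String id) {
        if (items.remove(id) == null) {
            return Response.status(Response.Status.NOT_FOUND).build();
        }
        return Response.noContent().build();
    }
}
```

Two points to verify in your own deployment rather than assume: first, check what status a denied DELETE actually returns. Spring's ExceptionTranslationFilter handles an AccessDeniedException that propagates out of the servlet (it unwraps a ServletException to find it), but if Jersey maps the exception to a 500 response before the filter sees it, add a JAX-RS ExceptionMapper for AccessDeniedException that returns 403. Second, the form login in #4 stores the SecurityContext in the HTTP session, so later requests are authenticated only while the client sends the session cookie; for a non-browser client that should not see a login form, replace `<security:form-login .../>` with `<security:http-basic/>` and send credentials on every request over TLS.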

        • #5
          @Farrukh
          Thank you for your answer.

          I have implemented something similar for my app. Once logged in, are the following requests also secured?

          In my case, I don't want to provide a login/password form to access resources. This is why I started using 2-legged OAuth. Consuming apps should only access authorized resources of the provider. But there are no good examples of how to use 2-legged OAuth for RESTful Web services.

          Any idea?



          • #6
            @Jacobdixon: Not sure which tool you are referring to, but if it is Jersey then Jersey is a library and runtime to implement a RESTful server as well as a RESTful client. Jersey itself does not provide any security features, though with spring-security you can use all of the security features of spring-security with Jersey servers and clients.

            @lahniep I am still trying to get my client code working. Click here for that thread. If you or anyone else can answer that other question I would be grateful. Again, I do not know 2-legged OAuth (or any OAuth for that matter) so cannot help there. Best of luck.



            • #7
              @lahniep There seems to be a jersey-contrib project that is related to OAuth:

              http://download.java.net/maven/2/com.../jersey-oauth/

              and also a jersey-samples project that is related to OAuth:

              http://download.java.net/maven/2/com...lient-twitter/

              I hope this is what you are looking for.
              Last edited by farrukh_najmi; Oct 31st, 2011, 10:57 AM.
