  • Using spring to secure a Jersey Restful Web Service

    Is it a good idea to implement security for a Jersey RESTful web service using spring?
    What are the advantages of spring over implementing security using jersey Digest Authentication, since I only want to guarantee user authentication, and authorization for resource access (to an existing API)?


  • #2
    I think it is a great idea. In fact, that is what I am doing at the moment - adding spring-security based authentication and authorization to my existing jersey rest interface. spring-security is very flexible due to its pluggable architecture and rich set of plugins out-of-the-box. You can choose whatever authentication mechanism you want and still keep the same authentication scaffolding provided by spring-security and related modules.


    • #3
      Thanks Farrukh for your answer.
      In my case, as the user is also the customer of the service, I don't need a login screen for authentication.
      How do you proceed to achieve authentication and authorization for your jersey rest interface with spring?
      There is an alternative with 2-legged Oauth. Are you using it?


      • #4
        I am not familiar with 2-legged Oauth. I did get spring-security to work with jersey. Here is the summary...

        Make sure to have the following dependency in your pom.xml to use spring-security config tags in your spring applicationContext-security.xml (or whatever you call it):

        Add something like the following in your spring security configuration. Note that someAuthenticationProvider should reference whatever is your authentication provider mechanism. I used ldapAuthenticationProvider, the simple ldap provider provided by spring.

        Important note: if your jersey servlet (com.sun.jersey.spi.spring.container.servlet.SpringServlet) is accessed by a url-pattern other than / (mine was <url-pattern>/rest/*</url-pattern>) then you must prefix your intercept-url with that (see the /rest prefix below).

        Make sure that you validate your spring config file using a validating parser, as it avoids a lot of stupid errors.

        <beans xmlns="http://www.springframework.org/schema/beans"
               xmlns:security="http://www.springframework.org/schema/security"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                                   http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
            <!-- .... authenticationProvider configuration is not shown as it varies ..... -->
            <security:global-method-security pre-post-annotations="enabled" />
            <security:authentication-manager alias="authenticationManager">
                <security:authentication-provider ref="someAuthenticationProvider"/>
            </security:authentication-manager>
            <security:http auto-config="true" use-expressions="true">
                <!-- /rest prefix matches the jersey servlet's url-pattern -->
                <security:intercept-url pattern="/rest/xyz" access="isAuthenticated()" method="GET" />
                <security:intercept-url pattern="/**" access="permitAll"/>
                <security:form-login login-page='/spring_security_login'/>
            </security:http>
        </beans>
        Add the following to your web.xml file. Important note: if your jersey servlet (com.sun.jersey.spi.spring.container.servlet.SpringServlet) is accessed by a url-pattern other than / (mine was <url-pattern>/rest/*</url-pattern>) then you still need to specify <url-pattern>/*</url-pattern>
        below. This cost me a lot of wasted time, as otherwise the spring_security_login form is not found (404).

        Now when you try to access the url /rest/xyz you should be redirected to the spring provided login form at url:

        If you give correct username/password then your request is authenticated and proceeds.



        • #5
          Thank you for your answer.

          I have implemented something similar for my app. Once logged in, are the following requests also secured?

          In my case, I don't want to provide a login/password form to access resources. This is why I started using 2-legged OAuth. Consuming apps should only access authorized resources of the provider. But there are no good examples of how to use 2-legged OAuth for RESTful Web services.

          Any idea?


          • #6
            @Jacobdixon: Not sure which tool you are referring to, but if it is jersey then jersey (click here) is a library and runtime to implement a restful server as well as a restful client. Jersey itself does not provide any security features, though with spring-security you can use all of the security features of spring-security with jersey servers and clients.

            @lahniep I am still trying to get my client code working. Click here for that thread. If you or anyone else can answer that other question I would be grateful. Again, I do not know 2-legged OAuth (or any OAuth for that matter) so cannot help there. Best of luck.


            • #7
              @lahniep There seems to be a jersey-contrib project that is related to OAuth:


              and also a jersey-samples project that is related to OAuth:


              I hope this is what you are looking for.
              Last edited by farrukh_najmi; Oct 31st, 2011, 10:57 AM.