Search
SupportConsoleDevelopersStart a trialContact

Chapter 33. Securing JAX-RS and RESTeasy

download PDF
Because RESTEasy is deployed as a Servlet, you must use standard web.xml constraints to enable authentication and authorization.
Unfortunately, web.xml constraints have limited compatibility with JAX-RS because of the limited URL pattern matching available in web.xml. URL patterns in web.xml support only simple wildcards, so JAX-RS resources like the following: 
/{pathparam1}/foo/bar/{pathparam2}
Cannot be mapped as a web.xml URL pattern such as: 
/*/foo/bar/*
To work around this problem, use the following security annotations on your JAX-RS methods. You must also set up some general security constraint elements in web.xml to enable authentication.
RESTEasy JAX-RS supports the @RolesAllowed, @PermitAll and @DenyAll annotations on JAX-RS methods. By default, RESTEasy does not recognize these annotations. You must configure RESTEasy to enable role-based security by setting a context parameter, like so:

Note

Do not enable this if you are using EJBs. The EJB container will provide this function instead of RESTEasy. 
<web-app>
...
   <context-param>
      <context-name>resteasy.role.based.security</context-name>
      <context-value>true</context-value>
   </context-param>
</web-app>
With this approach, you must declare all roles used within both the RESTEasy JAX-RS WAR file, and in your JAX-RS classes, and establish a security constraint that lets these roles access every URL handled by the JAX-RS runtime, assuming that RESTEasy authorizes correctly.
RESTEasy authorisation checks if a method is annotated with @RolesAllowed and then performs HttpServletRequest.isUserInRole. If one of the the @RolesAllowed passes, the request is allowed. If not, a response is returned with a 401 (Unauthorized) response code.
The following is an example of a modified RESTEasy WAR file. Note that every role declared is allowed access to every URL controlled by the RESTEasy Servlet. 

<web-app>

   <context-param>
      <context-name>resteasy.role.based.security</context-name>
      <context-value>true</context-value>
   </context-param>

   <listener>
      <listener-class>org.resteasy.plugins.server.servlet.ResteasyBootstrap</listener-class>
   </listener>

   <servlet>
      <servlet-name>Resteasy</servlet-name>
      <servlet-class>org.resteasy.plugins.server.servlet.HttpServletDispatcher</servlet-class>
   </servlet>

   <servlet-mapping>
      <servlet-name>Resteasy</servlet-name>
      <url-pattern>/*</url-pattern>
   </servlet-mapping>

   <security-constraint>
      <web-resource-collection>
         <web-resource-name>Resteasy</web-resource-name>
         <url-pattern>/security</url-pattern>
      </web-resource-collection>
       <auth-constraint>
         <role-name>admin</role-name>
         <role-name>user</role-name>
      </auth-constraint>
  </security-constraint>

   <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>Test</realm-name>
   </login-config>

   <security-role>
      <role-name>admin</role-name>
   </security-role>
   <security-role>
      <role-name>user</role-name>
   </security-role>


</web-app>
Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.