Red Hat Summit Red Hat SummitSupportoConsoleSviluppatoriInizia una provaContatti

Questo contenuto non è disponibile nella lingua selezionata.

18.5. JAX-RS Application Security

18.5.1. Enable Role-Based Security for a RESTEasy JAX-RS Web Service
Copia collegamento

Summary

RESTEasy supports the @RolesAllowed, @PermitAll, and @DenyAll annotations on JAX-RS methods. However, it does not recognize these annotations by default. Follow these steps to configure the web.xml file and enable role-based security.

Warning

Changing the default values of the following RESTEasy parameters may cause RESTEasy applications to be potentially vulnerable against XXE attacks.
  • resteasy.document.expand.entity.references
  • resteasy.document.secure.processing.feature
  • resteasy.document.secure.disableDTDs
For more information about these parameters, see Section 15.5.1, “RESTEasy Configuration Parameters”.

Warning

Do not activate role-based security if the application uses EJBs. The EJB container will provide the functionality, instead of RESTEasy.

Procedure 18.5. Enable Role-Based Security for a RESTEasy JAX-RS Web Service

  1. Open the web.xml file for the application in a text editor.
  2. Add the following <context-param> to the file, within the web-app tags: 
    <context-param>
    <param-name>resteasy.role.based.security</param-name>
    <param-value>true</param-value>
</context-param>
  3. Declare all roles used within the RESTEasy JAX-RS WAR file, using the <security-role> tags: 
    <security-role>
    <role-name>ROLE_NAME</role-name>
</security-role>
<security-role>
    <role-name>ROLE_NAME</role-name>
</security-role>
  4. Authorize access to all URLs handled by the JAX-RS runtime for all roles: 
    <security-constraint>
    <web-resource-collection>
	<web-resource-name>Resteasy</web-resource-name>
	<url-pattern>/PATH</url-pattern>
    </web-resource-collection>
    <auth-constraint>
	<role-name>ROLE_NAME</role-name>
	<role-name>ROLE_NAME</role-name>
    </auth-constraint>
</security-constraint>
Result

Role-based security has been enabled within the application, with a set of defined roles.

Example 18.39. Example Role-Based Security Configuration

<web-app>

    <context-param>
	<param-name>resteasy.role.based.security</param-name>
	<param-value>true</param-value>
    </context-param>

    <servlet-mapping>
	<servlet-name>Resteasy</servlet-name>
	<url-pattern>/*</url-pattern>
    </servlet-mapping>

    <security-constraint>
	<web-resource-collection>
	    <web-resource-name>Resteasy</web-resource-name>
	    <url-pattern>/security</url-pattern>
	</web-resource-collection>
	<auth-constraint>
	    <role-name>admin</role-name>
	    <role-name>user</role-name>
	</auth-constraint>
    </security-constraint>

    <security-role>
	<role-name>admin</role-name>
    </security-role>
    <security-role>
	<role-name>user</role-name>
    </security-role>
    
</web-app>
Report a bug

18.5.2. Secure a JAX-RS Web Service using Annotations
Copia collegamento

Summary

This topic covers the steps to secure a JAX-RS web service using the supported security annotations

Procedure 18.6. Secure a JAX-RS Web Service using Supported Security Annotations

  1. Enable role-based security. For more information, refer to: Section 18.5.1, “Enable Role-Based Security for a RESTEasy JAX-RS Web Service”
  2. Add security annotations to the JAX-RS web service. RESTEasy supports the following annotations:
    @RolesAllowed
    Defines which roles can access the method. All roles should be defined in the web.xml file.
    @PermitAll
    Allows all roles defined in the web.xml file to access the method.
    @DenyAll
    Denies all access to the method.
Report a bug
Red Hat logoGithubredditYoutubeTwitter

Formazione

Prova, acquista e vendi

Community

Informazioni sulla documentazione di Red Hat

Aiutiamo gli utenti Red Hat a innovarsi e raggiungere i propri obiettivi con i nostri prodotti e servizi grazie a contenuti di cui possono fidarsi. Esplora i nostri ultimi aggiornamenti.

Rendiamo l’open source più inclusivo

Red Hat si impegna a sostituire il linguaggio problematico nel codice, nella documentazione e nelle proprietà web. Per maggiori dettagli, visita il Blog di Red Hat.

Informazioni su Red Hat

Forniamo soluzioni consolidate che rendono più semplice per le aziende lavorare su piattaforme e ambienti diversi, dal datacenter centrale all'edge della rete.

Theme

© 2026 Red HatTorna in cima