How can I use #RolesAllowed in Java EE 6.0 - jax-rs

I'm using jax-rs 1.1 (as this JavaEE 6.0) and want a standard way to manage permission for my resources. I've tried this:
#Path("/public/login/")
#Stateless
#RolesAllowed("ADMIN")
public class LoginResource implements Serializable {
#POST
#Consumes("application/json")
#Produces("application/json")
public Response login(Usuario usuario) {
....
}
}
But it appears to have no effect. What am I missing?

Your application may be missing security constraints in web.xml and in that case it is ignoring any security annotations.
Try to add the following to your web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>all</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admins</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-role>
<role-name>admins</role-name>
</security-role>

Related

How can I get rid of keycloak's default login page and use my own login page

I am using wildfly 10.1.0.Final and keycloak 3.1.0.Final.
I want to use my own login page, I have created a login page with a submit button to get the token:
$('#submit').click(function(e) {
var creds = "client_id=sensorcloud-2.2.1-SNAPSHOT&grant_type=password&client_secret=b6b4f0ec-9936-46a2-9f40-69c207e2e0f2&username=" + $('#username')[0].value +"&password=" + $('#password')[0].value;
$.ajax({
url: 'https://localhost:8445/auth/realms/sensorcloud-auth/protocol/openid-connect/token',
data: creds,
headers: {'Content-Type':'application/x-www-form-urlencoded'},
type: 'POST',
success: function(data){
localStorage.setItem('currentUser', JSON.stringify(data));
window.location.replace("https://localhost:8443/sensorcloud-2.2.1-SNAPSHOT/dashboard.html");
},
error: function() {
alert("Invalid username or password");
}
});
});
And it works.
Only with this code, dashboard.html doesn't have any security constraint at all,so I set up the web.xml as recommended:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://xmlns.jcp.org/xml/ns/javaee" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd" id="WebApp_ID" version="3.1">
<display-name>SensorCloud</display-name>
<welcome-file-list>
<welcome-file>index.html</welcome-file>
</welcome-file-list>
<login-config>
<auth-method>KEYCLOAK</auth-method>
<realm-name>sensorcloud-auth</realm-name>
</login-config>
<context-param>
<param-name>resteasy.role.based.security</param-name>
<param-value>true</param-value>
</context-param>
<security-constraint>
<web-resource-collection>
<web-resource-name>sensorcloud-2.2.1-SNAPSHOT</web-resource-name>
<url-pattern>/rest/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>user</role-name>
<role-name>admin</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>sensorcloud-2.2.1-SNAPSHOT</web-resource-name>
<url-pattern>/index.html</url-pattern>
<url-pattern>/help.html</url-pattern>
<url-pattern>/register.html</url-pattern>
<url-pattern>/login.html</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>sensorcloud-2.2.1-SNAPSHOT</web-resource-name>
<url-pattern>/dashboard.html</url-pattern>
<url-pattern>/management.html</url-pattern>
<url-pattern>/password.html</url-pattern>
<url-pattern>/user.html</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>user</role-name>
<role-name>admin</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>sensorcloud-2.2.1-SNAPSHOT</web-resource-name>
<url-pattern>/admin.html</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-role>
<role-name>admin</role-name>
</security-role>
<security-role>
<role-name>user</role-name>
</security-role>
</web-app>
Some public pages can be accessed by anyone like index.html, login.html. And some pages should be accessed only by user and admin, like dashboard.html, and admin.html should only be accessed by admin user.
And in my keycloak realm client setting, for client sensorclout-2.2.1-SNAPSHOT, I have redirect url as
https://localhost:8443/sensorcloud-2.2.1-SNAPSHOT/*
But every time when I try to go to dashboard.html, I will be redirect the keycloak default login page. I want to be redirect to my customized login page.
How can I achieve this?
Thanks
when you set Access Type of your client to "public", then keycloak will always redirect a user to its login page. You can set Access Type to "bearer-only" - in this case keycloak would NOT redirect, but you need to be authenticated to access secured ressources.
If you configure keycloak like this, then, when accessing secured pages, you will need to implement some process, which checks, if user is already authenticated, and if not, redirect it to your login page.

Secured REST call on Websphere

I am trying to create a secured REST service on WebSphere 8.5.0.2. I want to secure using basic authentication. I modified my web.xml and tryed to read auto injected SecurityContext. I get an auto injected object but various operations are failing for e.g. securityContext.getAuthenticationScheme();
I have also mapped my role to all authentiacted realm's users.
I could not find anything in Wink's documentation too. Am i doing anything wrong ?
My web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" id="WebApp_ID" version="3.0">
<display-name>RESTModulation</display-name>
<!-- Wink SDK servlet configuration.
This servlet handles HTTP requests
of SDK web service on application server.-->
<servlet>
<description>
JAX-RS Tools Generated - Do not modify</description>
<servlet-name>EntryRestServlet</servlet-name>
<servlet-class>com.ibm.websphere.jaxrs.server.IBMRestServlet</servlet-class>
<init-param>
<param-name>javax.ws.rs.Application</param-name>
<param-value>com.demo.DemoResourceApplication</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>EntryRestServlet</servlet-name>
<url-pattern>
/resources/*</url-pattern>
</servlet-mapping>
<security-constraint id="SecurityConstraint_1">
<web-resource-collection id="WebResourceCollection_1">
<web-resource-name>EntryRestServlet</web-resource-name>
<description>Protection area for Rest Servlet</description>
<url-pattern>/resources/</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint id="AuthConstraint_1">
<description>Role1 for this rest servlet</description>
<role-name>Role1</role-name>
</auth-constraint>
</security-constraint>
<security-role id="SecurityRole_1">
<description>This is Role1</description>
<role-name>Role1</role-name>
</security-role>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>defaultWIMFileBasedRealm</realm-name>
</login-config>
<welcome-file-list>
<welcome-file>index.html</welcome-file>
<welcome-file>index.htm</welcome-file>
<welcome-file>index.jsp</welcome-file>
<welcome-file>default.html</welcome-file>
<welcome-file>default.htm</welcome-file>
<welcome-file>default.jsp</welcome-file>
</welcome-file-list>
</web-app>
==========================================================================
Service implementation
#Path("/MyTestService")
public class MyTestService{
#Context
SecurityContext securityContext;
#GET
#Path("/getUser1")
#Produces(MediaType.TEXT_PLAIN)
public Response doInquiry()throws Exception {
String jsonData= "{'user':'I am here '}";
String authnScheme = securityContext.getAuthenticationScheme();
System.out.println("authnScheme : " + authnScheme);
// retrieve the name of the Principal that invoked the resource
String username = securityContext.getUserPrincipal().getName();
System.out.println("username : " + username);
// check if the current user is in Role1
Boolean isUserInRole = securityContext.isUserInRole("Role1");
System.out.println("isUserInRole : " + isUserInRole);
return Response.status(Response.Status.OK).entity(jsonData).build();
}
}
I did not pass correct password from REST client. After providing correct credentials, it has started working.

How to get id of authenticated user in Olingo ODataServiceFactory

I am trying to read the user id of the user that is calling my OData service.
In my web.xml the OData servlet is a protected area
<servlet>
<servlet-name>EJODataServlet</servlet-name>
<servlet-class>org.apache.cxf.jaxrs.servlet.CXFNonSpringJaxrsServlet</servlet-class>
<init-param>
<param-name>javax.ws.rs.Application</param-name>
<param-value>org.apache.olingo.odata2.core.rest.app.ODataApplication</param-value>
</init-param>
<init-param>
<param-name>org.apache.olingo.odata2.service.factory</param-name>
<param-value>com.wombling.odata.service.EJServiceFactory</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>EJODataServlet</servlet-name>
<url-pattern>/EJOData.svc/*</url-pattern>
</servlet-mapping>
<login-config>
<auth-method>FORM</auth-method>
</login-config>
<security-constraint>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
<url-pattern>/a/*</url-pattern>
<url-pattern>/index.html</url-pattern>
<url-pattern>*.html</url-pattern>
<url-pattern>/EJOData.svc/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>extension_user</role-name>
</auth-constraint>
</security-constraint>
When I create the factory to serve the response to a query:
public class EJServiceFactory extends ODataServiceFactory {
#Override
public ODataService createService(ODataContext ctx) throws ODataException {
return RuntimeDelegate
.createODataSingleProcessorService(
new AnnotationEdmProvider(
"com.wombling.odata.models"),
new EJODataProcessor("admin")); //TODO this should not be hardcoded
}
}
I cannot see any way that I can get from the ODataContext the user that has passed authentication. If I were to be using basic auth - then I could just get the header, but I'm not using basic auth, but OAuth2 bearer tokens (created by a SAML assertion).
I'd expect the ODataContext provide me access to the request user id, but no luck. Is there some other means that I can use? Or do I need to force the calling application to insert the user id in the request headers (doesn't seem ideal to me!)
To retrieve the request object via the ODataContext object is a little bit tricky. Try this:
HttpServletRequest r = (HttpServletRequest) ctx.getParameter(ODataContext.HTTP_SERVLET_REQUEST_OBJECT);
ctx is your instance of the ODataContext class. From the request object you get all what you need.

Glassfish basic authentication in REST services

I am trying to make basic authentication in Web Project using Glassfish jdbcRealm.
This is my web.xml authentication part:
<security-constraint>
<display-name>LoginTestContraint</display-name>
<web-resource-collection>
<web-resource-name>Login</web-resource-name>
<description/>
<url-pattern>/login/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<description/>
<role-name>UsersRead</role-name>
<role-name>UsersWrite</role-name>
<role-name>UsersDelete</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<display-name>UsersConstraints</display-name>
<web-resource-collection>
<web-resource-name>FindAll</web-resource-name>
<description/>
<url-pattern>/resources/com.taxi.model.users/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<description/>
<role-name>UsersRead</role-name>
<role-name>UsersWrite</role-name>
<role-name>UsersDelete</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<display-name>AccessConstraints</display-name>
<web-resource-collection>
<web-resource-name>/resources/com.taxi.model.access</web-resource-name>
<description/>
<url-pattern>/resources/com.taxi.model.access/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<description/>
<role-name>AccessRead</role-name>
<role-name>AccessWrite</role-name>
<role-name>AccessDelete</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>taxiJDBCRealm</realm-name>
</login-config>
<security-role>
<description/>
<role-name>AccessRead</role-name>
</security-role>
<security-role>
<description/>
<role-name>AccessWrite</role-name>
</security-role>
<security-role>
<description/>
<role-name>AccessDelete</role-name>
</security-role>
<security-role>
<description/>
<role-name>UsersRead</role-name>
</security-role>
<security-role>
<description/>
<role-name>UsersWrite</role-name>
</security-role>
<security-role>
<description/>
<role-name>UsersDelete</role-name>
</security-role>
And this is what i have in glassfish-web.xml:
<glassfish-web-app error-url="">
<security-role-mapping>
<role-name>AccessDelete</role-name>
<group-name>AccessDelete</group-name>
</security-role-mapping>
<security-role-mapping>
<role-name>AccessRead</role-name>
<group-name>AccessRead</group-name>
</security-role-mapping>
<security-role-mapping>
<role-name>AccessWrite</role-name>
<group-name>AccessWrite</group-name>
</security-role-mapping>
<security-role-mapping>
<role-name>UsersDelete</role-name>
<group-name>UsersDelete</group-name>
</security-role-mapping>
<security-role-mapping>
<role-name>UsersRead</role-name>
<group-name>UsersRead</group-name>
</security-role-mapping>
<security-role-mapping>
<role-name>UsersWrite</role-name>
<group-name>UsersWrite</group-name>
</security-role-mapping>
<class-loader delegate="true"/>
<jsp-config>
<property name="keepgenerated" value="true">
<description>Keep a copy of the generated servlet class' java code.</description>
</property>
</jsp-config>
</glassfish-web-app>
I want to authenticate REST service users, so I do following:
#Stateless
#Path("com.taxi.model.users")
public class UsersFacadeREST extends AbstractFacade<Users> {
// ...
#GET
#Override
#Produces({"application/xml", "application/json"})
#RolesAllowed("UsersRead")
public List<Users> findAll() {
return super.findAll();
}
// ...
}
#Stateless
#Path("com.taxi.model.access")
public class AccessFacadeREST extends AbstractFacade<Access> {
// ...
#GET
#Override
#Produces({"application/xml", "application/json"})
#RolesAllowed("AccessRead")
public List<Access> findAll() {
return super.findAll();
}
// ...
}
When I try to open http://localhost:8080/taxi/resources/com.taxi.model.access it returns me XML with accesses.
So, then I try to open http://localhost:8080/taxi/resources/com.taxi.model.users in browser it is all works, but access is denied. In postgresql log file I see:
2011-08-15 13:32:14 SAMST LOG: execute <unnamed>: SELECT glpasswd FROM vw_glusertable WHERE gluser = $1
2011-08-15 13:32:14 SAMST DETAIL: parameters: $1 = 'nickla'
2011-08-15 13:32:14 SAMST LOG: execute <unnamed>: SELECT glgroup FROM vw_glgrouptable WHERE gluser = $1
2011-08-15 13:32:14 SAMST DETAIL: parameters: $1 = 'nickla'
Glassfish error log:
FINE: [Web-Security] Setting Policy Context ID: old = null ctxID = taxi/taxi
FINE: [Web-Security] hasUserDataPermission perm: (javax.security.jacc.WebUserDataPermission /resources/com.taxi.model.users GET)
FINE: [Web-Security] hasUserDataPermission isGranted: true
FINE: [Web-Security] Policy Context ID was: taxi/taxi
FINE: [Web-Security] Codesource with Web URL: file:/taxi/taxi
FINE: [Web-Security] Checking Web Permission with Principals : null
FINE: [Web-Security] Web Permission = (javax.security.jacc.WebResourcePermission /resources/com.taxi.model.users GET)
FINEST: JACC Policy Provider: PolicyWrapper.implies, context (taxi/taxi)- result was(false) permission ((javax.security.jacc.WebResourcePermission /resources/com.taxi.model.users GET))
FINE: [Web-Security] hasResource isGranted: false
FINE: [Web-Security] hasResource perm: (javax.security.jacc.WebResourcePermission /resources/com.taxi.model.users GET)
FINEST: Processing login with credentials of type: class com.sun.enterprise.security.auth.login.common.PasswordCredential
FINE: Logging in user [nickla] into realm: taxiJDBCRealm using JAAS module: jdbcRealm
FINE: Login module initialized: class com.sun.enterprise.security.auth.login.JDBCLoginModule
FINEST: JDBC login succeeded for: nickla groups:[UsersRead, AccessRead, AccessWrite, UsersWrite, UsersDelete, AccessDelete]
FINE: JAAS login complete.
FINE: JAAS authentication committed.
FINE: Password login succeeded for : nickla
FINE: Set security context as user: nickla
FINE: [Web-Security] Policy Context ID was: taxi/taxi
FINE: [Web-Security] Codesource with Web URL: file:/taxi/taxi
FINE: [Web-Security] Checking Web Permission with Principals : nickla, UsersRead, AccessRead, AccessWrite, UsersWrite, UsersDelete, AccessDelete
FINE: [Web-Security] Web Permission = (javax.security.jacc.WebResourcePermission /resources/com.taxi.model.users GET)
FINEST: JACC Policy Provider: PolicyWrapper.implies, context (taxi/taxi)- result was(false) permission ((javax.security.jacc.WebResourcePermission /resources/com.taxi.model.users GET))
FINE: [Web-Security] hasResource isGranted: false
FINE: [Web-Security] hasResource perm: (javax.security.jacc.WebResourcePermission /resources/com.taxi.model.users GET)
Why is Glassfish told me that my user with role UsersRead has no grants for com.taxi.model.users?
P.S.:
Answer is simple - do not use UsersRead UsersWrite UsersDelete words as role names. I do not know why, but when I changed it to UsersRead11 all things go right.

How to implement redirect to login-page with Java EE 6/Glassfish

I'm trying to implement a redirect after login, which means I can't use glassfish built-in form authentication settings anymore that handles such things automatically. So first thing's first, I need to take control over redirecting to a login page when requesting a protected page. As I understand, this is done with a filter. Can this method be combined with security-constraints in web-xml? As it is, my filter is not called at all since glassfish just takes over and throws a basic loginbox at the user and ignores all filters even when no login configuration is set. Basicly, I have not managed to get a filter called before a user has logged in when security constraints are configured in glassfish.
Do I really need to take over security completly manually in a filter for this to work? If that's the case, the implementation seems horrible.
Using glassfish 3.1 with JSF 2 and a custom loginpage logging in manually with request.login.
web.xml.
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
<context-param>
<param-name>javax.faces.PROJECT_STAGE</param-name>
<param-value><!--Production-->Development</param-value>
</context-param>
<context-param>
<param-name>com.sun.faces.expressionFactory</param-name>
<param-value>de.odysseus.el.ExpressionFactoryImpl</param-value>
</context-param>
<filter-mapping>
<filter-name>LoginFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>*.jsf</url-pattern>
</servlet-mapping>
<filter>
<filter-name>LoginFilter</filter-name>
<filter-class>com.xdin.competence.jsf.util.LoginFilter</filter-class>
</filter>
<session-config>
<session-timeout>60</session-timeout>
</session-config>
<welcome-file-list>
<welcome-file>index.jsf</welcome-file>
</welcome-file-list>
<!--<error-page>
<exception-type>javax.faces.application.ViewExpiredException</exception-type>
<location>/viewExpired.jsf</location>
</error-page>-->
<security-constraint>
<display-name>ManagerArea</display-name>
<web-resource-collection>
<web-resource-name>ManagerArea</web-resource-name>
<description/>
<url-pattern>/manager/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<description/>
<role-name>Manager-role</role-name>
<role-name>Admin-role</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<display-name>EmployeeArea</display-name>
<web-resource-collection>
<web-resource-name>EmployeeConstraint</web-resource-name>
<description/>
<url-pattern>/user/Overview.jsf</url-pattern>
<url-pattern>/user/PrepareReport.jsf</url-pattern>
<url-pattern>/user/Search.jsf</url-pattern>
</web-resource-collection>
<auth-constraint>
<description/>
<role-name>Employee-role</role-name>
<role-name>Admin-role</role-name>
<role-name>Manager-role</role-name>
<role-name>OKIF-role</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<display-name>AdminArea</display-name>
<web-resource-collection>
<web-resource-name>AdminCompetence</web-resource-name>
<description/>
<url-pattern>/admin/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<description/>
<role-name>Admin-role</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<display-name>UserArea</display-name>
<web-resource-collection>
<web-resource-name>UserConstraint</web-resource-name>
<description/>
<url-pattern>/index.jsf</url-pattern>
<url-pattern>/template.jsf</url-pattern>
<url-pattern>/user/UserDetail.jsf</url-pattern>
<url-pattern>/user/UserInformation.jsf</url-pattern>
<url-pattern>/print/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<description/>
<role-name>Employee-role</role-name>
<role-name>Admin-role</role-name>
<role-name>Manager-role</role-name>
<role-name>OKIF-role</role-name>
</auth-constraint>
</security-constraint>
<!--<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login.jsf</form-login-page>
<form-error-page>/login.jsf</form-error-page>
</form-login-config>
</login-config>-->
<security-role>
<description/>
<role-name>Employee-role</role-name>
</security-role>
<security-role>
<description/>
<role-name>Admin-role</role-name>
</security-role>
<security-role>
<description/>
<role-name>Manager-role</role-name>
</security-role>
<security-role>
<description/>
<role-name>OKIF-role</role-name>
</security-role>
</web-app>
And my filter:
public class LoginFilter implements Filter {
private FilterConfig filterConfig = null;
public LoginFilter() {
}
#Override
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain)
throws IOException, ServletException {
HttpServletRequest req = (HttpServletRequest)request;
HttpServletResponse res = (HttpServletResponse)response;
if (req.getUserPrincipal() == null) {
req.getSession().setAttribute("from", req.getRequestURI());
res.sendRedirect("/login.jsf");
} else {
chain.doFilter(request, response);
}
}
#Override
public void destroy() {
}
#Override
public void init(FilterConfig filterConfig) {
this.filterConfig = filterConfig;
}
}
In your customized login form, add the following hidden field:
<input type="hidden" name="from" value="#{requestScope['javax.servlet.forward.request_uri']}" />
which you set in JSF as follows
#ManagedProperty(value="#{param.from}")
private String from;
and redirect as follows in login action method
if (from != null) {
externalContext.redirect(from);
}
No need for a Filter.