I am new to jax rs implementation.
I had created RESTFUL application contains the web services using jax rs.
But I want to provide the authentication and authorization to some of the web services.
I am unable to configure the web.xml for the authentication.
Thanks in advance
You can use container-level authentication. For instance, in Apache Tomcat, you can configure HTTP-based authentication (e.g. BASIC, DIGEST, or even FORM-based though the latter does not make sense for APIs).
To configure HTTP BASIC authentication as an example you need to:
define users in a user store and connect Tomcat to it. By default Tomcat provides you with a tomcat-users.xml file which you can use to define users. You could also configure Tomcat to use LDAP as a source
update your web.xml file to add the security-constraint element
update your web.xml to add the login-config element
update your web.xml to add the security-role element
Here's an example snippet:
<security-constraint>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>PUT</http-method>
<http-method>DELETE</http-method>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>basic-user</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
<security-role>
<role-name>basic-user</role-name>
</security-role>
Note that there is a great answer already available here too: Easy way for Authentication and Authorization with JAX-RS Jersey
Related
How can I assign an openAM user to the Activiti processes.
I have an openAM that is running on apache and side by side I have an spring application Activiti Processes.
how can i add a user through openAM to my BPMn process.
1 i have integrated my openAM with activiti process application.
<?xml version="1.0" encoding="UTF-8"?>
<bpmn2:definitions xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:bpmn2="http://www.omg.org/spec/BPMN/20100524/MODEL"
xmlns:bpmndi="http://www.omg.org/spec/BPMN/20100524/DI"
xmlns:dc="http://www.omg.org/spec/DD/20100524/DC"
xmlns:di="http://www.omg.org/spec/DD/20100524/DI"
xmlns:activiti="http://activiti.org/bpmn"
id="sample-diagram"
targetNamespace="http://bpmn.io/schema/bpmn"
xsi:schemaLocation="http://www.omg.org/spec/BPMN/20100524/MODEL BPMN20.xsd">
<bpmn2:process id="sampleproc-e9b76ff9-6f70-42c9-8dee-f6116c533a6d" name="Sample Process" isExecutable="true">
<bpmn2:documentation />
<bpmn2:startEvent id="StartEvent_1">
<bpmn2:outgoing>SequenceFlow_0qdq7ff</bpmn2:outgoing>
</bpmn2:startEvent>
<bpmn2:userTask id="UserTask_0b6cp1l" name="User Task 1" activiti:assignee="demo">
<bpmn2:incoming>SequenceFlow_0qdq7ff</bpmn2:incoming>
<bpmn2:outgoing>SequenceFlow_1sc9dgy</bpmn2:outgoing>
</bpmn2:userTask>
<bpmn2:sequenceFlow id="SequenceFlow_0qdq7ff" sourceRef="StartEvent_1" targetRef="UserTask_0b6cp1l" />
<bpmn2:serviceTask id="ServiceTask_1wg38me" name="Service Task 1" implementation="serviceTask1Impl">
<bpmn2:incoming>SequenceFlow_1sc9dgy</bpmn2:incoming>
<bpmn2:outgoing>SequenceFlow_0t37jio</bpmn2:outgoing>
</bpmn2:serviceTask>
<bpmn2:sequenceFlow id="SequenceFlow_1sc9dgy" sourceRef="UserTask_0b6cp1l" targetRef="ServiceTask_1wg38me" />
<bpmn2:endEvent id="EndEvent_0irytw8">
<bpmn2:incoming>SequenceFlow_0t37jio</bpmn2:incoming>
</bpmn2:endEvent>
you may have several options, based on your deployment.
If you use 'domain cookies' you could just use a simple servlet filter based on https://backstage.forgerock.com/docs/openam/13.5/apidocs/com/iplanet/sso/SSOTokenManager.html
You could do the same if OpenAM and your web app are accessed via the same FQDN (e.g. using an HTTP reverse-proxy)
If OpenAM and the FQDN used to access the Spring app do not share a cookie domain, you could either use an OpenAM Policy Agent that solves this for you or you could use an internet standards based approach by leveraging SAML or OIDC.
Spring Security has modules for both or you apply a module in an HTTP reverse-proxy server (e.g. Apache http server, mod_auth_mellon for SAML or mod_auth_oidc for OIDC).
I am a computer science student and have used Quarkus for several projects in the past year.
I recently received a new project where I have to create a rest API. Because I have to do a lot in a short time, I use Quarkus to easily do the job with RESTEasy for my web services.
But this API has to authenticate the user by using Apereo with protocols CAS or SAML2.
Moreover I have no experience in using Java security plugins.
I also searched about how to deal with that by using keycloak, Apereo Jboss client, Apero Spring boot client or by having a service along with Quarkus like a Tomcat that will do the authentication job. But I don't know which one would be the best and even which one would actually work.
Do you have any experience around that ?
Or what could I use to make my Quarkus API work with Apereo ?
Thank you very much for your time and help,
Best regards,
Thomas
Sorry for being late to the party, but I actually did a quarkus - apareo cas integration.
Basically I added quarkus-undertow extension to be able to use src/main/resources/META-INF/web.xml.
Also I used org.jasig.cas.client:cas-client-core:3.6.1 to have the cas filters.
And my web.xml contains something like this:
<context-param>
<param-name>serverName</param-name>
<param-value>${cas.redirect.url}</param-value>
</context-param>
<filter>
<filter-name>CAS Authentication Filter</filter-name>
<filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
<init-param>
<param-name>casServerLoginUrl</param-name>
<param-value>${cas.login.url}</param-value>
</init-param>
<init-param>
<param-name>ignorePattern</param-name>
<param-value>/proxy/</param-value>
</init-param>
<init-param>
<param-name>ignoreUrlPatternType</param-name>
<param-value>CONTAINS</param-value>
</init-param>
<async-supported>true</async-supported>
</filter>
<filter>
<filter-name>CAS Validation Filter</filter-name>
<filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
<init-param>
<param-name>casServerUrlPrefix</param-name>
<param-value>${cas.base.url}</param-value>
</init-param>
<async-supported>true</async-supported>
</filter>
<filter>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
<async-supported>true</async-supported>
</filter>
<filter-mapping>
<filter-name>CAS Authentication Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CAS Validation Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
Saml integration is similar, just use the SAML filters.
For more information on configuration options, please see java-cas-client
Off topic, why do you need to authenticate a API via CAS? It redirects you to that CAS login window, then it redirects you back. you cant use this API via postman or curl. Also an API doesn't store any session about the user, so this redirect dance happens every time. This is not how API's are secured. Web pages or web applications yes, but not API's.
In my lab I was asked to create a simple website using JSF framework and use REST as well. I did some research on those two. It turns out that for REST I have to use JAX-RS framework with Jersey. I was wondering how can I integrate these two frameworks, JAX-RS and JSF?
I've already the below servlet in web.xml for JSF:
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>/test/*</url-pattern>
</servlet-mapping>
For Jersey I figured that I have to use the below servlet in web.xml:
<servlet>
<servlet-name>Jersey REST Service</servlet-name>
<servlet-class>org.glassfish.jersey.servlet.ServletContainer</servlet-class>
<init-param>
<param-name>jersey.config.server.provider.packages</param-name>
<param-value>com.jbm.rest</param-value>
</init-param>
</servlet>
<servlet-mapping>
<servlet-name>Jersey REST Service</servlet-name>
<url-pattern>/api/*</url-pattern>
</servlet-mapping>
Now my concern is, to me it seems like this Jersey servlet will replace the Faces servlet in web.xml. This will change my application from JSF to JAX-RS. But I want to keep JSF and use JAX-RS as well. How can I do that?
This concern is unnecessary. You can safely have multiple servlets in a single web application, as long as their URL patterns do not clash with each other. Usually, if that were the case, a bit sane servlet container would already throw an exception during webapp's startup. In your case, you've registered the JSF servlet on /test/* (which is a strange, by the way, you usually use *.xhtml for that), and you've registered the JAX-RS servlet on /api/*. So you just have to call them using URLs matching those URL patterns.
And, to clear out a conceptual misunderstanding, you don't and can't "implement REST in JSF" at all. They are completely independent from each other. They can just easily run next each other in the same web application in all peace without knowing about each other. The only thing which they might share is the service layer or 'shared' (CDI) managed beans. But that's usually it. The design of the service layer is in turn independent from who's using it.
This specific problem is not related to JSF nor JAX-RS. It's just basic servlets. It might be as well worth the effort to take a step back to the basics and spend a bit time to learn more about the building stone of basically every Java EE web application.
You cannot directly have both in the same java class or layer.
I implemented it like below
|---> JSF Managed Beans(Inject logic here)
Database --> Daos --> Logic --|
|---> JAX-RS (Inject logic here)
Posting this for anyone trying to do this in XPages, there is a REST Control you can drop onto the page from the component library.
Like binding a ActionListener, you bind a java class to the component and set a url pattern.
See this note:
https://oliverbusse.notesx.net/hp.nsf/blogpost.xsp?documentId=2C4E
and sample app https://github.com/zeromancer1972/simplerest/blob/master/ODP/XPages/index.xsp
Inside a web application, I have 2 web services and 2 servlets. Some of these components are internal so we don't want to limit them but one client facing web services needs to be limited because it can crashes the server if too many clients call it. I have been trying to do it in the web.xml as you can see in the code below with no success unfortunately. The JSP servlet in dispatch properly to the right work manager but the sample web services is going to the default work manager.
<servlet>
<servlet-name>Normaljsp</servlet-name>
<jsp-file>normal.jsp</jsp-file>
<init-param>
<param-name>wl-dispatch-policy</param-name>
<param-value>WorkManager-Global</param-value>
</init-param>
</servlet>
<servlet>
<servlet-name>Sample</servlet-name>
<servlet-class>com.mk.sample.WebServiceSample</servlet-class>
<init-param>
<param-name>wl-dispatch-policy</param-name>
<param-value>WorkManager-Endpoints</param-value>
</init-param>
</servlet>
<servlet-mapping>
<servlet-name>Sample</servlet-name>
<url-pattern>sample</url-pattern>
</servlet-mapping>
How can I isolate this last sample web service with its own work manager ?
Thanks,
I have an application which exposes a RESTful API using RESTEasy. The user needs to authenticate using HTTP-Basic before any method can be invoked.
However, I want to add a method to the RESTful API which any user can invoke without authenticating. How do I do that? Is there some JAX-RS/RESTEasy annotation that I can add to the method declaration to indicate that authentication is optional for that method.
Thanks.
In your web.xml exclude REST paths, that does not need authentication
<security-constraint>
<web-resource-collection>
<web-resource-name>All Access</web-resource-name>
<url-pattern>/unchecked/*</url-pattern>
<http-method>DELETE</http-method>
<http-method>PUT</http-method>
<http-method>HEAD</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
Then your REST resource that does not need authentication should be something like
#Path("/unchecked")
public class NoAuthResource{
}