Using javax.announcement.security.RolesAllowed Annotations

Asked 1 years ago, Updated 1 years ago, 93 views

Prerequisites/What you want to achieve


in JAX-RS in a JavaEE6 compliant environment javax.announcement.security.RolesAllowedAnnotation
I want to achieve the authorization function, but I don't know how to do it.

I wish I could use @RolesAllowed with the following image.

For example, in books and on the web, there are codes such as:

@Path("/")
@ PermitAll
public class Resource {
    @ RolesAllowed ("user")
    @ GET
    public String get() {return "GET";}
}


Describe this @RolesAllowed("user") setting in the Web.xml It says something like this, but I don't really know how to use it.

Apply by parameters passed on access and HTTP headers I think the role will change, but I don't know why it's written on Web.xml.
I don't understand.

java rest java-ee jax-rs servlet

2022-09-30 19:22

1 Answers

Why write on web.xml

As for the 1 and 2 mentioned in the above usage preferences, this is a function provided by the container side.
The container cannot understand what to do unless the settings are written on the web.xml, so
It must be written in web.xml.

Now, what should I write on web.xml?
Write which roles are allowed for access to a particular URL.
For example: 

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Web Resource</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>Administrator</role-name>
        <role-name>User</role-name>
    </auth-constraint>
</security-constraint>

In this example, the URL of all GET requests is allowed only for the Administrator, User role.Thus, the application of the role is not switched by parameters, etc.
It is sorted by URL and HTTP method.

Also, this setting alone does not take the action of retrieving roles from DB without permission, so
The container side needs to be configured.
If you explain it here, it will be longer, so please search GlassFish JdbcRealm or WildFly JdbcRealm.You will find a site that explains how to configure each container.

@Configure RolesAllowed to recognize

@RolesAllowed is recognized, but this depends on the implementation of JAX-RS.
Jersey, one of the implementations of JAX-RS, requires the following configuration:

<servlet>
    <servlet-name>ServletContainer</servlet-name>
    <servlet-class>com.sun.jersey.spi.container.servlet.ServletContainer</servlet-class>
    <!--Required for @RolesAllowed -->
    <init-param>
      <param-name>com.sun.jersey.spi.container.ResourceFilters</param-name>
      <param-value>com.sun.jersey.api.container.filter.RolesAllowedResourceFilterFactory</param-value>
    </init-param>
  </servlet>

Another implementation, RESTEasy, requires the following settings for web.xml:

<context-param>
    <param-name>resteasy.role.based.security</param-name>
    <param-value>true</param-value>
</context-param>

This is how JavaEE security can be achieved only by configuration without implementing it yourself.

2022-09-30 19:22

If you have any answers or tips

Popular Tags
python x 4647
android x 1593
java x 1494
javascript x 1427
c x 927
c++ x 878
ruby-on-rails x 696
php x 692
python3 x 685
html x 656
Popular Questions

518 Unable to install versioned in Google Colab

522 Who developed the "avformat-59.dll" that comes with FFmpeg?

519 Scrap text information after the "View More" button when searching in the Yahoo! News search window

503 Understanding How to Configure Google API Key

494 No exact matches in call to instance method 'append'

© 2024 OneMinuteCode. All rights reserved.