The IBM® runtime environment for Java API for RESTful Web Services (JAX-RS) is driven by a servlet derived from the Apache Wink project. Within the WebSphere® Application Server environment, the lifecycle of servlets is managed in the web container. Therefore, the security services offered by the web container are applicable to REST resources that are deployed in WebSphere Application Server.
About this task
You can define and add security constraints on the REST resources using the same tooling that is used to assemble REST applications. These constraints are captured in the J2EE web deployment descriptor that is associated with your application. The following list describes security definitions that you can include in the deployment descriptor:
- User authentication when invoking REST resources embodied in the application, including
  - HTTP basic authentication
  - Form login authentication
- Authorization control over REST resources as defined by the URL patterns for the resources
- Use of SSL for transport when invoking REST resources
- Programmatic use of the SecurityContext object to determine user identity and roles
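The following web deployment descriptor fragment is an added illustration of the first three definitions above; it is not taken from the IBM documentation or the Apache Wink project. It assumes that the REST resources are mapped under the URL pattern /rest/* and that the application declares a role named restuser.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <!-- Added example web.xml fragment (not from the original page).
       Assumed: REST resources are served under /rest/*, role name "restuser". -->

  <!-- Authorization by URL pattern: only callers in role "restuser"
       may reach /rest/*. No <http-method> elements are listed on purpose:
       naming some methods leaves every unlisted method unconstrained,
       so omitting them applies the constraint to all HTTP methods. -->
  <security-constraint>
    <display-name>Protect REST resources</display-name>
    <web-resource-collection>
      <web-resource-name>REST resources</web-resource-name>
      <url-pattern>/rest/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>restuser</role-name>
    </auth-constraint>
    <!-- SSL for transport: CONFIDENTIAL makes the web container require
         HTTPS for the matched URLs (it redirects plain HTTP requests). -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- User authentication: HTTP basic. For form login, use
       <auth-method>FORM</auth-method> together with a <form-login-config>
       element that names the login and error pages. -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>REST realm</realm-name>
  </login-config>

  <!-- Declare the role so it can be mapped to users or groups at
       deployment time and queried through SecurityContext.isUserInRole(). -->
  <security-role>
    <role-name>restuser</role-name>
  </security-role>
</web-app>
```

Once this is deployed, an unauthenticated request to /rest/* receives a 401 challenge from the web container before any JAX-RS resource method runs, and a request over plain HTTP is redirected to HTTPS.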
All the security mechanisms supported by the web container are applicable to REST resources, including the use of the Kerberos-based SPNEGO authentication mechanism.