The IBM® runtime environment for Java™ API for RESTful Web Services (JAX-RS) is driven by a servlet derived from the Apache Wink project. Within the WebSphere® Application Server environment, the lifecycle of servlets is managed in the web container. Therefore, the security services offered by the web container are applicable to REST resources that are deployed in WebSphere Application Server.
About this task
You can define and add security constraints on the REST resources using the same tooling that is used to assemble REST applications. These constraints are captured in the J2EE web deployment descriptor that is associated with your application. The following list describes security definitions that you can include in the deployment descriptor:
- User authentication when invoking REST resources embodied in the application, including
  - HTTP basic authentication
  - Form login authentication
- Authorization control over REST resources as defined by the URL patterns for the resources
- Use of SSL for transport when invoking REST resources
- Programmatic use of the SecurityContext object to determine user identity and roles
All the security mechanisms supported by the web container are applicable to REST resources, including the use of the Kerberos-based SPNEGO authentication mechanism.
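As an added example (not taken from the IBM documentation), the following web.xml fragment expresses each of the definitions listed above: the IBM JAX-RS servlet mapped under /rest/*, HTTP basic authentication, an authorization constraint that limits /rest/orders/* to the customer and clerk roles, and a CONFIDENTIAL transport guarantee so those resources are reachable only over SSL. The context root, URL patterns, role names and the example.BookStoreApplication value of the javax.ws.rs.Application init-param are constructed for this example; com.ibm.websphere.jaxrs.server.IBMRestServlet is the class name WebSphere uses for its JAX-RS servlet and is assumed here rather than taken from this page.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">

  <!-- The IBM JAX-RS servlet; the init-param names the Application subclass (constructed name). -->
  <servlet>
    <servlet-name>BookStoreRest</servlet-name>
    <servlet-class>com.ibm.websphere.jaxrs.server.IBMRestServlet</servlet-class>
    <init-param>
      <param-name>javax.ws.rs.Application</param-name>
      <param-value>example.BookStoreApplication</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>BookStoreRest</servlet-name>
    <url-pattern>/rest/*</url-pattern>
  </servlet-mapping>

  <!-- Authorization control by URL pattern: only these roles may reach order resources.
       No http-method elements are listed on purpose: listing some verbs would constrain
       only those verbs, while omitting them covers every HTTP method for the pattern. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Orders</web-resource-name>
      <url-pattern>/rest/orders/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>customer</role-name>
      <role-name>clerk</role-name>
    </auth-constraint>
    <!-- Transport security: the web container refuses plain HTTP for this pattern. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- User authentication: HTTP basic. FORM plus a form-login-config element is the alternative. -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>BookStore</realm-name>
  </login-config>

  <!-- Roles must be declared here so they can be mapped to users, groups, or special
       subjects in the administrative console after deployment. -->
  <security-role>
    <role-name>customer</role-name>
  </security-role>
  <security-role>
    <role-name>clerk</role-name>
  </security-role>
</web-app>
```

A quick check after deployment: a request to /rest/orders/1001 without credentials should be answered with a 401 carrying a WWW-Authenticate header for the BookStore realm, and the same request over plain HTTP should be redirected to the SSL port before any credential is accepted.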
Procedure
- Configure the development environment.
  Before you start developing JAX-RS applications, you must set up your development environment by adding the JAX-RS libraries to the classpath.
- Define the resources in JAX-RS web applications.
  Resources are the basic building blocks of a RESTful service. Resources can contain static or dynamically updated data. Examples of resources from an online book store application include a book, an order from a store, and a collection of users. By identifying the resources in your application, you can make the service more useful and easier to develop.
- Configure the JAX-RS application.
  You can configure JAX-RS applications in multiple ways depending on your needs. To take advantage of the Java Platform, Enterprise Edition (Java EE) 6 functionality, you can use the annotation scanning capabilities. By using annotation scanning, you can omit a JAX-RS javax.ws.rs.core.Application subclass or have a minimally defined javax.ws.rs.core.Application subclass. Alternatively, you can specify the IBM JAX-RS servlet or filter if you want to use the functionality available in the IBM JAX-RS servlet and filter.
  Using one of the JAX-RS Version 1.1 configuration methods, you can omit a javax.ws.rs.core.Application subclass from your application, or have a javax.ws.rs.core.Application subclass that returns an empty set of classes, which tells the JAX-RS runtime environment to find and use all the JAX-RS classes in the application. You might want to use this method when you do not want to manually add every relevant JAX-RS class to a javax.ws.rs.core.Application subclass as you develop the application.
  By specifying the IBM JAX-RS servlet or filter explicitly, you can take advantage of, and rely on, the specific IBM JAX-RS behavior. For example, using the IBM JAX-RS filter can be helpful in developing a web application with a mix of JAX-RS resources and JavaServer Pages (JSP) files that share the same URL patterns.
  Even though there is a JAX-RS V1.1 configuration method that supports the use of an optional web.xml file, if you want to specify security constraints or roles, or you want to take advantage of other features enabled using a web.xml file, you must specify the information in a web.xml file.
  Choose one of the following three methods to configure your JAX-RS application:
  - Configure JAX-RS applications using JAX-RS 1.1 methods
    Use this method if you want to use the annotation scanning capabilities or the JAX-RS 1.1 configuration methods. You can use the annotation scanning capabilities to promote application portability, to minimize the amount of configuration code, or to dynamically modify the application without changes to the application code.
  - Configure the web.xml file for JAX-RS servlets
    Use this method if you want to specify features that are enabled using servlet initialization parameters to change the behavior, and to ensure that the IBM JAX-RS servlet is the servlet that is used. When using servlets, you can define a servlet path in the web.xml file that is appended to the base URL.
  - Configure the web.xml file for JAX-RS filters
    Use this method if you want to use the filter when you have JSPs, other servlets and filters, and JAX-RS resources with a mix of URL patterns. You can configure the web.xml file to define filters that indicate the possible URLs on which the filter can be invoked.
- Secure JAX-RS applications within the web container.
  Using the security services available to the web container, you can secure REST resources by configuring security mechanisms that define user authentication, transport security, authorization control, and user-to-role mappings.
- Secure JAX-RS resources using annotations.
  You can secure JAX-RS resources by using annotations that specify security settings. You can use the @PermitAll, @DenyAll, and @RolesAllowed annotations to override the configuration of security constraints defined in the web.xml file.
- (optional) Secure downstream JAX-RS resources.
  You can secure downstream JAX-RS resources by configuring the BasicAuth method for authentication and by using the LTPA JAX-RS security handler to take advantage of single sign-on for user authentication.
- (optional) Secure JAX-RS clients using SSL.
  You can secure the communications between your JAX-RS application and the clients that invoke it by using Secure Sockets Layer (SSL) transport layer security.
- Assemble JAX-RS web applications.
  After you develop the Java class files for your JAX-RS web application and edit the web.xml file to enable the JAX-RS servlet, you are ready to assemble the application. Assemble the web application into a web application archive (WAR) package. You can assemble the WAR package into an enterprise archive (EAR) package, if required.
- Deploy JAX-RS web applications.
  After you have assembled your JAX-RS web application, you need to deploy your web archive (WAR) package or the enterprise archive (EAR) package onto the application server.
- Administer the secure JAX-RS application.
  After you have implemented security mechanisms such as HTTP basic authentication or role-based authorization constraints on your REST resources, you can use the administrative console to administer your JAX-RS applications by mapping defined roles to users, groups, or special subjects.
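The following Java class is an added example, not code from the IBM documentation, that ties together three of the steps above: a javax.ws.rs.core.Application subclass that lists its resource classes explicitly (the alternative to returning an empty set and letting the runtime scan), the @PermitAll, @RolesAllowed and @DenyAll annotations on resource methods, and programmatic use of the injected SecurityContext to read the caller's identity and roles. The package name example, the order data, the role names customer and clerk, and the URL paths are constructed for the example; the role names must still be declared as security-role entries in web.xml so that they can be mapped in the administrative console.

```java
package example; // hypothetical package for this example

import java.security.Principal;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.DELETE;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Application;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;

// Application subclass that names its resource classes explicitly. Returning an
// empty set instead would ask the runtime to scan the archive for JAX-RS classes;
// listing them keeps the exposed surface deliberate.
public class BookStoreApplication extends Application {

    @Override
    public Set<Class<?>> getClasses() {
        Set<Class<?>> classes = new HashSet<Class<?>>();
        classes.add(OrderResource.class);
        return classes;
    }

    // Order resource; its path sits under the servlet mapping, e.g. /rest/orders.
    @Path("/orders")
    public static class OrderResource {

        // Constructed sample data: order id -> owning user name.
        private static final Map<String, String> ORDER_OWNERS = new HashMap<String, String>();
        static {
            ORDER_OWNERS.put("1001", "alice");
            ORDER_OWNERS.put("1002", "bob");
        }

        // The web container injects the security context of the current request.
        @Context
        private SecurityContext securityContext;

        // Open to every caller; overrides any web.xml constraint on this URL.
        @GET
        @Path("/count")
        @Produces("text/plain")
        @PermitAll
        public String count() {
            return Integer.toString(ORDER_OWNERS.size());
        }

        // Only authenticated callers in one of these roles reach the method body.
        @GET
        @Path("/{id}")
        @Produces("text/plain")
        @RolesAllowed({ "customer", "clerk" })
        public Response get(@PathParam("id") String id) {
            Principal caller = securityContext.getUserPrincipal();
            if (caller == null) {
                // Defense in depth: unreachable when @RolesAllowed is enforced, but
                // fail closed if the container did not authenticate the caller.
                return Response.status(Response.Status.UNAUTHORIZED).build();
            }
            if (!securityContext.isSecure()) {
                // Order data should not travel over a plain HTTP connection.
                return Response.status(Response.Status.FORBIDDEN).build();
            }
            String owner = ORDER_OWNERS.get(id);
            if (owner == null) {
                return Response.status(Response.Status.NOT_FOUND).build();
            }
            // Role check plus object-level check: a customer sees only their own
            // orders, a clerk may see any order.
            boolean clerk = securityContext.isUserInRole("clerk");
            if (!clerk && !owner.equals(caller.getName())) {
                return Response.status(Response.Status.FORBIDDEN).build();
            }
            return Response.ok("order " + id + " owned by " + owner
                    + " (viewed by " + caller.getName() + " via "
                    + securityContext.getAuthenticationScheme() + ")").build();
        }

        // Blocked for every caller, regardless of what web.xml allows for the URL.
        @DELETE
        @Path("/{id}")
        @DenyAll
        public Response delete(@PathParam("id") String id) {
            return Response.status(Response.Status.FORBIDDEN).build();
        }
    }
}
```

The object-level check in get() is the part the web container cannot do for you: a security-constraint or @RolesAllowed decides whether a customer may call the URL at all, but only the resource code knows whether order 1002 belongs to the caller, so the role check and the ownership check are both needed.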
Results
You have developed and deployed a secure JAX-RS web application
on the application server. You can also use the administrative console
to administer your secure JAX-RS application.