Tuesday, August 5, 2014

JavaEE REST JAX-RS with Spring Security

Java EE REST JAX-RS with Spring Security


If you are using a JavaEE application server like Jboss, WildFly, GlassFish you get JAX-RS , JPA etc runtimes for 'free', if using Tomcat, Jetty etc, you might as well use the full Spring stack.
I tested on Jboss EAP 6.11, 7, WildFly and Glassfish.






/WEB-INF/applicationContext.xml Spring context file.
 <?xml version='1.0' encoding='UTF-8' ?>  
 <!-- was: <?xml version="1.0" encoding="UTF-8"?> -->  
 <beans xmlns="http://www.springframework.org/schema/beans"  
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"  
     xmlns:security="http://www.springframework.org/schema/security"  
     xmlns:p="http://www.springframework.org/schema/p"  
     xmlns:aop="http://www.springframework.org/schema/aop"  
     xmlns:tx="http://www.springframework.org/schema/tx"  
     xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.0.xsd  
     http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-4.0.xsd  
     http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.0.xsd  
     http://www.springframework.org/schema/security  
     http://www.springframework.org/schema/security/spring-security.xsd">  
   <!--bean id="propertyConfigurer"  
      class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"  
      p:location="/WEB-INF/jdbc.properties" />  
   <bean id="dataSource"  
   class="org.springframework.jdbc.datasource.DriverManagerDataSource"  
   p:driverClassName="${jdbc.driverClassName}"  
   p:url="${jdbc.url}"  
   p:username="${jdbc.username}"  
   p:password="${jdbc.password}" /-->  
   <!-- ADD PERSISTENCE SUPPORT HERE (jpa, hibernate, etc) -->  
   <!--basic login security-->  
   <security:http>  
     <security:intercept-url pattern="/**" access="ROLE_USER" />  
     <security:form-login />  
     <security:logout />  
   </security:http>  
   <!--example from spring.io security reference-->  
   <security:authentication-manager>  
     <security:authentication-provider>  
       <security:user-service>  
         <security:user name="jimi" password="jimispassword" authorities="ROLE_USER, ROLE_ADMIN" />  
         <security:user name="bob" password="bobspassword" authorities="ROLE_USER" />  
       </security:user-service>  
     </security:authentication-provider>  
   </security:authentication-manager>  
   <!--secures all methods-->  
   <security:global-method-security secured-annotations="enabled" />  
 </beans>  



The web.xml


 <?xml version="1.0" encoding="UTF-8"?>  
 <web-app version="3.1" xmlns="http://xmlns.jcp.org/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd">  
   <context-param>  
     <param-name>contextConfigLocation</param-name>  
     <param-value>/WEB-INF/applicationContext.xml</param-value>  
   </context-param>  
   <listener>  
     <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>  
   </listener>  
   <filter>  
    <filter-name>springSecurityFilterChain</filter-name>  
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>  
   </filter>  
   <filter-mapping>  
    <filter-name>springSecurityFilterChain</filter-name>  
    <url-pattern>/*</url-pattern>  
   </filter-mapping>  
   <session-config>  
     <session-timeout>  
       30  
     </session-timeout>  
   </session-config>  
   <welcome-file-list>  
     <welcome-file>redirect.jsp</welcome-file>  
   </welcome-file-list>  
 </web-app>  


The jax-rs path secured with annotation.


1:   @Secured("ROLE_ADMIN")  
2:    @GET  
3:    @Override  
4:    @Produces({ "application/json"})  
5:    public List<Customer> findAll() {  
6:      Authentication authentication = SecurityContextHolder.getContext().getAuthentication();  
7:      Object principal = authentication.getPrincipal();  
8:      if(principal instanceof User)  
9:        System.err.println("principal: " + ((User)principal).getUsername());  
10:      else  
11:        System.err.println("instance"+ principal.getClass().getTypeName());  
12:      System.err.println("roles :" + authentication.getAuthorities());  
13:      return super.findAll();  
14:    }  


Dependencies for spring security -


     <dependency>  
       <groupId>org.springframework</groupId>  
       <artifactId>spring-context</artifactId>  
       <version>4.0.6.RELEASE</version>  
     </dependency>  
     <dependency>  
       <groupId>org.springframework</groupId>  
       <artifactId>spring-context-support</artifactId>  
       <version>4.0.6.RELEASE</version>  
     </dependency>   
     <dependency>  
       <groupId>org.springframework.security</groupId>  
       <artifactId>spring-security-config</artifactId>  
       <version>3.2.4.RELEASE</version>  
     </dependency>  
     <dependency>  
       <groupId>org.springframework.security</groupId>  
       <artifactId>spring-security-core</artifactId>  
       <version>3.2.4.RELEASE</version>  
     </dependency>        
     <dependency>  
       <groupId>org.springframework.security</groupId>  
       <artifactId>spring-security-web</artifactId>  
       <version>3.2.4.RELEASE</version>  
     </dependency>