/ Java Zone
Over a million developers have joined DZone.
{{announcement.body}}
{{announcement.title}}

Custom SecurityContext in JAX-RS

DZone's Guide to

Custom SecurityContext in JAX-RS

An article about how to override the default security-related information associated with a JAX-RS request using a custom SecurityContext.

by
·
May. 03, 16 · Java Zone ·
Free Resource

Comment (0)

Save
Tweet
{{ articles[0].views | formatCount}} Views

The CMS developers love. Open Source, API-first and Enterprise-grade. Try BloomReach CMS for free.

And the JAX-RS juggernaut continues ….

This article briefly talks about how to override the default security-related information associated with a JAX-RS request (i.e., how to mess with the SecurityContext).

Wait... SecurityContext?

Think of it as a JAX-RS abstraction over HTTPServletRequest for security-related information only. This can be used for:

  • figuring out how the caller was authenticated
  • extracting authenticated Principal info
  • role membership confirmation (programmatic authorization)
  • and whether or not the request was initiated securely (over HTTPS)

OK, but why would I need a custom implementation?

It helps when you have a custom authentication mechanism not implemented using the standard Java EE security realm:

  • your web container will not be aware of the authentication details
  • as a result, the SecurityContext instance will not contain the subject, role, or other details (mentioned above)
  • a typical example is token-based authentication, based on custom (app-specific) HTTP headers
@Priority(Priorities.AUTHENTICATION)
public class JWTAuthFilter implements ContainerRequestFilter{
  @Override
  public void filter(ContainerRequestContext requestContext) throws IOException {
        String authHeaderVal = requestContext.getHeaderString("Authorization");

            //consume JWT i.e. execute signature validation
            if(authHeaderVal.startsWith("Bearer")){
            try {
                validate(authHeaderVal.split(" ")[1]);
            } catch (InvalidJwtException ex) {
                requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
            }
            }else{
                requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
            }
  }


Your RESTful application would definitely want to make use of the authenticated caller. The JAX-RS request pipeline needs to be aware of the associated ‘security context’ and make use of it within its business logic

How to…

SecurityContext is an interface after all...

  • just implement it
  • then inject it (using @Context) and use it in your resource methods
@Priority(Priorities.AUTHENTICATION)
public class AuthFilterWithCustomSecurityContext implements ContainerRequestFilter {
    @Context
    UriInfo uriInfo;

    @Override
    public void filter(ContainerRequestContext requestContext) throws IOException {
        String authHeaderVal = requestContext.getHeaderString("Auth-Token");
        String subject = validateToken(authHeaderVal); //execute custom authentication
        if (subject!=null) {
            final SecurityContext securityContext = requestContext.getSecurityContext();
            requestContext.setSecurityContext(new SecurityContext() {
                        @Override
                        public Principal getUserPrincipal() {
                            return new Principal() {
                                @Override
                                public String getName() {
                                    return subject;
                                }
                            };
                        }

                        @Override
                        public boolean isUserInRole(String role) {
                            List<Role> roles = findUserRoles(subject);
                            return roles.contains(role);
                        }

                        @Override
                        public boolean isSecure() {
                            return uriInfo.getAbsolutePath().toString().startsWith("https");
                        }

                        @Override
                        public String getAuthenticationScheme() {
                            return "Token-Based-Auth-Scheme";
                        }
                    });
        }

    }
}


Cheers!

BloomReach CMS: the API-first CMS of the future. Open-source & enterprise-grade. - As a Java developer, you will feel at home using Maven builds and your favorite IDE (e.g. Eclipse or IntelliJ) and continuous integration server (e.g. Jenkins). Manage your Java objects using Spring Framework, write your templates in JSP or Freemarker. Try for free.

Like This Article? Read More From DZone

Efficient JAX-RS: Conditional Gets & Puts
Binding Strategies for JAX-RS Filters and Interceptors
Content Negotiation in JAX-RS 2.0

Free DZone Refcard

Java Containerization
DOWNLOAD
Topics:
java ,javaee ,jax rs ,rest ,security

Comment (0)

Save
Tweet
{{ articles[0].views | formatCount}} Views

Published at DZone with permission of

Opinions expressed by DZone contributors are their own.

Java Partner Resources

jQuery UI and Auto-Complete Address Entry
Learn more about Kotlin
Microservices for Java Developers: A Hands-On Introduction to Frameworks & Containers
Modern Java EE Design Patterns: Building Scalable Architecture for Sustainable Enterprise Development
Distribute microservices between the private and public clusters, yet maintain bi-directional connectivity
Use this tool to look at the contents of GitHub and classify code based on the programming language used
Data APIs for Developers
The API for Software: Develop the Delivery You Want
Free tool: Scan Java, NuGet, and NPM packages for open source vulnerabilities
How to use Single Page Applications with a Java CMS
Java Ecosystem 2018 Infographic by JetBrains
Deep insight into your code with IntelliJ IDEA.

Java Partner Resources

jQuery UI and Auto-Complete Address Entry
Learn more about Kotlin
Microservices for Java Developers: A Hands-On Introduction to Frameworks & Containers
Modern Java EE Design Patterns: Building Scalable Architecture for Sustainable Enterprise Development

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.linkDescription }}

{{ parent.urlSource.name }}
by {{ parent.authors[0].realName || parent.author}}
· {{ parent.articleDate | date:'MMM. dd, yyyy' }} {{ parent.linkDate | date:'MMM. dd, yyyy' }}
· {{ parent.portal.name }} Zone