
Custom SecurityContext in JAX-RS


An article about how to override the default security-related information associated with a JAX-RS request using a custom SecurityContext.


And the JAX-RS juggernaut continues ….

This article briefly talks about how to override the default security-related information associated with a JAX-RS request (i.e., how to mess with the SecurityContext).

Wait... SecurityContext?

Think of it as a JAX-RS abstraction over HttpServletRequest for security-related information only. This can be used for:

  • figuring out how the caller was authenticated
  • extracting authenticated Principal info
  • role membership confirmation (programmatic authorization)
  • and whether or not the request was initiated securely (over HTTPS)

OK, but why would I need a custom implementation?

It helps when you have a custom authentication mechanism not implemented using the standard Java EE security realm:

  • your web container will not be aware of the authentication details
  • as a result, the SecurityContext instance will not contain the subject, role, or other details (mentioned above)
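  • a typical example is token-based authentication, based on custom (app-specific) HTTP headers

import java.io.IOException;
import javax.ws.rs.container.*;
import javax.ws.rs.core.Response;
public class JWTAuthFilter implements ContainerRequestFilter {
    public void filter(ContainerRequestContext requestContext) throws IOException {
        String authHeaderVal = requestContext.getHeaderString("Authorization");
        // a missing or malformed header is rejected instead of being left to throw
        if (authHeaderVal == null || authHeaderVal.split(" ").length != 2) {
            requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
            return;
        }
        try { // consume JWT, i.e. execute signature validation (validate() is application code)
            validate(authHeaderVal.split(" ")[1]);
        } catch (InvalidJwtException ex) {
            requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
        }
    }
}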

Your RESTful application would definitely want to make use of the authenticated caller. The JAX-RS request pipeline needs to be aware of the associated ‘security context’ and make use of it within its business logic.

How to…

SecurityContext is an interface after all...

  • just implement it
  • then inject it (using @Context) and use it in your resource methods

import java.io.IOException;
import java.security.Principal;
import java.util.List;
import javax.ws.rs.container.*;
import javax.ws.rs.core.*;

public class AuthFilterWithCustomSecurityContext implements ContainerRequestFilter {
    @Context
    UriInfo uriInfo; // injected by the JAX-RS runtime; null without @Context

    public void filter(ContainerRequestContext requestContext) throws IOException {
        String authHeaderVal = requestContext.getHeaderString("Auth-Token");
        String subject = validateToken(authHeaderVal); //execute custom authentication
        if (subject != null) {
            final SecurityContext securityContext = requestContext.getSecurityContext();
            requestContext.setSecurityContext(new SecurityContext() {
                public Principal getUserPrincipal() {
                    return new Principal() {
                        public String getName() {
                            return subject;
                        }
                    };
                }

                public boolean isUserInRole(String role) {
                    // findUserRoles() is application code, assumed here to return role
                    // names; a List<Role> could never contain a String
                    List<String> roles = findUserRoles(subject);
                    return roles.contains(role);
                }

                public boolean isSecure() {
                    return uriInfo.getAbsolutePath().toString().startsWith("https");
                }

                public String getAuthenticationScheme() {
                    return "Token-Based-Auth-Scheme";
                }
            });
        }
        // no valid token: the request continues with the container's default SecurityContext
    }
}
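
The last step above (inject the context and use it in a resource method), shown as an added example that is not code from the original article. The resource class, its path, the "admin" role and the response text are hypothetical; the SecurityContext it receives is whatever the filter above installed.

```java
import java.security.Principal;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;

// Hypothetical resource: the path, the "admin" role and the response text are assumptions.
@Path("orders")
public class OrderResource {

    @GET
    @Path("{owner}")
    @Produces(MediaType.TEXT_PLAIN)
    public Response list(@PathParam("owner") String owner, @Context SecurityContext sc) {
        // If the filter did not install its context (no valid token), the container's
        // default context is in place; without container-managed authentication it
        // has no principal, so the request is treated as unauthenticated.
        Principal caller = sc.getUserPrincipal();
        if (caller == null) {
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }
        // Refuse tokens that arrived over plain HTTP.
        if (!sc.isSecure()) {
            return Response.status(Response.Status.FORBIDDEN).entity("HTTPS required").build();
        }
        // Programmatic authorization: callers may read their own orders,
        // anyone else needs the role reported by isUserInRole().
        boolean ownData = caller.getName().equals(owner);
        if (!ownData && !sc.isUserInRole("admin")) {
            return Response.status(Response.Status.FORBIDDEN).build();
        }
        String body = "orders of " + owner + " requested by " + caller.getName()
                + " (" + sc.getAuthenticationScheme() + ")";
        return Response.ok(body).build();
    }
}
```

Because the filter leaves the request untouched when token validation fails, the null-principal check in the resource method is what keeps unauthenticated callers out.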




Published at DZone with permission of Abhishek Gupta, DZone MVB. See the original article here.
