This chapter describes how to secure WebLogic Web services that conform to the Representational State Transfer (REST) architectural style using Java API for RESTful Web Services (JAX-RS).
This chapter includes the following sections:
You can secure your RESTful Web services using one of the following methods to support authentication, authorization, or encryption:
Updating the web.xml deployment descriptor to define security configuration. See Securing RESTful Web Services Using web.xml.
Using the javax.ws.rs.core.SecurityContext interface to implement security programmatically. See Securing RESTful Web Services Using SecurityContext.
Applying annotations to your JAX-RS classes. See Securing RESTful Web Services Using Annotations..
Using Jersey OAuth libraries to sign and verify requests. For more information about using and installing the OAuth libraries, see the Jersey and OAuth wiki at: https://wikis.oracle.com/display/Jersey/OAuth
You secure RESTful Web services using the web.xml deployment descriptor as you would for other Java EE Web applications. For complete details, see "Developing Secure Web Applications" in Programming Security for Oracle WebLogic Server.
For example, to secure your RESTful Web service using basic authentication, perform the following steps:
Define a <security-constraint> for each set of RESTful resources (URIs) that you plan to protect.
Use the <login-config> element to define the type of authentication you want to use and the security realm to which the security constraints will be applied.
Define one or more security roles using the <security-role> tag and map them to the security constraints defined in step 1. For more information, see "security-role" in Programming Security for Oracle WebLogic Server.
To enable encryption, add the <user-data-constraint> element and set the <transport-guarantee> subelement to CONFIDENTIAL. For more information, see "user-data-constraint" in Programming Security for Oracle WebLogic Server.
For more details,
Example 5-1 Securing RESTful Web Services Using Basic Authentication
<web-app>
<servlet>
<servlet-name>RestServlet</servlet-name>
<servlet-class>com.sun.jersey.spi.container.servlet.ServletContainer</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>RestServlet</servlet-name>
<url-pattern>/*</url-pattern>
</servlet-mapping>
<security-constraint>
<web-resource-collection>
<web-resource-name>Orders</web-resource-name>
<url-pattern>/orders</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>default</realm-name>
</login-config>
<security-role>
<role-name>admin</role-name>
</security-role>
</web-app>
The javax.ws.rs.core.SecurityContext interface provides access to security-related information for a request. The SecurityContext provides functionality similar to javax.servlet.http.HttpServletRequest, enabling you to access the following security-related information:
java.security.Principal object containing the name of the user making the request.
Authentication type used to secure the resource, such as BASIC_AUTH, FORM_AUTH, and CLIENT_CERT_AUTH.
Whether the authenticated user is included in a particular role.
Whether the request was made using a secure channel, such as HTTPS.
You access the SecurityContext by injecting an instance into a class field, setter method, or method parameter using the javax.ws.rs.core.Context annotation.
For more information, see the Javadoc at:
SecurityContext interface: http://docs.oracle.com/javaee/6/api/index.html?javax/ws/rs/core/SecurityContext.html
@Context annotation: http://docs.oracle.com/javaee/6/api/index.html?javax/ws/rs/core/Context.html
Figure 5-0 shows how to inject an instance of SecurityContext into the sc method parameter using the @Context annotation, and check whether the authorized user is included in the admin role before returning the response.
Example 5-2 Securing RESTful Web Service Using SecurityContext
package samples.helloworld; import javax.ws.rs.GET; import javax.ws.rs.Path; import javax.ws.rs.Produces; import javax.ws.rs.core.SecurityContext; import javax.ws.rs.core.Context; ... @Path("/stateless") @Stateless(name = "JaxRSStatelessEJB") public class StlsEJBApp { ... @GET @Produces("text/plain;charset=UTF-8") @Path("/hello") public String sayHello(@Context SecurityContext sc) { if (sc.isUserInRole("admin")) return "Hello World!"; throw new SecurityException("User is unauthorized."); }
The javax.annotation.security package provides annotations, defined in Table 5-1, that you can use to secure your RESTful Web services. For more information, see the Javadoc at: http://docs.oracle.com/javaee/6/api/index.html?javax/annotation/security/package-summary.html.
Table 5-1 Annotations for Securing RESTful Web Services
| Annotation | Description |
|---|---|
|
|
Declares roles. |
|
|
Specifies that no security roles are allowed to invoke the specified methods. |
|
|
Specifies that all security roles are allowed to invoke the specified methods. |
|
|
Specifies the list of security roles that are allowed to invoke the methods in the application. |
|
|
Defines the identity of the application during execution in a J2EE container. |
Figure 5-0 shows how to define the security roles that are allowed, by default, to access the methods defined in the helloWorld class. The sayHello method is annotated with the @RolesAllows annotation to override the default and only allow users that belong to the ADMIN security role.
Example 5-3 Securing RESTful Web Service Using SecurityContext
package samples.helloworld; import javax.ws.rs.GET; import javax.ws.rs.Path; import javax.ws.rs.Produces; import javax.annotation.Security.RolesAllowed; @Path("/helloworld") @RolesAllowed({"ADMIN", "ORG1"}) public class helloWorld { @GET @Path("sayHello") @Produces("text/plain") @RolesAllows("ADMIN") public String sayHello() { return "Hello World!"; } }