5 Securing RESTful Web Services and Clients

Oracle WebLogic Server fully supports the means to secure Jakarta EE web services that conform to the Representational State Transfer (REST) architectural style using the JAX-RS reference implementation (RI).

This chapter includes the following sections:

• About RESTful Web Service Security
  You can secure your RESTful web services so that they can support authentication, authorization, or encryption.
• Securing RESTful Web Services Using web.xml
  You secure RESTful web services using the web.xml deployment descriptor as you would for other Jakarta EE Web applications.
• Securing RESTful Web Services Using SecurityContext
  The jakarta.ws.rs.core.SecurityContext interface provides access to security-related information for a request.
• Securing RESTful Web Services Using Java Security Annotations
  The jakarta.annotation.security package provides annotations that you can use to secure your RESTful web services.

About RESTful Web Service Security

You can secure your RESTful web services so that they can support authentication, authorization, or encryption. You can use one of the following methods:

• Updating the web.xml deployment descriptor to access information about the authenticated users. See Securing RESTful Web Services Using web.xml.

• Using the jakarta.ws.rs.core.SecurityContext interface to access security-related information for a request. See Securing RESTful Web Services Using SecurityContext.

• Applying annotations to your JAX-RS classes. See Securing RESTful Web Services Using Java Security Annotations.

For information about developing RESTful web service clients using Oracle JDeveloper, see How to Attach Policies to RESTful Web Services and Clients in Developing Applications with Oracle JDeveloper.

Securing RESTful Web Services Using web.xml

You secure RESTful web services using the web.xml deployment descriptor as you would for other Jakarta EE Web applications. For complete details, see:

• Developing Secure Web Applications in Developing Applications with the WebLogic Security Service.

• Securing Web Applications in The Jakarta EE Tutorial .

For example, to secure your RESTful web service using basic authentication, perform the following steps:

1. Define a <security-constraint> for each set of RESTful resources (URIs) that you plan to protect.
2. Use the <login-config> element to define the type of authentication you want to use and the security realm to which the security constraints will be applied.
3. Define one or more security roles using the <security-role> tag and map them to the security constraints defined in step 1. See security-role in Developing Applications with the WebLogic Security Service.
4. To enable encryption, add the <user-data-constraint> element and set the <transport-guarantee> subelement to CONFIDENTIAL. See user-data-constraint in Developing Applications with the WebLogic Security Service.

Example 5-1 Securing RESTful Web Services Using Basic Authentication

The following example demonstrates how to secure a Jersey Jakarta RESTful Web Service using basic authentication.

<web-app>
    <servlet>
        <servlet-name>RestServlet</servlet-name>

        <servlet-class>org.glassfish.jersey.servlet.ServletContainer</servlet-class>

    </servlet>
    <servlet-mapping>
        <servlet-name>RestServlet</servlet-name>
        <url-pattern>/*</url-pattern>
    </servlet-mapping>
    <security-constraint>
         <web-resource-collection>
             <web-resource-name>Orders</web-resource-name>
             <url-pattern>/orders</url-pattern>
             <http-method>GET</http-method>
             <http-method>POST</http-method>
         </web-resource-collection>
         <auth-constraint>
             <role-name>admin</role-name> 
         </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>default</realm-name>
    </login-config>
    <security-role>
        <role-name>admin</role-name>
    </security-role>
</web-app>

Securing RESTful Web Services Using SecurityContext

The jakarta.ws.rs.core.SecurityContext interface provides access to security-related information for a request. The SecurityContext provides functionality similar to jakarta.servlet.http.HttpServletRequest, enabling you to access the following security-related information:

• java.security.Principal object containing the name of the user making the request.

• Authentication type used to secure the resource, such as BASIC_AUTH, FORM_AUTH, and CLIENT_CERT_AUTH.

• Whether the authenticated user is included in a particular role.

• Whether the request was made using a secure channel, such as HTTPS.

You access the SecurityContext by injecting an instance into a class field, setter method, or method parameter using the jakarta.ws.rs.core.Context annotation.

For more information, see the following topics in the Jakarta EE 9.1 Specification APIs:

• SecurityContext interface

• @Context annotation

Example 5-2 shows how to inject an instance of SecurityContext into the sc method parameter using the @Context annotation, and check whether the authorized user is included in the admin role before returning the response.

Example 5-2 Securing RESTful Web Service Using SecurityContext

package samples.helloworld;
 
import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.core.SecurityContext;
import jakarta.ws.rs.core.Context;

...

@Path("/stateless")
@Stateless(name = "JaxRSStatelessEJB")
public class StlsEJBApp {
...
        @GET
        @Produces("text/plain;charset=UTF-8")
        @Path("/hello")
        public String sayHello(@Context SecurityContext sc) {
                if (sc.isUserInRole("admin"))  return "Hello World!";
                throw new SecurityException("User is unauthorized.");
        }

Securing RESTful Web Services Using Java Security Annotations

The jakarta.annotation.security package provides annotations that you can use to secure your RESTful web services.These annotations are defined in Table 5-1.

Table 5-1 Annotations for Securing RESTful Web Services

Annotation	Description
@DenyAll	Specifies that no security roles are allowed to invoke the specified methods.
@PermitAll	Specifies that all security roles are allowed to invoke the specified methods.
@RolesAllowed	Specifies the list of security roles that are allowed to invoke the methods in the application.

Before you can use the annotations defined in Table 5-1, you must register the roles-allowed feature, as described in Securing JAX-RS resources with standard jakarta.annotation.security annotations in the Jersey 3.0.18 User Guide .

Example 5-3 shows how to define the security roles that are allowed, by default, to access the methods defined in the helloWorld class. The sayHello method is annotated with the @RolesAllows annotation to override the default and only allow users that belong to the ADMIN security role.

Example 5-3 Securing RESTful Web Service Using Java Security Annotations

package samples.helloworld;
 
import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.Produces;
import jakarta.annotation.Security.RolesAllowed;

 
@Path("/helloworld")
@RolesAllowed({"ADMIN", "ORG1"})
public class helloWorld {

   @GET
   @Path("sayHello")  
   @Produces("text/plain")
   @RolesAllows("ADMIN")
   public String sayHello() {
      return "Hello World!";
   }
}

See also:

• Specifying Authorized Users by Declaring Security Roles in The Jakarta EE Tutorial

• jakarta.annotation.security Javadoc