JEE Webservice basic auth security check with Glassfish

No @RolesAllowed available for Webservices

The JEE specification is growing into a nice and easy-to-use specification, but some features, such as securing Web services with @RolesAllowed, are not good enough yet. To be more precise: @RolesAllowed is only enforced on EJBs. A plain Web service (a servlet-based JAX-WS endpoint that does not double as an EJB) gets no role enforcement from that annotation, even as of Servlet 3.0; only the coarse URL-based security constraints of web.xml apply to it.

After much reading on this subject, I have come to the conclusion that a pragmatic solution is required. My solution is to inspect the principals of the logged-in user and check myself whether the user is allowed to continue. Alternatively, you can define the Web service as an EJB, where the container enforces @RolesAllowed for you.

My setup

GlassFish 3
JEE (Java EE 6)
Basic authentication, configured in the JEE project (web.xml) and on the GlassFish server through a JDBC realm

My @RolesAllowed / isUserInRole solution

Of course an annotation could be built around the check below, but that I leave to others to implement. Note that the check compares the name of every principal in the caller's Subject. In GlassFish the Subject holds both the user principal and the groups from the JDBC realm, so the check really tests group membership, and a user whose login name happens to equal the role name would pass it too; the realm should not allow such collisions.

Check the principal yourself

import java.security.Principal;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.jacc.PolicyContext;
import javax.security.jacc.PolicyContextException;

// Returns true when one of the caller's principals is named "role".
// GlassFish puts the user principal and the realm groups into the
// Subject, so this matches a group name (or a user whose login name
// equals the role). Any failure results in access NOT allowed.
public static boolean accessAllowed(String role) {
    if (role == null) {
        return false;
    }
    try {
        // JACC key for the caller's Subject; null when the request was not authenticated
        Subject s = (Subject) PolicyContext.getContext("javax.security.auth.Subject.container");
        if (s == null) {
            return false;
        }
        Set<Principal> principals = s.getPrincipals();
        for (Principal p : principals) {
            if (role.equals(p.getName())) {
                return true; // Access allowed
            }
        }
    } catch (PolicyContextException e) {
        // Something is wrong with the policy context: fail closed
    }
    return false;
}
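A portable alternative to comparing principal names is to let the container answer the role question. JAX-WS injects a javax.xml.ws.WebServiceContext into a plain endpoint, and its isUserInRole(String) goes through the deployment's security-role-mapping, so realm groups and user names are not conflated. The endpoint below is an added example, not code from the original post; the service, operation and role names ("clerk", "manager") are made up for illustration, and the basic-auth constraint in web.xml is assumed to be in place so that the caller is authenticated before the operation runs.

```java
import java.security.Principal;
import javax.annotation.Resource;
import javax.jws.WebMethod;
import javax.jws.WebService;
import javax.xml.ws.WebServiceContext;

// Hypothetical plain (non-EJB) JAX-WS endpoint; names are illustrative.
@WebService(serviceName = "OrderService")
public class OrderService {

    // Injected by the JAX-WS runtime; only valid while a request is being served.
    @Resource
    private WebServiceContext wsContext;

    @WebMethod
    public String getOrderStatus(String orderId) {
        requireRole("clerk");
        return "OPEN"; // placeholder result for the example
    }

    @WebMethod
    public void cancelOrder(String orderId) {
        requireRole("manager");
        // ... cancel the order here
    }

    // Fail closed: an unauthenticated request (no principal) or a caller
    // without the role results in a fault. isUserInRole() consults the
    // container's role-to-group mapping, so a user who happens to be
    // named "manager" does not get through the way a raw principal-name
    // comparison would allow.
    private void requireRole(String role) {
        Principal caller = wsContext.getUserPrincipal();
        if (caller == null || !wsContext.isUserInRole(role)) {
            // Generic message: do not echo the required role back to the caller.
            throw new SecurityException("Operation not permitted");
        }
    }
}
```

The SecurityException is turned into a SOAP fault by the JAX-WS runtime; keep its message generic so the fault does not tell an attacker which role would have been needed.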

Define the webservice as EJB

Another solution is to also define the Web service as an EJB, so that the EJB container enforces @RolesAllowed on the endpoint. I have not chosen this approach, but it is a matter of taste.
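For comparison, this is what the EJB route looks like: a stateless session bean exposed as a Web service, with the roles declared and enforced by annotations instead of by hand-written checks. This is an added example and not code from the original post; the bean, operation and role names are invented, and GlassFish still needs the basic-auth login configuration and the role-to-group mapping for the JDBC realm declared in its deployment descriptor.

```java
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;
import javax.jws.WebMethod;
import javax.jws.WebService;

// Hypothetical EJB Web service endpoint; names are illustrative.
@Stateless
@WebService(serviceName = "OrderService")
@DeclareRoles({"clerk", "manager"})
public class OrderServiceBean {

    // Both roles may read; the EJB container checks this before the method runs.
    @WebMethod
    @RolesAllowed({"clerk", "manager"})
    public String getOrderStatus(String orderId) {
        return "OPEN"; // placeholder result for the example
    }

    // Only managers may cancel. A caller without the role gets an
    // javax.ejb.EJBAccessException, which the JAX-WS runtime reports
    // as a SOAP fault; no code in the method body is reached.
    @WebMethod
    @RolesAllowed("manager")
    public void cancelOrder(String orderId) {
        // ... cancel the order here
    }
}
```

Because the check is declarative, adding a new operation without an @RolesAllowed annotation leaves it open to every authenticated caller (the default for an EJB method); annotate the class with @RolesAllowed or @DenyAll as a baseline if that is not what you want.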

I hope the JEE specification adds @RolesAllowed for basic-authenticated plain Web services, as it already exists for EJBs, as soon as possible.

Kind regards,

Marc
