When creating a REST API with Java EE 6 and JAX-RS there comes the time when you start thinking about security. In our case we were trying to set up HTTP Basic Auth for the REST API to identify users and keep them from deleting other people's ratings. Basic Auth only tells you who the caller is; checking that the caller is allowed to touch a particular resource still has to happen in your own code. It took me a while to understand the different aspects of configuring HTTP Basic Auth when using GlassFish:
- Use `SecurityContext` in your Java code to access the authentication information (the caller's `Principal` and role membership).
- To enable HTTP Basic Auth, add a `<security-constraint>` section to your `web.xml`, together with a `<login-config>` whose `<auth-method>` is `BASIC`; without the `<login-config>` the constraint does not trigger a Basic Auth challenge.
- Map the roles named in `web.xml` to GlassFish groups by creating a `sun-web.xml`.
- Configure a FileRealm or JDBCRealm in GlassFish to store the user accounts and passwords.
I will detail the steps with a simple deleteRating() example and XML snippets.
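As an added example (not the post's own code), here is what the `deleteRating()` resource method looks like once the container handles Basic Auth: it reads the caller from the injected `SecurityContext`, then enforces an ownership check so that an authenticated user cannot delete another user's rating. The in-memory `RATING_OWNERS` map, the `admin` role name and the `/ratings/{id}` path are assumptions for illustration; in a real deployment the owner lookup would hit your persistence layer, and `admin` would have to be mapped to a GlassFish group in `sun-web.xml` and the realm configured so that `isUserInRole` can resolve it.

```java
import java.security.Principal;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.ws.rs.DELETE;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;

@Path("/ratings")
public class RatingResource {

    // Constructed stand-in for a database: rating id -> user name of the owner.
    // Assumption for this example only; a real application would use JPA or a DAO.
    private static final Map<Long, String> RATING_OWNERS = new ConcurrentHashMap<Long, String>();
    static {
        RATING_OWNERS.put(1L, "alice");
        RATING_OWNERS.put(2L, "bob");
    }

    // Injected by JAX-RS; populated from the container's authentication
    // (HTTP Basic Auth configured via <login-config> in web.xml).
    @Context
    private SecurityContext securityContext;

    @DELETE
    @Path("/{id}")
    public Response deleteRating(@PathParam("id") long id) {
        // If the <security-constraint> in web.xml covers this URL, the container
        // has already authenticated the caller. Do not rely on that silently:
        // a misconfigured constraint leaves getUserPrincipal() returning null.
        Principal caller = securityContext.getUserPrincipal();
        if (caller == null) {
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }

        String owner = RATING_OWNERS.get(id);
        if (owner == null) {
            return Response.status(Response.Status.NOT_FOUND).build();
        }

        // Authentication identifies the caller; authorization for this specific
        // rating is our job. Only the owner, or an "admin" (assumed role name
        // mapped to a GlassFish group in sun-web.xml), may delete it.
        boolean isOwner = owner.equals(caller.getName());
        boolean isAdmin = securityContext.isUserInRole("admin");
        if (!isOwner && !isAdmin) {
            return Response.status(Response.Status.FORBIDDEN).build();
        }

        RATING_OWNERS.remove(id);
        return Response.noContent().build();
    }
}
```

Deployed behind a `web.xml` that protects `/ratings/*` with Basic Auth, a request such as `curl -u bob:secret -X DELETE http://host/app/ratings/1` is authenticated as `bob` but rejected with 403 because rating 1 belongs to `alice`; the same request as `alice` returns 204. Whether to answer 403 or 404 for a rating the caller does not own is a design choice: 404 hides which ids exist, at the cost of a less precise error for legitimate clients.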