I’m developing two projects using Netbeans 7.2:
1: a jee6 web project (Provided): an RestEasy webservices, it take data from a PostgreSQL database using JPA (EclipseLink 2.3) and deploy on JBoss 7.1.1.Final
jboss-web.xml:
<jboss-web>
<!-- URL to access the web module -->
<context-root>/dbo</context-root>
</jboss-web>
web.xml:
<?xml version="1.0" encoding="UTF-8"?> <web-app xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
<display-name>Restful Web Application</display-name>
<display-name>Restful Web Application</display-name>
<!-- Auto scan REST service -->
<context-param>
<param-name>resteasy.scan</param-name>
<param-value>true</param-value>
</context-param>
<!-- this need same with resteasy servlet url-pattern -->
<context-param>
<param-name>resteasy.servlet.mapping.prefix</param-name>
<param-value>/rest</param-value>
</context-param>
<listener>
<listener-class>
org.jboss.resteasy.plugins.server.servlet.ResteasyBootstrap
</listener-class>
</listener>
<servlet>
<servlet-name>resteasy-servlet</servlet-name>
<servlet-class>
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher
</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>resteasy-servlet</servlet-name>
<url-pattern>/rest/*</url-pattern>
</servlet-mapping>
JSONService.java:
package com.ostudio.dbo.rest;
import com.ostudio.dbo.model.Member;
import java.util.List;
import javax.enterprise.context.RequestScoped;
import javax.inject.Inject;
import javax.persistence.EntityManager;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
@Path("/members")
@RequestScoped
public class JSONService {
@Inject
private EntityManager em;
@GET
@Produces(javax.ws.rs.core.MediaType.APPLICATION_JSON)
public List<Member> listAllMembers() {
@SuppressWarnings("unchecked")
final List<Member> results = em.createQuery("select m from Member m order by m.name").getResultList();
return results;
}
}
2: the second project is the client (Consumer): a jee6 web project: an RestEasy client, its secure is based on jaas conected ldap server and deploy on JBoss 7.1.1.Final
web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
<display-name>home-module</display-name>
<!-- Protected Areas -->
<security-constraint>
<display-name>Admin Area</display-name>
<web-resource-collection>
<web-resource-name>Only_admins</web-resource-name>
<url-pattern>/pages/protected/admin/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<description>For admin role only</description>
<role-name>administrators</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<!-- Validation By Form -->
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/pages/public/login.xhtml</form-login-page>
<form-error-page>/pages/public/loginError.xhtml</form-error-page>
</form-login-config>
</login-config>
<!-- Allowed Roles -->
<security-role>
<description>Administrators</description>
<role-name>administrators</role-name>
</security-role>
</web-app>
jboss-web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
<!-- URL to access the web module -->
<context-root>/</context-root>
<!-- Realm that will be used -->
<security-domain>SecurityRealm</security-domain>
</jboss-web>
jboss-deployment-structure.xml:
<?xml version="1.0" encoding="UTF-8"?>
<jboss-deployment-structure>
<deployment>
<dependencies>
<module name="org.primefaces" meta-inf="export">
<imports>
<include path="META-INF" />
</imports>
</module>
<module name="org.jboss.resteasy.resteasy-jaxrs" meta-inf="export">
<imports>
<include path="META-INF" />
</imports>
</module>
</dependencies>
</deployment>
</jboss-deployment-structure>
DBOResteasyClient.java:
package com.ostudio.homemodule.dbo;
import com.ostudio.homemodule.model.Member;
import java.util.ArrayList;
import java.util.List;
import java.util.logging.Logger;
import javax.annotation.PostConstruct;
import javax.enterprise.context.RequestScoped;
import javax.faces.bean.ManagedBean;
import javax.inject.Named;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import org.apache.http.client.ClientProtocolException;
import org.jboss.resteasy.client.ClientRequest;
import org.jboss.resteasy.client.ClientResponse;
import org.primefaces.json.JSONArray;
import org.primefaces.json.JSONException;
import org.primefaces.json.JSONObject;
/**
*
* @author josuna
*/
@ManagedBean(name="dboBean")
@RequestScoped
public class DBOResteasyClient {
private static final String BASE_URI = "http://localhost:8080/dbo/rest";
ClientRequest webResource;
ClientResponse response;
private List<Member> members;
private Member member;
private static final Logger log = Logger.getLogger(DBOResteasyClient.class.toString());
public DBOResteasyClient() {
final String Path = "/members";
webResource = new ClientRequest(BASE_URI+Path);
}
// @Named provides access the return value via the EL variable name "members" in the UI (e.g.,
// Facelets or JSP view)
@Produces
@Named
public List<Member> getMembers(){
return this.members;
}
@PostConstruct
public void listAllMembers() {
try{
ClientRequest resource = webResource;
response = resource.accept(javax.ws.rs.core.MediaType.APPLICATION_JSON).get(ClientResponse.class);
if (response.getStatus() != 200) {
throw new RuntimeException("Failed : HTTP error code : "
+ response.getStatus()); }
}catch(Exception e ){
e.printStackTrace();
}
String jsonData = (String) response.getEntity(String.class);
JSONArray jsonArray = null;
try {
jsonArray = new JSONArray(jsonData);
members = new ArrayList<Member>();
for(int i=0;i<jsonArray.length();i++)
{
JSONObject json_data = jsonArray.getJSONObject(i);
member = new Member();
member.setId(json_data.getLong("id"));
member.setName(json_data.getString("name"));
member.setEmail(json_data.getString("email"));
member.setPhoneNumber(json_data.getString("phoneNumber"));
members.add(member);
}
} catch (JSONException e) {
// TODO Auto-generated catch block
log.info("ERROR EN listAllMembers: DBOResteasyClient: home-module");
}
// log.info("listAllMembers: size["+ members.size()+"]");
log.info("Output from Server .... \n");
log.info(jsonData);
}
public void close(){
}
}
My Question is:
I need to protect the webservice.
I use a jboss 7.1 realm to secure the client, I need to protect the webservice resteasy but I don’t want use other realm because it ask for auth again, is there a form to protect the webservice and use the client auth to access the webservice without it ask for auth again?
I assume that you want to authenticate/authorize your user. If you want to secure the connection you should use TLS with HTTPS.
If your connection is already secured by TLS you can use HTTP Basic Authentication and use a
SecurityInterceptor:Your client should implement preemptive HTTP basic authentication.