Difference between revisions of "EclipseLink/Release/2.4.0/JPA-RS/Security"

Revision as of 13:38, 14 May 2012

JPA-RS Security

JPA-RS does not implement any security within its service methods. Users wishing to use JPA-RS within a production application should secure access to the JPA-RS services using standard URL pattern security policies. This page illustrates how this can be done.

Securing JPA-RS in GlassFish

The following is an example of how JPA-RS can be secured within an application using standard Java EE configuration combined with server-specific security.

When the JPA-RS library is added to a web application's WEB-INF/lib folder, its web-fragment.xml is used to augment the application's web.xml, mapping in the JAX-RS (Jersey) servlet that makes the service available. The web application developer can use standard web.xml security configuration to control which URL(s) and HTTP methods can be invoked.

The web application that adds JPA-RS through its inclusion as a web fragment (by placing the JPA-RS library in WEB-INF/lib) can also augment its web.xml to control access to the JPA-RS service. An example of this would look like:

web.xml Example

In this example all access to JPA-RS for GET, PUT, POST, and DELETE is limited to container-configured users who have the JPA-RS security role.

<!-- Securing JPA-RS  -->
<security-constraint>
	<display-name>JPA-RS Security</display-name>
	<web-resource-collection>
		<web-resource-name>JPARSPermissions</web-resource-name>
		<url-pattern>/persistence/*</url-pattern>
		<http-method>GET</http-method>
		<http-method>PUT</http-method>
		<http-method>POST</http-method>
		<http-method>DELETE</http-method>
	</web-resource-collection>
	<auth-constraint>
		<role-name>JPA-RS</role-name>
	</auth-constraint>
</security-constraint>
<login-config>
	<auth-method>BASIC</auth-method>
	<realm-name>file</realm-name>
</login-config>
<security-role>
	<role-name>JPA-RS</role-name>
</security-role>
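Two details of the Servlet security model are worth checking against the constraint above. First, when a web-resource-collection lists http-method elements, the constraint applies only to the listed methods; leaving the list out makes the constraint cover every method on the URL pattern. Second, BASIC authentication sends the credentials with each request, so a user-data-constraint of CONFIDENTIAL is normally added so the container only accepts the request over TLS. The following is an added example, not configuration from the wiki page or the EclipseLink project; it reuses the page's /persistence/* pattern and JPA-RS role name and otherwise assumes nothing about the application.

```xml
<!-- Added example (not from the wiki page): the page's constraint with the
     <http-method> list removed, so that all HTTP methods on /persistence/*
     are covered, and with a transport guarantee so that BASIC credentials
     are only accepted over TLS. -->
<security-constraint>
	<display-name>JPA-RS Security</display-name>
	<web-resource-collection>
		<web-resource-name>JPARSPermissions</web-resource-name>
		<url-pattern>/persistence/*</url-pattern>
		<!-- no <http-method> elements: the constraint applies to every method -->
	</web-resource-collection>
	<auth-constraint>
		<role-name>JPA-RS</role-name>
	</auth-constraint>
	<user-data-constraint>
		<!-- CONFIDENTIAL: the container redirects or rejects plain HTTP requests -->
		<transport-guarantee>CONFIDENTIAL</transport-guarantee>
	</user-data-constraint>
</security-constraint>
<login-config>
	<auth-method>BASIC</auth-method>
	<realm-name>file</realm-name>
</login-config>
<security-role>
	<role-name>JPA-RS</role-name>
</security-role>
```

If some methods must stay open (for example to let a load balancer issue unauthenticated OPTIONS requests), the Servlet 3.0 http-method-omission element expresses "every method except these" explicitly, which is easier to audit than a list of the methods that happen to be constrained.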


GlassFish: sun-web.xml

Within the GlassFish server the additional mapping from the Java EE security role to the GlassFish security group is required.

<security-role-mapping>
	<role-name>JPA-RS</role-name>
	<group-name>JPA-RS</group-name>
</security-role-mapping>
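The fragment above is the only element the page shows. As an added example (not from the wiki page or the EclipseLink project), here is a complete WEB-INF/sun-web.xml for GlassFish 3 carrying that mapping, with the DOCTYPE the descriptor needs; the context root is an assumed value.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the wiki page): complete sun-web.xml for GlassFish 3.
     The DOCTYPE is the GlassFish 3.0 / Servlet 3.0 one; the context-root is an
     assumed value for an application that bundles JPA-RS in WEB-INF/lib. -->
<!DOCTYPE sun-web-app PUBLIC
	"-//Sun Microsystems, Inc.//DTD GlassFish Application Server 3.0 Servlet 3.0//EN"
	"http://www.sun.com/software/appserver/dtds/sun-web-app_3_0-0.dtd">
<sun-web-app>
	<context-root>/example-app</context-root>
	<!-- Java EE role "JPA-RS" (from web.xml) is granted to members of the
	     GlassFish group "JPA-RS" in the realm named in login-config ("file"). -->
	<security-role-mapping>
		<role-name>JPA-RS</role-name>
		<group-name>JPA-RS</group-name>
	</security-role-mapping>
</sun-web-app>
```

Because the page's login-config names the file realm, a user only gets the JPA-RS role if they are in the JPA-RS group of that realm, which is what asadmin create-file-user --groups JPA-RS sets up; users in the same realm without that group still authenticate but are denied by the auth-constraint.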