Jump to: navigation, search

Difference between revisions of "EclipseLink/Release/2.4.0/JPA-RS/Security"

(New page: == JPA-RS Security == == Securing JPA-RS in GlassFish == The following is an example of how JPA-RS can be secured within an application using standard Java EE configuration combined wit...)
 
 
(6 intermediate revisions by the same user not shown)
Line 1: Line 1:
== JPA-RS Security ==
+
<div style="float:right;width:300px"><div style="background:#ffffff;width:275px" align="center">__TOC__</div></div>
  
 +
[[EclipseLink/Release/2.4.0/JPA-RS | JPA-RS]] does not implement any security within its service methods. Users wishing to use JPA-RS within production application should secure access to the JPA-RS services using standard URL pattern security policies. This page illustrates how this can be done.
  
 
== Securing JPA-RS in GlassFish ==
 
== Securing JPA-RS in GlassFish ==
  
The following is an example of how JPA-RS can be secured within an application using standard Java EE configuration combined with the server specific security.
+
When the JPA-RS library is added to a web applications '''WEB-INF/lib''' folder its web-fragment.xml is used to augment the application's web.xml mapping the JAX-RS (Jersey) servlet available. The web application developer can use standard web.xml security configuration to control what URL9s) and HTTP methods can be invoked.  
  
The web application that adds JPA-RS through its inclusion as a web-fragment by placing the JPA-RS libraryy in WEB-INF/lib can also augment their web.xml to control access to the JPA-RS service. An example of this woul look like:
+
=== web.xml Example ===
 +
 
 +
In this example all access to JPA-RS for GET, PUT, POST, and DELETE are limited to users with the '''JPA-RS''' security role.
  
 
<source lang="xml">
 
<source lang="xml">
Line 15: Line 18:
 
<web-resource-name>JPARSPermissions</web-resource-name>
 
<web-resource-name>JPARSPermissions</web-resource-name>
 
<url-pattern>/persistence/*</url-pattern>
 
<url-pattern>/persistence/*</url-pattern>
<http-method>GET</http-method>
 
<http-method>PUT</http-method>
 
<http-method>POST</http-method>
 
<http-method>DELETE</http-method>
 
 
</web-resource-collection>
 
</web-resource-collection>
 
<auth-constraint>
 
<auth-constraint>
Line 33: Line 32:
 
</source>
 
</source>
  
This configuration will limit all access to JPA-RS to container configured users who have the JPA-RS security role.
 
  
 
=== GlassFish: sun-web.xml ===
 
=== GlassFish: sun-web.xml ===

Latest revision as of 12:02, 21 June 2012

JPA-RS does not implement any security within its service methods. Users wishing to use JPA-RS within production application should secure access to the JPA-RS services using standard URL pattern security policies. This page illustrates how this can be done.

Securing JPA-RS in GlassFish

When the JPA-RS library is added to a web applications WEB-INF/lib folder its web-fragment.xml is used to augment the application's web.xml mapping the JAX-RS (Jersey) servlet available. The web application developer can use standard web.xml security configuration to control what URL9s) and HTTP methods can be invoked.

web.xml Example

In this example all access to JPA-RS for GET, PUT, POST, and DELETE are limited to users with the JPA-RS security role.

<!-- Securing JPA-RS  -->
<security-constraint>
	<display-name>JPA-RS Security</display-name>
	<web-resource-collection>
		<web-resource-name>JPARSPermissions</web-resource-name>
		<url-pattern>/persistence/*</url-pattern>
	</web-resource-collection>
	<auth-constraint>
		<role-name>JPA-RS</role-name>
	</auth-constraint>
</security-constraint>
<login-config>
	<auth-method>BASIC</auth-method>
	<realm-name>file</realm-name>
</login-config>
<security-role>
	<role-name>JPA-RS</role-name>
</security-role>


GlassFish: sun-web.xml

Within the GlassFish server the additional mapping from Java EE security role to the GlassFish secuity group is required.

<security-role-mapping>
	<role-name>JPA-RS</role-name>
	<group-name>JPA-RS</group-name>
</security-role-mapping>