Notice: this Wiki will be going read only early in 2024 and edits will no longer be possible. Please see: https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/wikis/Wiki-shutdown-plan for the plan.
Difference between revisions of "EclipseLink/Release/2.4.0/JPA-RS/Security"
< EclipseLink | Release | 2.4.0/JPA-RS
(New page: == JPA-RS Security == == Securing JPA-RS in GlassFish == The following is an example of how JPA-RS can be secured within an application using standard Java EE configuration combined wit...) |
|||
| (6 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
| − | == | + | <div style="float:right;width:300px"><div style="background:#ffffff;width:275px" align="center">__TOC__</div></div> |
| + | [[EclipseLink/Release/2.4.0/JPA-RS | JPA-RS]] does not implement any security within its service methods. Users wishing to use JPA-RS within production application should secure access to the JPA-RS services using standard URL pattern security policies. This page illustrates how this can be done. | ||
== Securing JPA-RS in GlassFish == | == Securing JPA-RS in GlassFish == | ||
| − | + | When the JPA-RS library is added to a web applications '''WEB-INF/lib''' folder its web-fragment.xml is used to augment the application's web.xml mapping the JAX-RS (Jersey) servlet available. The web application developer can use standard web.xml security configuration to control what URL9s) and HTTP methods can be invoked. | |
| − | + | === web.xml Example === | |
| + | |||
| + | In this example all access to JPA-RS for GET, PUT, POST, and DELETE are limited to users with the '''JPA-RS''' security role. | ||
<source lang="xml"> | <source lang="xml"> | ||
| Line 15: | Line 18: | ||
<web-resource-name>JPARSPermissions</web-resource-name> | <web-resource-name>JPARSPermissions</web-resource-name> | ||
<url-pattern>/persistence/*</url-pattern> | <url-pattern>/persistence/*</url-pattern> | ||
| − | |||
| − | |||
| − | |||
| − | |||
</web-resource-collection> | </web-resource-collection> | ||
<auth-constraint> | <auth-constraint> | ||
| Line 33: | Line 32: | ||
</source> | </source> | ||
| − | |||
=== GlassFish: sun-web.xml === | === GlassFish: sun-web.xml === | ||
Latest revision as of 13:02, 21 June 2012
JPA-RS does not implement any security within its service methods. Users wishing to use JPA-RS within production application should secure access to the JPA-RS services using standard URL pattern security policies. This page illustrates how this can be done.
Securing JPA-RS in GlassFish
When the JPA-RS library is added to a web applications WEB-INF/lib folder its web-fragment.xml is used to augment the application's web.xml mapping the JAX-RS (Jersey) servlet available. The web application developer can use standard web.xml security configuration to control what URL9s) and HTTP methods can be invoked.
web.xml Example
In this example all access to JPA-RS for GET, PUT, POST, and DELETE are limited to users with the JPA-RS security role.
<!-- Securing JPA-RS --> <security-constraint> <display-name>JPA-RS Security</display-name> <web-resource-collection> <web-resource-name>JPARSPermissions</web-resource-name> <url-pattern>/persistence/*</url-pattern> </web-resource-collection> <auth-constraint> <role-name>JPA-RS</role-name> </auth-constraint> </security-constraint> <login-config> <auth-method>BASIC</auth-method> <realm-name>file</realm-name> </login-config> <security-role> <role-name>JPA-RS</role-name> </security-role>
GlassFish: sun-web.xml
Within the GlassFish server the additional mapping from Java EE security role to the GlassFish secuity group is required.
<security-role-mapping> <role-name>JPA-RS</role-name> <group-name>JPA-RS</group-name> </security-role-mapping>