Difference between revisions of "EclipseLink/Release/2.4.0/JPA-RS/Security"

From Eclipsepedia

Jump to: navigation, search
(JPA-RS Security)
 
(5 intermediate revisions by one user not shown)
Line 1: Line 1:
== JPA-RS Security ==
+
<div style="float:right;width:300px"><div style="background:#ffffff;width:275px" align="center">__TOC__</div></div>
  
JPA-RS does not implement any security within its service methods. Users wishing to use JPA-RS within production application should secure access to the JPA-RS services using standard URL pattern security policies. This page illustrates how this can be done.
+
[[EclipseLink/Release/2.4.0/JPA-RS | JPA-RS]] does not implement any security within its service methods. Users wishing to use JPA-RS within production application should secure access to the JPA-RS services using standard URL pattern security policies. This page illustrates how this can be done.
  
 
== Securing JPA-RS in GlassFish ==
 
== Securing JPA-RS in GlassFish ==
  
The following is an example of how JPA-RS can be secured within an application using standard Java EE configuration combined with the server specific security.
+
When the JPA-RS library is added to a web applications '''WEB-INF/lib''' folder its web-fragment.xml is used to augment the application's web.xml mapping the JAX-RS (Jersey) servlet available. The web application developer can use standard web.xml security configuration to control what URL9s) and HTTP methods can be invoked.  
  
The web application that adds JPA-RS through its inclusion as a web-fragment by placing the JPA-RS libraryy in WEB-INF/lib can also augment their web.xml to control access to the JPA-RS service. An example of this woul look like:
+
=== web.xml Example ===
 +
 
 +
In this example all access to JPA-RS for GET, PUT, POST, and DELETE are limited to users with the '''JPA-RS''' security role.
  
 
<source lang="xml">
 
<source lang="xml">
Line 16: Line 18:
 
<web-resource-name>JPARSPermissions</web-resource-name>
 
<web-resource-name>JPARSPermissions</web-resource-name>
 
<url-pattern>/persistence/*</url-pattern>
 
<url-pattern>/persistence/*</url-pattern>
<http-method>GET</http-method>
 
<http-method>PUT</http-method>
 
<http-method>POST</http-method>
 
<http-method>DELETE</http-method>
 
 
</web-resource-collection>
 
</web-resource-collection>
 
<auth-constraint>
 
<auth-constraint>
Line 34: Line 32:
 
</source>
 
</source>
  
This configuration will limit all access to JPA-RS to container configured users who have the JPA-RS security role.
 
  
 
=== GlassFish: sun-web.xml ===
 
=== GlassFish: sun-web.xml ===

Latest revision as of 13:02, 21 June 2012

JPA-RS does not implement any security within its service methods. Users wishing to use JPA-RS within production application should secure access to the JPA-RS services using standard URL pattern security policies. This page illustrates how this can be done.

[edit] Securing JPA-RS in GlassFish

When the JPA-RS library is added to a web applications WEB-INF/lib folder its web-fragment.xml is used to augment the application's web.xml mapping the JAX-RS (Jersey) servlet available. The web application developer can use standard web.xml security configuration to control what URL9s) and HTTP methods can be invoked.

[edit] web.xml Example

In this example all access to JPA-RS for GET, PUT, POST, and DELETE are limited to users with the JPA-RS security role.

<!-- Securing JPA-RS  -->
<security-constraint>
	<display-name>JPA-RS Security</display-name>
	<web-resource-collection>
		<web-resource-name>JPARSPermissions</web-resource-name>
		<url-pattern>/persistence/*</url-pattern>
	</web-resource-collection>
	<auth-constraint>
		<role-name>JPA-RS</role-name>
	</auth-constraint>
</security-constraint>
<login-config>
	<auth-method>BASIC</auth-method>
	<realm-name>file</realm-name>
</login-config>
<security-role>
	<role-name>JPA-RS</role-name>
</security-role>


[edit] GlassFish: sun-web.xml

Within the GlassFish server the additional mapping from Java EE security role to the GlassFish secuity group is required.

<security-role-mapping>
	<role-name>JPA-RS</role-name>
	<group-name>JPA-RS</group-name>
</security-role-mapping>