JPA-RS does not implement any security within its service methods. Users wishing to use JPA-RS within production applications should secure access to the JPA-RS services using standard URL-pattern security policies. This page illustrates how this can be done.
Securing JPA-RS in GlassFish
When the JPA-RS library is added to a web application's WEB-INF/lib folder, its web-fragment.xml augments the application's web.xml, mapping the JAX-RS (Jersey) servlet so that it is available. The web application developer can use standard web.xml security configuration to control which URL(s) and HTTP methods can be invoked.
In this example, all access to JPA-RS via GET, PUT, POST, and DELETE is limited to users with the JPA-RS security role.
<!-- Securing JPA-RS -->
<security-constraint>
    <display-name>JPA-RS Security</display-name>
    <web-resource-collection>
        <web-resource-name>JPARSPermissions</web-resource-name>
        <url-pattern>/persistence/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>PUT</http-method>
        <http-method>POST</http-method>
        <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>JPA-RS</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>file</realm-name>
</login-config>
<security-role>
    <role-name>JPA-RS</role-name>
</security-role>
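Because the constraint above enumerates GET, PUT, POST and DELETE, methods it does not name (HEAD, OPTIONS, TRACE, PATCH) fall outside the constraint on /persistence/* unless the descriptor also declares <deny-uncovered-http-methods/> (Servlet 3.1) or switches to <http-method-omission>. The checker below is an added example, not code from JPA-RS or this page; it parses a web.xml and lists the methods no auth-constrained constraint covers for a given pattern, using a constructed copy of the page's constraint as input.

```python
import xml.etree.ElementTree as ET

# Methods a servlet container routes; any not named in a constraint's
# <http-method> list stays unconstrained unless the deployment opts out.
COMMON_METHODS = ("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "PATCH")

def _local(tag):
    """Strip the XML namespace so any web.xml schema version can be checked."""
    return tag.rsplit("}", 1)[-1]

def _texts(elem, name):
    return [c.text.strip() for c in elem if _local(c.tag) == name and c.text]

def uncovered_methods(web_xml, url_pattern):
    """Methods on url_pattern no auth-constrained constraint covers; [] if deny-uncovered-http-methods is set."""
    root = ET.fromstring(web_xml)
    if any(_local(e.tag) == "deny-uncovered-http-methods" for e in root):
        return []
    covered = set()
    for sc in root:
        # A constraint without <auth-constraint> grants access to everyone, so it protects nothing.
        if _local(sc.tag) != "security-constraint" or not any(_local(c.tag) == "auth-constraint" for c in sc):
            continue
        for wrc in sc:
            if _local(wrc.tag) != "web-resource-collection" or url_pattern not in _texts(wrc, "url-pattern"):
                continue
            methods, omitted = set(_texts(wrc, "http-method")), set(_texts(wrc, "http-method-omission"))
            if omitted:                      # everything except the omitted methods
                covered.update(m for m in COMMON_METHODS if m not in omitted)
            elif methods:                    # only the listed methods
                covered.update(methods)
            else:                            # no method list: all methods constrained
                covered.update(COMMON_METHODS)
    return [m for m in COMMON_METHODS if m not in covered]

# Constructed sample mirroring the page's constraint (not a real deployment descriptor).
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>JPARSPermissions</web-resource-name>
      <url-pattern>/persistence/*</url-pattern>
      <http-method>GET</http-method><http-method>PUT</http-method><http-method>POST</http-method><http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>JPA-RS</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

if __name__ == "__main__":
    print("Uncovered methods:", uncovered_methods(SAMPLE_WEB_XML, "/persistence/*"))
```

Run it against your real web.xml after deployment descriptors are merged; an empty result means every common method on the pattern is constrained or denied.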
Within the GlassFish server, an additional mapping from the Java EE security role to the GlassFish security group is required in the GlassFish-specific deployment descriptor (glassfish-web.xml).
<security-role-mapping>
    <role-name>JPA-RS</role-name>
    <group-name>JPA-RS</group-name>
</security-role-mapping>