EclipseLink/Release/2.4.0/JPA-RS/Security
JPA-RS does not implement any security within its service methods. Anyone deploying JPA-RS in a production application should secure access to the JPA-RS services using standard URL-pattern security constraints. This page illustrates how this can be done.
Securing JPA-RS in GlassFish
When the JPA-RS library is added to a web application's WEB-INF/lib folder, its web-fragment.xml augments the application's web.xml and maps the JAX-RS (Jersey) servlet that exposes the JPA-RS services. The web application developer can then use standard web.xml security configuration to control which URL(s) and HTTP methods can be invoked.
web.xml Example
In this example all access to JPA-RS for GET, PUT, POST, and DELETE is limited to users with the JPA-RS security role. Because the web-resource-collection lists no http-method elements, the constraint applies to every HTTP method on the /persistence/* URL pattern.
    <!-- Securing JPA-RS -->
    <security-constraint>
        <display-name>JPA-RS Security</display-name>
        <web-resource-collection>
            <web-resource-name>JPARSPermissions</web-resource-name>
            <url-pattern>/persistence/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>JPA-RS</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>file</realm-name>
    </login-config>
    <security-role>
        <role-name>JPA-RS</role-name>
    </security-role>
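The single constraint above grants one role every HTTP method. As an added example that is not part of the original wiki page or of EclipseLink itself, the fragment below splits the same /persistence/* pattern into a read-only role and a full-access role and requires TLS, since BASIC authentication only base64-encodes the credentials. The role name JPA-RS-READ is an assumption; the login-config and realm from the example above are kept unchanged. Note that once http-method elements are listed, any method not listed is left unconstrained, which is why the second constraint uses http-method-omission (Servlet 3.0) to cover every remaining method rather than naming PUT, POST and DELETE individually.

```xml
<!-- Added example, not from the EclipseLink wiki: role JPA-RS-READ is assumed. -->
<security-constraint>
    <display-name>JPA-RS read-only access</display-name>
    <web-resource-collection>
        <web-resource-name>JPARSRead</web-resource-name>
        <url-pattern>/persistence/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>HEAD</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>JPA-RS-READ</role-name>
        <role-name>JPA-RS</role-name>
    </auth-constraint>
    <user-data-constraint>
        <!-- BASIC auth sends credentials base64-encoded; require HTTPS -->
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<security-constraint>
    <display-name>JPA-RS modifying access</display-name>
    <web-resource-collection>
        <web-resource-name>JPARSWrite</web-resource-name>
        <url-pattern>/persistence/*</url-pattern>
        <!-- Every method except GET and HEAD: PUT, POST, DELETE, OPTIONS, ... -->
        <http-method-omission>GET</http-method-omission>
        <http-method-omission>HEAD</http-method-omission>
    </web-resource-collection>
    <auth-constraint>
        <role-name>JPA-RS</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<security-role>
    <role-name>JPA-RS-READ</role-name>
</security-role>
<security-role>
    <role-name>JPA-RS</role-name>
</security-role>
```

Both roles still need a security-role-mapping entry in the GlassFish deployment descriptor, as shown for the JPA-RS role below.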
GlassFish: sun-web.xml
Within the GlassFish server an additional mapping from the Java EE security role to a GlassFish security group is required.
    <security-role-mapping>
        <role-name>JPA-RS</role-name>
        <group-name>JPA-RS</group-name>
    </security-role-mapping>