Determine security information using SecurityContext objects

Use Java API for RESTful Web Services (JAX-RS), we can use the SecurityContext object to access security information from the request context.

Use an injected SecurityContext object with the JAX-RS runtime environment, we can determine the security information of a Java EE container for a particular request. The procedure provides an example of returning the name of the user that made a request, if a user was logged in.

By using an injected javax.ws.rs.core.SecurityContext object by the JAX-RS runtime environment, we can determine the security information of a Java EE container for a particular request. For example, we can determine if the request was made over a secure transport or if the current user is in a role designated by the Java EE application. We can also determine the principal information of the logged-in user and the authentication scheme used.

The security information is helpful to determine whether the request is valid programmatically and to log secure requests, such as a request from a user who accessed an administrator page. To learn about setting up security, see the information about securing JAX-RS applications.

• If a resource method signature can be modified, add the @javax.ws.rs.core.Context javax.ws.rs.core.SecurityContext parameter to the method. When the resource method is invoked, the JAX-RS runtime environment passes an object that implements the SecurityContext object; for example:

  @Path("/contextexample")
  public class RootResource 
  {
      @GET
      @Produces("text/plain")
      public Response getResource(@Context SecurityContext secContext) 
      {
          StringBuilder sb = new StringBuilder();
          sb.append("Hello ");
          if(secContext.isUserInRole("admin")) 
          {
              sb.append("admin ");
          }
  
          Principal p = secContext.getUserPrincipal();
          if(p != null) 
          {
              sb.append(p.getName());
          }
          return Response.ok(sb.toString()).build();
      }
  }

• If a resource method signature cannot be modified and the class is a root resource, add the @javax.ws.rs.core.Context javax.ws.rs.core.SecurityContext field. When the resource is instantiated for a request, an object that implements SecurityContext is injected; for example:

  @Path("/contextexample")
  public class RootResource 
  {
      @Context SecurityContext secContext;
      @GET
      @Produces("text/plain")
      public Response getResource() {
          StringBuilder sb = new StringBuilder();
          sb.append("Hello ");
           if(secContext.isUserInRole("admin")) 
           {
              sb.append("admin ");
          }
  
          Principal p = secContext.getUserPrincipal();
          if(p != null) 
          {
              sb.append(p.getName());
          }
          return Response.ok(sb.toString()).build();
      }
  }

Results

You have used the javax.ws.rs.core.SecurityContext object to help provide security information from the Java EE container.

Related tasks

Use JAX-RS context objects to obtain more information about requests

Obtaining HTTP headers using HttpHeaders objects

Obtaining information about URIs using UriInfo objects

Evaluating request preconditions using Request objects

Implement secure JAX-RS applications