
Implement secure JAX-RS applications

The IBM runtime environment for Java API for RESTful Web Services (JAX-RS) is driven by a servlet derived from the Apache Wink project. Within the WebSphere Application Server environment, the lifecycle of servlets is managed in the web container. Therefore, the security services offered by the web container are applicable to REST resources deployed in WAS.

We can define and add security constraints on the REST resources using the same tooling used to assemble REST applications. These constraints are captured in the J2EE web deployment descriptor associated with the application. The following list describes security definitions that we can include in the deployment descriptor:

All the security mechanisms supported by the web container are applicable to REST resources, including the use of the Kerberos-based SPNEGO authentication mechanism.


Tasks

  1. Configure the development environment.

    1. Before starting to develop JAX-RS applications, we must set up the development environment by adding the JAX-RS libraries to the classpath.

  2. Define the resources in JAX-RS web applications.

    1. Resources are the basic building block of a RESTful service. Resources can contain static or dynamically updated data. Examples of resources from an online book store application include a book, an order from a store, and a collection of users. By identifying the resources in the application, we can make the service more useful and easier to develop.

  3. Configure the JAX-RS application.

    We can configure JAX-RS applications in multiple ways. To take advantage of the Java EE 6 functionality, we can use the annotation scanning capabilities. By using annotation scanning, we can omit a JAX-RS javax.ws.rs.core.Application subclass or have a minimally defined javax.ws.rs.core.Application subclass. Alternatively, we can specify the IBM JAX-RS servlet or filter to use the functionality available in the IBM JAX-RS servlet and filter.

    Using one of the JAX-RS Version 1.1 configuration methods, we can omit a javax.ws.rs.core.Application subclass from the application, or have a javax.ws.rs.core.Application subclass that returns an empty set of classes, to inform the JAX-RS runtime environment that it should find and use all the JAX-RS classes in the application. We might want to use this method when we do not want to manually add every relevant JAX-RS class to a javax.ws.rs.core.Application subclass as we develop the application.

    By specifying the specific IBM JAX-RS servlet and filter, we can take advantage of and ensure specific IBM JAX-RS behavior. For example, using the IBM JAX-RS filter can be helpful in developing a web application with a mix of JAX-RS resources and JSP files with the same URL patterns.

    Even though one JAX-RS V1.1 configuration method makes the web.xml file optional, if we need to specify security constraints or roles, or want to take advantage of other features enabled through a web.xml file, we must specify that information in a web.xml file.

    Choose one of the following three methods to configure the JAX-RS application:

    • Configure JAX-RS applications using JAX-RS 1.1 methods

      Use this method to use the annotation scanning capabilities or to use the JAX-RS 1.1 configuration methods. Use the annotation scanning capabilities to promote application portability, to minimize the amount of configuration code, or to dynamically modify the application without changes to the application code.

    • Configure the web.xml file for JAX-RS servlets

      Use this method to specify features enabled using servlet initialization parameters to change the behavior and ensure that we get the IBM JAX-RS servlet. When using servlets, we can define a servlet path in the web.xml file that is appended to the base URL.

    • Configure the web.xml file for JAX-RS filters

      Use this method to use the filter when we have JSPs, other servlets and filters, and JAX-RS resources with a mix of URL patterns. We can configure the web.xml file to define filters that indicate the possible URLs on which the filter can be invoked.

  4. Secure JAX-RS applications within the web container.

    1. Using the security services available to the web container, we can secure REST resources by configuring security mechanisms that define user authentication, transport security, authorization control, and user-to-role mappings.

  5. Secure JAX-RS resources using annotations.

    1. We can secure JAX-RS resources using annotations that specify security settings. Use @PermitAll, @DenyAll and @RolesAllowed annotations to override the configuration of security constraints defined in the web.xml file.
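    The following resource class illustrates steps 4 and 5 together: a web.xml security constraint sets the default, and @PermitAll, @DenyAll and @RolesAllowed refine it per method. This is an added example, not code from the original page or from IBM; the package, paths, role names and the web.xml elements it assumes are hypothetical.

    ```java
    package com.example.bookstore; // hypothetical package, not from the page

    import javax.annotation.security.DenyAll;
    import javax.annotation.security.PermitAll;
    import javax.annotation.security.RolesAllowed;
    import javax.ws.rs.DELETE;
    import javax.ws.rs.GET;
    import javax.ws.rs.Path;
    import javax.ws.rs.PathParam;
    import javax.ws.rs.Produces;
    import javax.ws.rs.core.Context;
    import javax.ws.rs.core.Response;
    import javax.ws.rs.core.SecurityContext;

    // Assumed web.xml (not shown): BASIC <login-config>, the roles "reader" and
    // "admin" declared as <security-role>, and a <security-constraint> over the
    // URL pattern /books/* that requires role "reader". With annotation scanning
    // (step 3, first method) no Application subclass is needed to register this class.
    @Path("/books")
    @RolesAllowed("reader")          // class-level default: any authenticated reader
    public class BookResource {

        @GET
        @Path("/catalog")
        @PermitAll                   // overrides the class default: no login required
        @Produces("text/plain")
        public String catalog() {
            return "Public catalog listing";
        }

        @DELETE
        @Path("/{id}")
        @RolesAllowed("admin")       // tighter than web.xml: only admins may delete
        public Response delete(@PathParam("id") String id, @Context SecurityContext sc) {
            // Defence in depth: re-check the role in code so that a later edit to
            // the annotation or descriptor fails closed (403) rather than open.
            if (!sc.isUserInRole("admin")) {
                return Response.status(Response.Status.FORBIDDEN).build();
            }
            return Response.noContent().build();
        }

        @GET
        @Path("/internal/reindex")
        @DenyAll                     // blocked for every caller, authenticated or not
        public String reindex() {
            return "never reached";
        }
    }
    ```

    After deployment, map the "reader" and "admin" roles to users or groups in the administrative console (step 10); until that mapping exists, callers receive 403 for the constrained methods.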

  6. (optional) Secure downstream JAX-RS resources.

    1. We can secure downstream JAX-RS resources by configuring the BasicAuth method for authentication and using the LTPA JAX-RS security handler to take advantage of single sign-on for user authentication.

  7. (optional) Secure JAX-RS clients using SSL.

    1. We can secure the communications between the JAX-RS application and clients that invoke the application using SSL transport layer security.

  8. Assemble JAX-RS web applications.

    1. After developing the Java class files for our JAX-RS web application and editing the web.xml file to enable the JAX-RS servlet, we are ready to assemble the application. Assemble the web application into a web application archive (WAR) package. We can assemble the WAR package into an enterprise archive (EAR) package, if required.

  9. Deploy JAX-RS web applications.

    1. After assembling the JAX-RS web application, we need to deploy the web archive (WAR) package or the EAR package onto the application server.

  10. Administer the secure JAX-RS application.

    1. After we have implemented security mechanisms such as basic HTTP authentication or role-based authorization constraints on our REST resources, we can use the administrative console to administer the JAX-RS applications by mapping the defined roles to users, groups, or special subjects.

We have developed and deployed a secure JAX-RS web application on the application server. We can also use the administrative console to administer the secure JAX-RS application.


Related:

  • Overview of IBM JAX-RS
  • Secure JAX-RS applications within the web container
  • Secure downstream JAX-RS resources
  • Secure JAX-RS clients using SSL
  • Administer secure JAX-RS applications
  • Implement JAX-RS web applications
  • Web services specifications and APIs