
List:       wink-user
Subject:    Re:
From:       Stefan Witte <stefan_witte () yahoo ! com>
Date:       2009-09-30 14:33:39
Message-ID: 231571.58061.qm () web112608 ! mail ! gq1 ! yahoo ! com

Thanks Bryant.

I've got it working now. I think that the problem was in the caching of the browser
while trying out different user ids and not enough restarting of the WebSphere
server.

I now test it with the Wink client using the "Authorization: Basic
c3dpdHRlOnN0ZWZhbg==" header. I wrote a WebSphereAuthorisationHandler (ClientHandler)
for this. For optimisation I probably have to create one that uses the returned
LtpaToken cookie for additional requests.

Thanks.




________________________________
From: Bryant Luk <bryant.luk@gmail.com>
To: wink-user@incubator.apache.org
Sent: Tuesday, September 29, 2009 5:01:01 AM
Subject: Re:

Hi Stefan,

Thanks for the feedback.  We'll try adding a chapter specifically
about security to the guide soon.

For your immediate issue, I made a simple application to test out the
security using the pattern you suggested.  I had a resource like:

import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.SecurityContext;

@Path("/resource")
public class Resource {
   // Injected by the JAX-RS runtime per request; exposes the container's
   // authenticated principal and role checks to the resource code.
   @Context
   SecurityContext securityInfo;

   @GET
   @Produces(MediaType.TEXT_PLAIN)
   public String getSomething() {
       return "Hello GET: " + securityInfo.getUserPrincipal();
   }

   @POST
   @Produces(MediaType.TEXT_PLAIN)
   public String postSomething() {
       return "Hello POST: " + securityInfo.getUserPrincipal();
   }

   @GET
   @Path("/{subresource}")
   @Produces(MediaType.TEXT_PLAIN)
   public String getGreetingSub() {
       return "Hello GET subresource: " + securityInfo.getUserPrincipal();
   }
}

My web.xml:

   <servlet>
       <servlet-name>HelloWorldApp</servlet-name>
       <servlet-class>org.apache.wink.server.internal.servlet.RestServlet</servlet-class>
       <init-param>
           <param-name>javax.ws.rs.Application</param-name>
           <param-value>org.apache.wink.example.helloworld.HelloWorldApplication</param-value>
       </init-param>
       <load-on-startup>1</load-on-startup>
   </servlet>
   <servlet-mapping>
       <servlet-name>HelloWorldApp</servlet-name>
       <url-pattern>/*</url-pattern>
   </servlet-mapping>
   <security-role>
       <role-name>adminRole</role-name>
   </security-role>
   <security-role>
       <role-name>readerRole</role-name>
   </security-role>
   <security-constraint>
       <web-resource-collection>
           <web-resource-name>SecuredAdmin</web-resource-name>
           <url-pattern>/resource</url-pattern>
           <http-method>GET</http-method>
           <http-method>POST</http-method>
       </web-resource-collection>
       <auth-constraint>
           <role-name>adminRole</role-name>
       </auth-constraint>
   </security-constraint>
   <security-constraint>
       <web-resource-collection>
           <web-resource-name>SecuredSubresource</web-resource-name>
           <url-pattern>/resource/*</url-pattern>
           <http-method>GET</http-method>
       </web-resource-collection>
       <auth-constraint>
           <role-name>readerRole</role-name>
       </auth-constraint>
   </security-constraint>
   <login-config>
       <auth-method>BASIC</auth-method>
   </login-config>

When I loaded up the root resource at /resource in my browser, I could
only use a user mapped to my adminRole.  When I visited
/resource/abcd, I could only visit the resource using a user mapped to
my readerRole.  Did you try a pattern like the above?

One note on the above pattern is that it restricts GETs to /resource
to only the adminRole users.  Generally /resource collection like URLs
(if it is indeed a collection) are readable by the same users as those
that can read /resource/<anything underneath>, so you may want to drop
the <http-method>GET</http-method> and just leave the
<http-method>POST</http-method> in the first security constraint.

Also, I'm not sure if you're aware but you can try using the @Context
javax.ws.rs.core.SecurityContext injected object (which can be put in
a method's parameter list or as a root resource's field variable for
instance) if you need a programmatic way of handling security.

I used the free WebSphere Application Server 7.0 developer's version
at ( http://www.ibm.com/developerworks/websphere/downloads/ ).  You
probably already know this but I would also try restarting the
application via the admin console or wsadmin after you've made changes
to the application specific security configuration.  If you make
changes to the global security config (such as changing user
registries or enabling application security), you should try
restarting the application server.

Let us know if that helped.

On Mon, Sep 28, 2009 at 8:45 AM, Stefan Witte <stefan_witte@yahoo.com> wrote:
> Can someone provide some samples, guidelines or patterns on how to (JEE)
> secure different resources in an Apache Wink implementation?
> 
> If the Wink servlet is configured in the web.xml like:
> 
> <servlet>
>     <servlet-name>WinkServlet</servlet-name>
>     <servlet-class>org.apache.wink.server.internal.servlet.RestServlet</servlet-class>
>     <init-param>
>         <param-name>applicationConfigLocation</param-name>
>         <param-value>/WEB-INF/application</param-value>
>     </init-param>
> </servlet>
> 
> <servlet-mapping>
>     <servlet-name>WinkServlet</servlet-name>
>     <url-pattern>/*</url-pattern>
> </servlet-mapping>
> 
> Is /* then the only url-pattern where a role can be assigned to?
> Or do I have to have multiple servlet mappings (tried that but didn't work),
> or do I have to register multiple instances of the Wink servlet with
> different url patterns?
> 
> 
> I tried using different security constraints on different url-patterns but
> none works as I want (see example).
> 
> (running on WebSphere 7.0.0.3, servlet 2.5)
> 
> I for example need to configure authorisation for the following nested
> resources:
> 
> roles: admin, reader
> 
> /resource (role: admin)
> /resource/<anything> (role: reader) (e.g. /resource/reservation)
> 
> 
> A chapter in the User or Developer guide about JEE security on REST
> resources (using Apache Wink) would be really useful.
> 
> Thanks.
> 
> 



--

- Bryant Luk
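Bryant's note above suggests the injected javax.ws.rs.core.SecurityContext for programmatic security. The following is an added example (not code from this thread or from the Wink project) of a resource that layers explicit role checks on top of the web.xml constraints, using the same role names, adminRole and readerRole, and Bryant's suggestion that readers may GET the collection; GuardedResource and requireRole are hypothetical names chosen here.

```java
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;

// Added example: programmatic checks that mirror the declarative web.xml rules,
// so a later change to a url-pattern cannot silently widen access.
// isUserInRole only answers for roles declared as <security-role> in web.xml
// and mapped to users/groups on the server (WebSphere admin console).
@Path("/resource")
public class GuardedResource {

    @Context
    private SecurityContext securityContext;

    // Fail closed: no principal means the container did not authenticate the caller.
    private void requireRole(String role) {
        if (securityContext.getUserPrincipal() == null) {
            throw new WebApplicationException(Response.Status.UNAUTHORIZED);
        }
        if (!securityContext.isUserInRole(role)) {
            throw new WebApplicationException(Response.Status.FORBIDDEN);
        }
    }

    @GET
    @Produces(MediaType.TEXT_PLAIN)
    public String getCollection() {
        requireRole("readerRole"); // collection is readable by readers
        return "Hello GET: " + securityContext.getUserPrincipal().getName();
    }

    @POST
    @Produces(MediaType.TEXT_PLAIN)
    public String create() {
        requireRole("adminRole"); // writes stay admin-only
        return "Hello POST: " + securityContext.getUserPrincipal().getName();
    }

    @GET
    @Path("/{subresource}")
    @Produces(MediaType.TEXT_PLAIN)
    public String getSub(@PathParam("subresource") String sub) {
        requireRole("readerRole");
        return "Hello GET " + sub + ": " + securityContext.getUserPrincipal().getName();
    }
}
```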
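Stefan's first message describes a Wink ClientHandler that sends the Basic header and the idea of reusing the returned LtpaToken cookie on later requests. This is an added example of that pattern, not Stefan's WebSphereAuthorisationHandler and not Wink project code; it assumes the Wink 1.x client handler API (ClientRequest, ClientResponse, HandlerContext.doChain) and Java 8+ for java.util.Base64, and the class name BasicThenLtpaHandler is hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.List;
import javax.ws.rs.core.MultivaluedMap;
import org.apache.wink.client.ClientRequest;
import org.apache.wink.client.ClientResponse;
import org.apache.wink.client.handlers.ClientHandler;
import org.apache.wink.client.handlers.HandlerContext;

// Added example: Basic credentials on the first call, then the server-issued
// LtpaToken cookie so the password is not resent on every request.
// The Basic value is only Base64, i.e. the cleartext password: use TLS only.
public class BasicThenLtpaHandler implements ClientHandler {
    private static final String COOKIE_PREFIX = "LtpaToken";
    private final String basicHeader;
    private volatile String ltpaCookie; // "LtpaToken...=<opaque>", kept in memory only

    public BasicThenLtpaHandler(String user, char[] password) {
        String raw = user + ":" + new String(password);
        basicHeader = "Basic "
            + Base64.getEncoder().encodeToString(raw.getBytes(StandardCharsets.UTF_8));
    }

    @Override
    public ClientResponse handle(ClientRequest request, HandlerContext context) throws Exception {
        MultivaluedMap<String, String> headers = request.getHeaders();
        if (ltpaCookie != null) {
            headers.putSingle("Cookie", ltpaCookie);     // session token, no credentials
        } else {
            headers.putSingle("Authorization", basicHeader);
        }
        ClientResponse response = context.doChain(request);
        if (response.getStatusCode() == 401) {
            ltpaCookie = null; // token expired or rejected: next call falls back to Basic
            return response;
        }
        List<String> setCookies = response.getHeaders().get("Set-Cookie");
        if (setCookies != null) {
            for (String sc : setCookies) {
                // keep only name=value; Path/Secure/HttpOnly attributes are not resent
                String pair = sc.split(";", 2)[0].trim();
                if (pair.startsWith(COOKIE_PREFIX)) {
                    ltpaCookie = pair;
                }
            }
        }
        return response;
    }
}
```

Register it with `new ClientConfig().handlers(new BasicThenLtpaHandler(user, password))` and pass that config to `new RestClient(config)`; scope one handler instance to one server host, since the cookie must not be replayed elsewhere.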