Tags: java, rest, jakarta-ee, web.xml, jaas

Securing REST Resources with a generic URL Pattern


I'm working on a JEE app using REST WS. I would like to secure some specific REST resources for a specific role in web.xml.

For example: I have four roles: "Role1", "Role2", "Role3" and "RoleEdit".

I want only the role "RoleEdit" to be able to access these specific resources:

rest/SomePATH/0/Edit
rest/SomePATH/1/Edit
rest/SomePATH/2/Edit
...
rest/SomePATH/10/Edit

and

rest/SomeOtherPATH/0/Edit
rest/SomeOtherPATH/1/Edit
rest/SomeOtherPATH/2/Edit
...
rest/SomeOtherPATH/10/Edit

the other roles can access :

rest/SomePATH/0/query
...
rest/SomeOtherPATH/0/getInfo
...
rest/SomeOtherPATH/0/query
...
rest/SomeOtherPATH/0/getInfo
...

I added the following URL Patterns to web.xml for the RoleEdit :

<security-constraint>
    <display-name>EditRessources</display-name>
    <web-resource-collection>
        <web-resource-name>Edit</web-resource-name>
        <description/>
        <url-pattern>/rest/*/*/Edit</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description/>
        <role-name>RoleEdit</role-name>
    </auth-constraint>
</security-constraint>  

It seems that the security container doesn't recognize "/rest/*/*/Edit", so all the other roles can access these resources.

Is there any way to avoid writing all the resources in web.xml (just by using a generic pattern)?

thanks in advance


Solution

  • I solved the problem, thanks to @SteveC

    First, the url-pattern specs are:

    1. A string beginning with a '/' character and ending with a '/*' suffix is used for path mapping.
    2. A string beginning with a '*.' prefix is used as an extension mapping.
    3. A string containing only the '/' character indicates the "default" servlet of the application. In this case the servlet path is the request URI minus the context path and the path info is null.
    4. All other strings are used for exact matches only.

    Source: the URL pattern spec. So rest/*/*/path is not recognized.

    I suggest to those using the Jersey RESTful API:

    1. Add the following config in web.xml inside the Jersey servlet container:

        <init-param>
            <param-name>com.sun.jersey.spi.container.ResourceFilters</param-name> 
            <param-value>
                com.sun.jersey.api.container.filter.RolesAllowedResourceFilterFactory
            </param-value>
        </init-param>
    

    2. Use javax.annotation.security.RolesAllowed in their WS (securing methods or services), for example:

    import javax.annotation.security.RolesAllowed;
    import javax.ws.rs.POST;
    import javax.ws.rs.Path;
    import javax.ws.rs.PathParam;
    import javax.ws.rs.Produces;

    @Path("SomePATH")
    public class SampleWS {
       // ... other resource methods (query, getInfo) reachable by every role

       // Only RoleEdit may call rest/SomePATH/{layer}/Edit; the Jersey
       // RolesAllowedResourceFilterFactory configured above enforces the annotation
       // and rejects callers who are not in that role.
       @POST
       @Path("{layer}/Edit")
       @Produces("application/json")
       @RolesAllowed({"RoleEdit"})
       public String edit(@PathParam("layer") String layer) {
           // some code
           return "{\"layer\":\"" + layer + "\"}";
       }
    }
    

    that's all.
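Added example (not code from the question or the answer): a small Python model of the four url-pattern rules listed above, applied to the question's own paths and generalised to the container's best-match choice among several constraints. The "/rest/*" constraint is an assumed alternative, not something from the post; it shows that web.xml can require authentication for everything under /rest/ but cannot tell Edit apart from query, which is why the answer moves that decision to @RolesAllowed.

```python
# Added illustration of the four Servlet url-pattern rules quoted in the answer,
# run against the paths from the question. Not code from the original post.

def matches(pattern: str, path: str) -> bool:
    """True if a web.xml url-pattern covers the request path (context path stripped)."""
    if pattern == "/":                                      # rule 3: default servlet
        return True
    if pattern.startswith("/") and pattern.endswith("/*"):  # rule 1: path mapping
        prefix = pattern[:-2]                               # "/rest/*" -> "/rest"
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):                            # rule 2: extension mapping
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return pattern == path                                  # rule 4: exact match only

def rank(pattern: str, path: str) -> tuple:
    """Precedence used to pick the best match: exact > longest prefix > extension > default."""
    if pattern == path:
        return (3, 0)
    if pattern.startswith("/") and pattern.endswith("/*"):
        return (2, len(pattern))
    if pattern.startswith("*."):
        return (1, 0)
    return (0, 0)

def covering_roles(constraints, path):
    """Roles allowed by the best-matching security-constraint, or None when the
    path falls under no constraint at all, i.e. the container lets anyone through.
    Simplified model: one constraint per pattern, no http-method restrictions."""
    hits = [(rank(p, path), roles) for p, roles in constraints if matches(p, path)]
    return max(hits, key=lambda h: h[0])[1] if hits else None

# Constructed from the question: the pattern the asker put in web.xml.
QUESTION_CONSTRAINTS = [("/rest/*/*/Edit", {"RoleEdit"})]
# Assumed alternative that web.xml can express: a path-mapping prefix. It makes the
# container authenticate everything under /rest/, but it cannot single out the
# .../Edit resources, which is why the answer moves that decision to @RolesAllowed.
PREFIX_CONSTRAINTS = [("/rest/*", {"Role1", "Role2", "Role3", "RoleEdit"})]

if __name__ == "__main__":
    for path in ("/rest/SomePATH/0/Edit", "/rest/SomePATH/0/query", "/rest/*/*/Edit"):
        print(path, "->", covering_roles(QUESTION_CONSTRAINTS, path),
              "|", covering_roles(PREFIX_CONSTRAINTS, path))
```

Running it shows the question's constraint covering only the literal path "/rest/*/*/Edit", so every real Edit URL returns None, i.e. no constraint applies and the request is allowed through for any role.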