JAX-RS Security
by Vibrant Publishers
Introduction
Web services play a vital role in any web application. Because these services handle data of varying criticality, their security requirements are correspondingly high. The JAX-RS library, used to create REST web services in Java, provides strict measures to ensure the security of the APIs built on top of it. Let us examine those security features of JAX-RS in detail.
JAX-RS Security
The JAX-RS library provides a core set of security features at three levels:
- Encryption
- Authentication
- Authorization
Encryption
REST is built on top of the HTTP protocol, so the security of a REST service also depends on the security of its transport protocol. While implementing APIs, developers must therefore serve them over HTTPS with SSL/TLS certificates to ensure end-to-end encryption. This prevents any third party that intercepts the network traffic from reading the information.
Authentication
This is another common strategy used to make sure a client has access to a particular API resource. It is done by validating the client's identity on the server side: a credential-matching process confirms who the client is. In Java EE containers, the web.xml file can be configured for this process. The activity diagram shown below illustrates a sample API authentication process.
Authorization
Once a client is authenticated, the next step in the security process is to check whether the client is authorized to access certain resources on the server. In some cases, certain resources are read-only for certain types of clients, while others may have read and update access, so these permissions have to be validated. These settings are also configured in the web.xml file of the application hosted in the server container.
JAX-RS Security Implementations
We have seen the main ways in which security can be enforced in web services. Now let us see how JAX-RS implements these measures.
There are three ways in which JAX-RS security can be implemented:
- Using a deployment descriptor file.
- Using the security context.
- Use of annotations.
Using a deployment descriptor file
The deployment descriptor file is an XML file that is part of the container. It is called web.xml. You configure the web.xml file for web service security in such a way that any client trying to access a resource via an API is asked for authentication and authorization. This is done through the following steps:
- Define the tag for every URI or RESTful API resource that we plan to protect.
- Use an element that defines the type of authentication we would like to use.
- Define one or more security roles by including the tag. Once done, map them to the security constraints defined in Step 1.
Using the security context
The SecurityContext class gives us the following security information for a given resource:
- The java.security.Principal object that carries the name of the user making the request.
- The authentication type used to secure the resource, such as FORM_AUTH, BASIC_AUTH or CLIENT_CERT_AUTH.
- Whether the authenticated user has been included in a given security role.
- Whether the request arrived over a secure channel such as HTTPS.
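The four pieces of information above, read from an injected SecurityContext inside a resource method. This is an added example and not code from the article; the `/account/whoami` path and the `admin` role name are assumptions. The method refuses to answer over a non-secure channel and when the container has not authenticated the caller, which is the order of checks a resource should make before it trusts the principal.

```java
import java.security.Principal;

import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;

// Hypothetical resource: path and role names are assumptions for this example.
@Path("/account")
public class AccountResource {

    @GET
    @Path("/whoami")
    @Produces(MediaType.TEXT_PLAIN)
    public Response whoAmI(@Context SecurityContext sc) {
        // 1. Secure channel: isSecure() is false for plain HTTP, so refuse early
        //    rather than echo account details over an unencrypted connection.
        if (!sc.isSecure()) {
            return Response.status(Response.Status.FORBIDDEN)
                           .entity("HTTPS is required").build();
        }

        // 2. Principal: null means the container did not authenticate the caller
        //    (for example no login-config matched this URI).
        Principal user = sc.getUserPrincipal();
        if (user == null) {
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }

        // 3. Authentication scheme the container used; compare against the
        //    SecurityContext constants (BASIC_AUTH, FORM_AUTH, CLIENT_CERT_AUTH, DIGEST_AUTH).
        String scheme = sc.getAuthenticationScheme();
        boolean certBased = SecurityContext.CLIENT_CERT_AUTH.equals(scheme);

        // 4. Role membership decides how much the caller may see.
        boolean admin = sc.isUserInRole("admin");

        String body = "user=" + user.getName()
                    + " scheme=" + scheme
                    + " clientCert=" + certBased
                    + " admin=" + admin;
        return Response.ok(body).build();
    }
}
```

Note that isUserInRole() answers against the roles the container mapped for the principal, so a role name used here must also be declared to the container (through web.xml or the deployment's role mapping); an undeclared name simply returns false.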
Use of annotations
The `javax.annotation.security` package in Java provides security annotations. They can be used for securing API methods. The following are the common annotations in use:

| Annotation | Usage |
| --- | --- |
| @PermitAll | Specifies that all security roles are allowed to invoke the given resource method. |
| @RolesAllowed | Lists the security roles that are allowed to access a given resource method. |
| @DenyAll | Specifies that none of the security roles are allowed to invoke the given resource method. |
| @DeclareRoles | Provides the security role of the current user invoking a resource method. |
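The four annotations from the table applied to one resource class. This is an added example, not code from the article; the `/orders` paths, the `user` and `admin` role names and the order identifiers are assumptions. @DeclareRoles on the class names the roles the application refers to so the container knows them; the method-level annotations then grant or deny each operation, and an unannotated method inherits whatever the class (or the container's default) allows.

```java
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.DELETE;
import javax.ws.rs.GET;
import javax.ws.rs.PUT;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

// Hypothetical resource; role names "user" and "admin" are assumptions.
@DeclareRoles({"user", "admin"})
@Path("/orders")
public class OrdersResource {

    // Public catalogue view: every caller, authenticated or not, may read it.
    @GET
    @PermitAll
    @Produces(MediaType.TEXT_PLAIN)
    public Response listOrders() {
        return Response.ok("orders: [1001, 1002]").build();   // constructed sample
    }

    // Updating an order needs an authenticated caller in either role.
    @PUT
    @Path("/{id}")
    @RolesAllowed({"user", "admin"})
    public Response updateOrder(@PathParam("id") String id, String body) {
        // Authorization has already been decided by the annotation; the method
        // only has to apply the change. Body handling is elided for the example.
        return Response.noContent().build();
    }

    // Deleting is reserved for administrators only.
    @DELETE
    @Path("/{id}")
    @RolesAllowed("admin")
    public Response deleteOrder(@PathParam("id") String id) {
        return Response.noContent().build();
    }

    // Retired bulk-export endpoint kept so old clients get a clean 403
    // instead of a 404; no role may invoke it.
    @GET
    @Path("/export")
    @DenyAll
    public Response exportAll() {
        return Response.ok().build();   // never reached: @DenyAll blocks the call
    }
}
```

Two caveats a practitioner should check. First, these annotations are enforced by asking SecurityContext.isUserInRole() for the caller, so authentication must still be configured (for example a `<login-config>` in web.xml); the annotations alone do not log anyone in. Second, enforcement is implementation-specific: Jersey, for instance, only honours them after `org.glassfish.jersey.server.filter.RolesAllowedDynamicFeature` is registered in the application's ResourceConfig, and a deployment that forgets this silently allows every call. A quick test with an unauthenticated DELETE against `/orders/1001` expecting 401 or 403 catches both mistakes.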
Summary
Security implementation in JAX-RS leverages the server container and the transport protocol. It is done mainly through configuration parameters and annotations. When building APIs for web applications, it is always good practice to include these security features in the API code.