These postmatching filters are applied only after a matching Java class resource method has been identified to process the incoming request. As these filters are executed after the resource matching process, it is no longer possible to modify the request in order to influence the resource matching process.
Here is an example of a postmatching server-side request filter. AuthorizationRequestFilter, shown in the following example, ensures that only users with the ADMIN role can access the REST APIs used for configuring the system. The configuration APIs are identified in this example by checking whether the request URI path has the /config/ part embedded in it:
//Other imports are omitted for brevity
import java.io.IOException;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.core.UriInfo;
import javax.ws.rs.ext.Provider;
@Provider
public class AuthorizationRequestFilter implements
ContainerRequestFilter {
@Override
public void filter(ContainerRequestContext requestContext)
throws IOException {
//Get the URI for current request
UriInfo uriInfo = requestContext.getUriInfo();
String uri = uriInfo.getRequestUri().toString();
int index = uri.indexOf("/config/");
boolean isSettingsService = (index != -1);
if (isSettingsService) {
SecurityContext securityContext
= requestContext.getSecurityContext();
if (securityContext == null
|| !securityContext.isUserInRole("ADMIN")) {
requestContext.abortWith(Response
.status(Response.Status.UNAUTHORIZED)
.entity("Unauthorized access.")
.build());
}
}
}
}
The @javax.ws.rs.ext.Provider annotation on the implementation of a filter or an interceptor makes it discoverable by the JAX-RS runtime. You do not need to do any extra configurations for integrating the filters or interceptors.