We started off this chapter by discussing how an application authenticates a user who is trying to access a secured resource. When a client accesses a secured resource, the server identifies and validates the requester, and on successful authentication the requester is granted access to the application. During this process, the underlying security framework creates a javax.ws.rs.core.SecurityContext object that holds the security-related information for the requester. The JAX-RS framework lets you access this SecurityContext object in your code to retrieve that information for the current request.
Some of the frequently used methods exposed by SecurityContext are given as follows:
- getAuthenticationScheme(): This method returns the authentication scheme used for protecting resources, such as HTTP basic, HTTP digest, NTLM, and so on
- getUserPrincipal(): This method returns a java.security.Principal object representing the logged-in user (null if the request has not been authenticated)
- isSecure(): This returns true if the request is made through a secure channel (HTTPS)
- isUserInRole(String role): This returns true if the logged-in user is in the role supplied as a parameter for this method
The complete list of methods is documented in the Java EE 7 API at http://docs.oracle.com/javaee/7/api/javax/ws/rs/core/SecurityContext.html.
You can access SecurityContext in the JAX-RS resource methods and call the appropriate APIs on it to perform the authorization of the requester. The following is an example demonstrating the usage of SecurityContext::isUserInRole(String). In this example, the system information is returned to the caller only if the requesting user (client) is in the admin role; everyone else receives a 403 Forbidden response:
```java
// Other imports (SystemInfo and its helpers) are not shown for brevity
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;

@Path("system")
public class SystemResource {

    @GET
    @Path("info")
    public Response getSystemInfo(@Context SecurityContext securityContext) {
        // Role name as configured in the container's security realm
        String adminGroup = "admin";
        if (securityContext.isUserInRole(adminGroup)) {
            // getSystemInfo reads system info - not shown here
            SystemInfo sysInfo = getSystemInfo();
            return Response.ok(sysInfo, MediaType.APPLICATION_JSON).build();
        } else {
            // Authenticated (or anonymous) caller without the admin role
            return Response.status(Response.Status.FORBIDDEN).build();
        }
    }
}
```
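As an added example that is not from the book, the same SecurityContext checks can also be applied centrally in a JAX-RS ContainerRequestFilter, so that the role check inside SystemResource is not the only gate and the isSecure() and getUserPrincipal() methods from the list above get exercised as well. The filter class name, the guarded path prefix and the realm string are assumptions.

```java
import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;
import java.io.IOException;
import java.security.Principal;

// Hypothetical filter name; runs once per request before any resource method.
@Provider
@Priority(Priorities.AUTHORIZATION)
public class AdminPathGuard implements ContainerRequestFilter {

    // Assumed values: the resource above is mounted at "system" and needs "admin".
    private static final String GUARDED_PREFIX = "system";
    private static final String REQUIRED_ROLE = "admin";

    @Override
    public void filter(ContainerRequestContext requestContext) throws IOException {
        // getPath() is relative to the application base URI, e.g. "system/info"
        String path = requestContext.getUriInfo().getPath();
        if (!path.startsWith(GUARDED_PREFIX)) {
            return; // not a guarded resource, let the request through
        }
        SecurityContext sc = requestContext.getSecurityContext();

        // Credentials for an admin endpoint must not travel over plain HTTP.
        if (!sc.isSecure()) {
            requestContext.abortWith(Response.status(Response.Status.FORBIDDEN)
                    .entity("HTTPS is required for " + path).build());
            return;
        }
        // No authenticated principal: ask the client to authenticate (401),
        // advertising the scheme the container negotiated, if it reports one.
        Principal user = sc.getUserPrincipal();
        if (user == null) {
            String scheme = sc.getAuthenticationScheme();
            Response.ResponseBuilder rb = Response.status(Response.Status.UNAUTHORIZED);
            if (scheme != null) {
                rb.header("WWW-Authenticate", scheme + " realm=\"system\"");
            }
            requestContext.abortWith(rb.build());
            return;
        }
        // Authenticated but not authorized: 403, same outcome as the resource method.
        if (!sc.isUserInRole(REQUIRED_ROLE)) {
            requestContext.abortWith(Response.status(Response.Status.FORBIDDEN).build());
        }
    }
}
```

Because the filter is annotated with @Provider, a JAX-RS 2.0 container that scans for providers picks it up automatically; otherwise register the class in your Application subclass.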