The javax.annotation.security annotations available with Java EE simplify the coding effort for adding authentication and authorization checks to an application. The Jersey framework allows you to use the following javax.annotation.security annotations on the JAX-RS resource class or its methods to control access based on the caller's role:
- javax.annotation.security.DenyAll: With this, no role can invoke the annotated resource class or method
- javax.annotation.security.PermitAll: With this, all security roles are allowed to invoke the annotated resource method(s)
- javax.annotation.security.RolesAllowed: This specifies the list of roles permitted to access the annotated method(s) in an application
To use the preceding annotations in your JAX-RS resource class or methods, you need to register the following dynamic feature provider offered by the Jersey framework:
org.glassfish.jersey.server.filter.RolesAllowedDynamicFeature.
The following code snippet uses a subclass of javax.ws.rs.core.Application to register the RolesAllowedDynamicFeature provider:
```java
//Other imports are removed for brevity
import java.util.Set;
import javax.ws.rs.core.Application;
import org.glassfish.jersey.server.filter.RolesAllowedDynamicFeature;

@javax.ws.rs.ApplicationPath("webresources")
public class ApplicationConfig extends Application {
    @Override
    public Set<Class<?>> getClasses() {
        Set<Class<?>> resources = new java.util.HashSet<>();
        //Rest of the code goes here (resource classes are added to the set)
        // Registering the dynamic feature is what makes the security
        // annotations take effect; without it they are silently ignored.
        resources.add(RolesAllowedDynamicFeature.class);
        return resources;
    }
}
```
Let's see how to use the security annotation with a JAX-RS service to prevent unauthorized access. The following code snippet uses the @RolesAllowed security annotation to restrict access to the resource method. This example uses @RolesAllowed("admin") on the resource method to allow only users that have the admin role to access this API at runtime:
```java
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

@GET
@Path("security")
@RolesAllowed("admin")
public Response getSystemInfo() {
    // readSystemInfo() is a placeholder name for the helper that reads the
    // system information; its definition (and the SystemInfo type) is not
    // shown here to save space
    SystemInfo sysInfo = readSystemInfo();
    return Response.ok(sysInfo, MediaType.APPLICATION_JSON).build();
}
```
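The registration and annotation steps above are only half of the picture: RolesAllowedDynamicFeature does not authenticate anyone, it just asks the request's SecurityContext whether the caller holds a role. The following added example (not code from the original page) shows the three annotations on one resource together with a ContainerRequestFilter that installs a SecurityContext; the filter, its hard-coded "demo-user" principal and "admin" role are constructed stand-ins for real authentication (container-managed login or a token-validating filter), and the two classes belong in separate source files.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.Set;
import javax.annotation.Priority;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;

// Resource class. For every method RolesAllowedDynamicFeature registers a
// request filter that runs before the method: @PermitAll adds no check,
// @DenyAll always fails, and @RolesAllowed fails unless
// SecurityContext.isUserInRole(...) is true for one of the listed roles.
// A failed check is answered with 403 Forbidden and the method never runs.
@Path("system")
public class SystemResource {
    @GET @Path("status") @PermitAll
    public String status() { return "up"; }

    @GET @Path("security") @RolesAllowed("admin")
    public String securityInfo() { return "admin-only data"; }

    @GET @Path("debug") @DenyAll
    public String debug() { return "never reachable"; }
}

// Constructed stand-in for authentication (assumption, not a real scheme).
// It runs at AUTHENTICATION priority, i.e. before the AUTHORIZATION-priority
// filter that RolesAllowedDynamicFeature installs, so the role check sees it.
@Provider
@Priority(Priorities.AUTHENTICATION)
class DemoSecurityContextFilter implements ContainerRequestFilter {
    @Override
    public void filter(ContainerRequestContext ctx) {
        final boolean secure = ctx.getSecurityContext().isSecure();
        final Set<String> roles = Collections.singleton("admin"); // constructed sample role
        ctx.setSecurityContext(new SecurityContext() {
            public Principal getUserPrincipal() { return () -> "demo-user"; }
            public boolean isUserInRole(String role) { return roles.contains(role); }
            public boolean isSecure() { return secure; }
            public String getAuthenticationScheme() { return "DEMO"; }
        });
    }
}
```

With the filter registered alongside RolesAllowedDynamicFeature, GET /system/status and /system/security succeed while /system/debug returns 403; removing the filter makes /system/security return 403 as well, which is the quickest way to confirm the annotations are actually enforced.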