
The implementation of authorization management is based on the declaration of a reference to a JwtSecurityConfiguration-type object in the <jaxrs:server> element:

<jaxrs:server ...>
   <jaxrs:properties>
      <entry key="jwtTokenConfiguration">
         <ref bean="jwtTokenConfiguration"/>
      </entry>
      <entry key="jwtSecurityConfiguration">
         <ref bean="jwtSecurityConfiguration"/>
      </entry>
   </jaxrs:properties>
</jaxrs:server>



The JwtSecurityConfiguration object exposes a list of roles (jwtSecurityRoles) and a set of security constraints (jwtSecurityConstraints).

<bean id="jwtSecurityConfiguration" class="com.hardis.adelia.webservice.JwtSecurityConfiguration">
      <property name="jwtSecurityRoles">
         <list>
            <value>admin</value>
            <value>customer</value>
            <value>supplier</value>
         </list>
      </property>
      <property name="jwtSecurityConstraints">
         <list>
            <ref bean="jwtSecurityConstraint_1" />
            <ref bean="jwtSecurityConstraint_2" />
         </list>
      </property>
</bean>



A security constraint (JwtSecurityConstraint) targets a set of resources (via the url_patterns and http_methods properties) and assigns them authorizations via a list of roles (role_names):


url_patterns

One or more URL patterns.

Only the wildcard character * is accepted in a URL pattern, and only at the end of the URL.


Example: /a/b/c/*


http_methods

A list of HTTP methods (GET/PUT/POST/DELETE, etc.).

The property is optional. Its absence indicates that the constraint applies to all HTTP methods.


role_names

A list of authorized roles.

The roles must belong to the list of roles declared via the JwtSecurityConfiguration object.

The property is optional. Its absence indicates that the resource is never accessible.


<bean id="jwtSecurityConstraint_1" class="com.hardis.adelia.webservice.JwtSecurityConstraint">
      <property name="url_patterns">
         <list>
            <value>/ws/jaxrc1/*</value>
            <value>/ws/jaxrc2/*</value>
            <value>/ws/jaxrc3/*</value>
         </list>
      </property>
     
      <!-- no method == all methods -->
      <property name="http_methods">
         <list>
            <value>PUT</value>
            <value>POST</value>
            <value>DELETE</value>
         </list>
      </property>


     <!-- no role_names == access is forbidden -->
      <property name="role_names">
         <list>
            <value>admin</value>
         </list>
      </property>
</bean>

<bean id="jwtSecurityConstraint_2" class="com.hardis.adelia.webservice.JwtSecurityConstraint">
      <property name="url_patterns">
         <list>
            <value>/ws/jaxrc1/voit2/*</value>
         </list>
      </property>

      <property name="role_names">
         <list>
            <value>customer</value>
            <value>supplier</value>
         </list>
      </property>
</bean>



The example above declares two security constraints:


jwtSecurityConstraint_1: constraint requiring the user to have the admin role for all PUT, POST and DELETE requests with a URL beginning with one of the following three segments:

 /<ContextPath>/ws/jaxrc1/

 /<ContextPath>/ws/jaxrc2/

 /<ContextPath>/ws/jaxrc3/

jwtSecurityConstraint_2: constraint requiring the user to have either the customer role or the supplier role for all requests with a URL beginning with:

 /<ContextPath>/ws/jaxrc1/voit2/



Note: if a resource matches several security constraints, the applicable constraint is determined by the following rules:

[1] Perfect match

[2] A match with a prefix takes precedence over a match with a shorter prefix

[3] A match with a prefix takes precedence over a universal match

[4] Universal match (url_pattern : /)
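
The selection rules above can be modelled to audit a constraint list before it is deployed. The following Python model is an added example, not Adelia code; the names Constraint, match_rank, resolve, is_authorized and the denyAll constraint are hypothetical. It assumes that paths are relative to the context path, that a constraint whose http_methods does not list the request method is skipped before precedence is evaluated, and it returns None when no constraint matches because the page does not state that outcome.

```python
# Added illustration: models the precedence rules on this page; not Adelia code.
from dataclasses import dataclass

@dataclass(frozen=True)
class Constraint:                      # hypothetical stand-in for JwtSecurityConstraint
    name: str
    url_patterns: tuple
    http_methods: tuple = ()           # empty == all methods
    role_names: tuple = ()             # empty == access is forbidden

def match_rank(pattern, path):
    """Sortable rank of a match (higher wins), or None when there is no match."""
    if pattern == "/":
        return (0, 0)                  # [4] universal match
    if pattern.endswith("*"):
        prefix = pattern[:-1]          # "/a/b/c/*" -> "/a/b/c/"
        return (1, len(prefix)) if path.startswith(prefix) else None  # [2], [3]
    return (2, len(pattern)) if path == pattern else None             # [1]

def resolve(constraints, method, path):
    """Pick the governing constraint; path is relative to the context path."""
    best, best_rank = None, None
    for c in constraints:
        # ASSUMPTION: a constraint that does not list the method is skipped
        # before precedence is evaluated.
        if c.http_methods and method.upper() not in c.http_methods:
            continue
        for pattern in c.url_patterns:
            rank = match_rank(pattern, path)
            if rank is not None and (best_rank is None or rank > best_rank):
                best, best_rank = c, rank
    return best

def is_authorized(constraints, method, path, roles):
    """True/False under the governing constraint; None when no constraint matches."""
    c = resolve(constraints, method, path)
    if c is None:
        return None                    # outcome not stated on the page
    return bool(set(roles) & set(c.role_names))

# The two constraints declared on this page.
PAGE = [
    Constraint("jwtSecurityConstraint_1",
               ("/ws/jaxrc1/*", "/ws/jaxrc2/*", "/ws/jaxrc3/*"),
               ("PUT", "POST", "DELETE"), ("admin",)),
    Constraint("jwtSecurityConstraint_2", ("/ws/jaxrc1/voit2/*",),
               role_names=("customer", "supplier")),
]
# Constructed catch-all: universal pattern, no role_names.
DENY_ALL = Constraint("denyAll", ("/",))
```

Under these assumptions, a DELETE on /ws/jaxrc1/voit2/... is governed by jwtSecurityConstraint_2, so the admin role alone is not sufficient there. A GET on /ws/jaxrc1/... matches no constraint unless a catch-all such as the constructed denyAll is declared.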


