Form authentication for Restful services

We can authenticate a RESTful service using the servlet container's own security mechanism (here Tomcat's), configured entirely in the web.xml file. The following example uses form-based authentication.

web.xml

<web-app id="WebApp_ID" version="2.4"
  xmlns="http://java.sun.com/xml/ns/j2ee"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
    http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
  <display-name>Restful Web Application</display-name>

  <!-- Jersey servlet; scans the com.smashplus package for resource classes -->
  <servlet>
    <servlet-name>TestServlet</servlet-name>
    <servlet-class>com.sun.jersey.spi.container.servlet.ServletContainer</servlet-class>
    <init-param>
      <param-name>com.sun.jersey.config.property.packages</param-name>
      <param-value>com.smashplus</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>TestServlet</servlet-name>
    <url-pattern>/resources/*</url-pattern>
  </servlet-mapping>

  <!-- Everything under /resources/* requires the authenticated-user role -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Private</web-resource-name>
      <description>Matches all pages.</description>
      <url-pattern>/resources/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>authenticated-user</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Public</web-resource-name>
      <description>Matches a few special pages.</description>
      <url-pattern>/index.jsp</url-pattern>
      <url-pattern>/public/*</url-pattern>
    </web-resource-collection>
    <!-- No auth-constraint means everybody has access! -->
  </security-constraint>

  <security-role>
    <description>
      A role for all authenticated ("logged in") users. This
      role must be present in the servlet container's user
      management database.
    </description>
    <role-name>authenticated-user</role-name>
  </security-role>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/jsp/LoginForm.html</form-login-page>
      <form-error-page>/jsp/LoginError.html</form-error-page>
    </form-login-config>
  </login-config>
</web-app>

You must have the following user configuration in the tomcat-users.xml file.
      <role rolename="authenticated-user" />
      <user username="shams" password="mypass" roles="authenticated-user" />

How it works

The security constraint takes effect when the request URL matches /resources/*, for example http://localhost:8080/restdemo/resources/test/smash; an unauthenticated request to such a URL is redirected to LoginForm.html. This is the url-pattern mapped under the Private <web-resource-name> in the web.xml file above. The login page must be defined as follows: the form action must be j_security_check, and the input fields must be named j_username and j_password.

<form method="POST" action="j_security_check">
  Username: <input type="text"  name="j_username"><br />
  Password: <input type="password" name="j_password"><br />
  <br />
  <input type="submit" value="Login">
  <input type="reset"  value="Reset">
</form>

[Screenshot of the login form]

In the login form, enter a user configured in the tomcat-users.xml file; the credentials are checked by the realm configured in the server.xml file. If authentication succeeds, the container redirects to the originally requested RESTful service; otherwise it redirects to the error page configured in web.xml.

The above example uses UserDatabaseRealm, which reads users and roles from that XML configuration.
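As an added check (not from the original post, and not Tomcat's or Jersey's own code), the script below reads a web.xml and reports any url-pattern served by a servlet that no <security-constraint> carrying an <auth-constraint> covers, which is exactly the mistake the "No auth-constraint means everybody has access!" comment warns about. The embedded web.xml is a constructed, trimmed copy of the one above; it uses only the Python standard library.

```python
# Added check: does every servlet url-pattern in web.xml fall under a
# security-constraint that actually carries an <auth-constraint>?
import xml.etree.ElementTree as ET

NS = "{http://java.sun.com/xml/ns/j2ee}"  # default namespace of the web.xml above

# Constructed sample, trimmed from the web.xml above: "Private" guards
# /resources/*, while "Public" has no <auth-constraint> and so is open to all.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <servlet-mapping>
    <servlet-name>TestServlet</servlet-name>
    <url-pattern>/resources/*</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Private</web-resource-name>
      <url-pattern>/resources/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>authenticated-user</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Public</web-resource-name>
      <url-pattern>/public/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
</web-app>"""

def covers(guard, target):
    """True if constraint pattern `guard` matches every URL that servlet pattern `target` serves."""
    if guard == "/*" or guard == target:
        return True
    if guard.endswith("/*"):  # path-prefix pattern, e.g. /resources/*
        base = guard[:-2]
        return target == base or target.startswith(base + "/")
    return False  # extension patterns such as *.jsp are not treated as covering

def protected_patterns(root):
    """url-patterns of constraints that have an <auth-constraint> (a role is required)."""
    out = set()
    for sc in root.iter(NS + "security-constraint"):
        if sc.find(NS + "auth-constraint") is None:
            continue  # no auth-constraint: everybody has access
        out.update(p.text.strip() for p in sc.iter(NS + "url-pattern"))
    return out

def unprotected_servlet_patterns(web_xml):
    """Servlet url-patterns that no auth-constrained <security-constraint> covers."""
    root = ET.fromstring(web_xml)
    guards = protected_patterns(root)
    served = {p.text.strip() for m in root.iter(NS + "servlet-mapping")
              for p in m.iter(NS + "url-pattern")}
    return sorted(t for t in served if not any(covers(g, t) for g in guards))
```

Run it against the real web.xml with `unprotected_servlet_patterns(open("web.xml").read())`; an empty list means every Jersey endpoint sits behind the login form.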
