2
votes

I currently have a web service running some basic authentication through Tomcat. I get the login box to pop up fine, and I can log in with accounts I have defined in the tomcat-users.xml file. However, when it comes to defining permissions based on roles, I'm having some issues.

Currently, I have three roles: manager, admin, and user. I have a few methods which should be only accessible by, say, an admin role. I can log in as my manager/admin/user super account and see everything just fine, but I can do the same as a normal user as well.

The methods are defined like so:

import javax.annotation.security.RolesAllowed;
import javax.ws.rs.GET;
import javax.ws.rs.Path;

@Path("/Test")
@RolesAllowed("admin")
public class Test
{
    // GET /Test : meant for the 'user' role (the method-level annotation
    // is expected to override the class-level one)
    @GET
    @RolesAllowed("user")
    public String methodThatMyUsersCanAccess() { return "user"; }

    // GET /Test/Secure : meant for the 'admin' role only
    @GET
    @Path("/Secure")
    @RolesAllowed("admin")
    public String methodThatOnlyAdminsCanAccess() { return "admin"; }
}

I'm really not sure how a 'user' role would be able to access the second method, but somehow it still happens.

2
So just to be clear, it looks like the /Test resource maps to methodThatMyUsersCanAccess and should only be accessible by the user role and /Test/Secure maps to methodThatOnlyAdminsCanAccess and is only accessible by the admin role. The @RolesAllowed annotation is from JSR 250 which states that its use in a method should override its use at the class level. What happens when you remove the @RolesAllowed annotation from the class level? (stand)

It's still doing the same thing. Logged in as a 'user', I'm still able to access the 'admin' method. (ZKSteffel)

2 Answers

1
votes

After some more investigation, I discovered that using @RolesAllowed was doing nothing in my code due to the way my web.xml file was configured. I decided to move in the direction of setting authentication by URI path. This is done through modifying the web.xml to allow a subset of users to access each path under separate <security-constraint> tags. I found my best resource for this here: http://www.coderanch.com/t/176095/java-Web-Component-SCWCD/certification/auth-constraint-confusion in the second post.
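The following web.xml fragment is an added example of the path-based approach this answer describes; it is not from the question, the answer or the linked thread. It assumes the Jersey servlet is mapped to /rest/*, so the resources from the question are reached at /rest/Test and /rest/Test/Secure, and it uses the three role names from the question. Because the servlet container picks the single best-matching url-pattern for a request (an exact match wins over a /* prefix), the exact /rest/Test/Secure constraint is the only one applied to that URL, so a principal holding only the user role is refused there.

```xml
<!-- Added example, not part of the original post. Assumes the Jersey
     servlet is mapped to /rest/*; adjust the url-patterns if it is not. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>user area</web-resource-name>
        <!-- no <http-method> listed on purpose: the constraint then covers
             every HTTP method instead of leaving unlisted ones unprotected -->
        <url-pattern>/rest/Test</url-pattern>
        <url-pattern>/rest/Test/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <!-- roles do not nest, so admin must be listed here explicitly -->
        <role-name>user</role-name>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>admin area</web-resource-name>
        <!-- exact match: takes precedence over /rest/Test/* above -->
        <url-pattern>/rest/Test/Secure</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>

<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Test realm</realm-name>
</login-config>

<!-- every role referenced above must be declared, and each must exist
     as a role in tomcat-users.xml for the container to grant it -->
<security-role><role-name>user</role-name></security-role>
<security-role><role-name>admin</role-name></security-role>
<security-role><role-name>manager</role-name></security-role>
```

Two things to check when using this: the url-patterns are matched against the request path after the context root, so they must include whatever prefix the Jersey servlet is mapped under, and a resource path that no constraint covers is served to anyone, so every path the application exposes needs a constraint rather than only the ones known to be sensitive.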

0
votes

The key point is to configure RolesAllowedResourceFilterFactory in web.xml, as below:

<servlet>
    <servlet-name>jersey-servlet</servlet-name>
    <servlet-class>com.sun.jersey.spi.spring.container.servlet.SpringServlet</servlet-class>
    <init-param>
        <param-name>com.sun.jersey.config.property.packages</param-name>
        <param-value>com.mycompany.mobile.rest</param-value>
    </init-param>
    <init-param>
        <param-name>com.sun.jersey.api.json.POJOMappingFeature</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>com.sun.jersey.config.feature.Trace</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>com.sun.jersey.spi.container.ContainerRequestFilters</param-name>
        <param-value>com.mycompany.mobile.rest.filter.RestSecurityFilter</param-value>
    </init-param>
    <init-param>
        <param-name>com.sun.jersey.spi.container.ResourceFilters</param-name>
        <param-value>com.sun.jersey.api.container.filter.RolesAllowedResourceFilterFactory</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>