JAX-RS is an annotation-driven Java API that can be used for exposing Java beans as HTTP based services. For example, RESTful web applications are developed using JAX-RS annotations to define the resources exposed by the service. Web applications developed using JAX-RS annotations consist of the following qualities:
...
JAX-RS annotations are defined in JSR 311. They are also a way of mapping Java with HTTP requests. For example, @GET, @PUT, @POST, @DELETE and @HEAD are JAX-RS annotations that directly map to HTTP requests by the same name. See the official Java documentation, for details about JAX-RS annotations and RESTful web services.
Shown below is an example of a simple web application that uses the following JAX-RS annotations: @Path, @GET, @Consumes and @Produces.
...
In this example, the @GET annotation is used to specify how the web application should respond to HTTP GET requests coming from a client. The @Consumes annotation determines the media type that the web service can accept from the client and the @Produces annotation determines the media type that the web service can return to the client in response to the request.
Configuring JAX-RS applications for AS
The following sections explain some of the configuration options that are available for JAX-RS applications:
...
For authentication, you should first enable the basic-auth security constraint in the
web.xmlfile of your web application. In AS, web applications are authenticated against the Carbon user stores. The User ManagementWorking with Users, Roles and Permissions section explains how user stores are set up and configured. By default, WSO2 Carbon products come with a default JDBC-based user store, and do not usetomcat-users.xml(which comes by default with Apache Tomcat). This allows the web application to be authenticated against user stores such as LDAP, ActiveDirectory etc. So, when you set BASIC auth as a security-constraint viaweb.xml, the users will be authenticated against the users and roles set in a Carbon user store. See the following example:Code Block <security-constraint> <web-resource-collection> <web-resource-name>CXF Jax-RS security</web-resource-name> <url-pattern>/services/*</url-pattern> </web-resource-collection> <auth-constraint> <role-name>admin</role-name> <role-name>newrole</role-name> </auth-constraint> </security-constraint>You must add a cxf interceptor in the
cxf-servlet.xmlfile. The roles you set using the @RolesAllowed annotation is authorized by CXF using the request interceptor,org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor. CXF receives the underlying container’s SecurityContext for this task. Since we have set the Carbon user store as the default user realm, CXF will use that. See the following example:Code Block <!-- The SecureAnnotationsInterceptor honors the @RolesAllowed, @PermitAll and @DenyAll annotations --> <bean id="authorizationInterceptor" class="org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor"> <property name="securedObject" ref="serviceBean"/> </bean> <jaxrs:server id="customerService" address="/customers"> <!-- set the interceptor for the jaxrs:server for in-bound messages to authorize the user --> <jaxrs:inInterceptors> <ref bean="authorizationInterceptor"/> </jaxrs:inInterceptors> <jaxrs:serviceBeans> <ref bean="serviceBean"/> </jaxrs:serviceBeans>Then, you can go ahead and add the relevant annotation to the needed resource methods in your JAX-RS resource class. See the following examples:
@RolesAllowed annotation: The required roles for authentication and authorization should be specified for the application. In the example given below, only the users with the “admin” role will be able to access the resource method, "getCustomer".
Code Block @GET @RolesAllowed("admin") @Produces("application/xml") @Path("/customers/{id}/") public Customer getCustomer(@PathParam("id") String id) { System.out.println("----invoking getCustomer, Customer id is: " + id);long idNumber = Long.parseLong(id);Customer c = customers.get(idNumber); return c;}@DenyAll annotation: Block all users in the user store from accessing the service.
Code Block @DenyAll @Path("/orders/{orderId}/") public Order getOrder(@PathParam("orderId") String orderId) { System.out.println("----invoking getOrder, Order id is: " + orderId); long idNumber = Long.parseLong(orderId); Order c = orders.get(idNumber); return c; }@PermitAll annotation: Allows all users in the user store to access the service.
Code Block @PermitAll @Path("/orders/{orderId}/") public Order getOrder(@PathParam("orderId") String orderId) { System.out.println("----invoking getOrder, Order id is: " + orderId); long idNumber = Long.parseLong(orderId); Order c = orders.get(idNumber); return c; }
The annotations such as @RolesAllowed comes from the jsr250-api Common Annotations library. This is not shipped with WSO2 AS by default. So, you need to either include this library in your web application, or directly copy it to the AS. Since this is for a CXF JAX-RS application, you may copy this library to
<AS_HOME>/lib/runtimes/cxf/folder. The Maven dependency information for jsr250-api library is as follows:Code Block <dependency> <groupId>javax.annotation</groupId> <artifactId>jsr250-api</artifactId> <version>1.0</version> </dependency>
...
JAX-WS and JAX-RS applications can be bundled in a CXF application. Generally, the folder structure of a CXF application is as follows. However, this can change depending on your application. Please see the Webapp ClassLoading page for adding webapp-classloading.xml. It's a custom file implemented by WSO2 to give flexibility in classloading. You must have this file to deploy JAX-WS and JAX-RS applications because the CXF runtime is not visible to the webapps by default.
...