How to authenticate users in Jersey

被撕碎了的回忆 2020-12-29 00:36

I am writing a RESTful application in Java using Jersey, and I need to authenticate users. I know I can specify the roles in the resource using the annotations @RolesAllowed

3 answers
  •  星月不相逢
    2020-12-29 01:14

    There are two things we need to address:

    1. Authentication - Checking if the user is really the one it claims to be
    2. Authorization - If the authenticated user has the privilege to access the given method

    To do both authentication and authorization, we need a data store that stores the following mappings:

    1. Mapping between user and its password
    2. Mapping between roles and users
    3. Mapping between roles and permissions

    Here the first mapping is required for authentication and the other two mappings are used for authorization.

    Also, note that we need to do authentication and authorization for every API call. So we will be doing a lot of read operations.

    Hence, usually a directory server or LDAP server such as Apache DS is used to store these mappings, because a directory server is a read-optimised data store.

    In a RESTful application, usually a filter is used to extract the username and password from the request header and do the authentication with the LDAP server. If the authentication is successful, the next step is to extract the permissions of the user from the LDAP server by consulting the user-role and role-permission mappings. Only if the user is authorized does control flow to the actual API business logic.

    Refer to this answer for details.
