I'm using RESTEasy 3.0.11.Final on JBoss 5.1.0 GA. I have defined a REST web service. The whole service is secured with Basic authentication against a custom security domain. When I use Postman to send request #1 with Basic authentication as user A, JBoss invokes the login module for that user and calls the local EJB (looked up via the initial context) method with caller principal A. When I immediately afterwards send request #2 with Basic authentication as user B, in this case JBoss does not invoke the login module and calls the local EJB method with caller principal A again. After some time, sending the request as user B yields the desired result (the local EJB method is called with caller principal B). I'm not sure what causes the problem: the RESTEasy service configuration / session handling, or the JBoss security domain configuration responsible for the login modules (subject timeout? lack of logout after the method is called?). I want to configure RESTEasy to force a new session and a new login module invocation for the local EJB method call on every REST request.
web.xml:
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns="http://java.sun.com/xml/ns/javaee"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         id="WebApp_ID" version="2.5">
    <display-name>my-app</display-name>
    <context-param>
        <param-name>resteasy.providers</param-name>
        <param-value>org.jboss.resteasy.plugins.providers.jackson.ResteasyJackson2Provider,com.mycompany.infrastructure.ExceptionMapper</param-value>
    </context-param>
    <context-param>
        <param-name>resteasy.resources</param-name>
        <param-value>com.mycompany.resource.Resource</param-value>
    </context-param>
    <listener>
        <listener-class>org.jboss.resteasy.plugins.server.servlet.ResteasyBootstrap</listener-class>
    </listener>
    <servlet>
        <servlet-name>my-app-resteasy-servlet</servlet-name>
        <servlet-class>org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher</servlet-class>
        <init-param>
            <param-name>javax.ws.rs.core.Application</param-name>
            <param-value>com.mycompany.application.Application</param-value>
        </init-param>
    </servlet>
    <servlet-mapping>
        <servlet-name>my-app-resteasy-servlet</servlet-name>
        <url-pattern>/*</url-pattern>
    </servlet-mapping>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>my-app-resteasy-servlet</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>user</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>myrealm</realm-name>
    </login-config>
    <security-role>
        <role-name>user</role-name>
    </security-role>
</web-app>
jboss-web.xml
<jboss-web>
    <context-root>/path</context-root>
    <security-domain>java:/jaas/myrealm</security-domain>
</jboss-web>
beans.xml
<beans xmlns="http://xmlns.jcp.org/xml/ns/javaee"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/beans_1_1.xsd"
       bean-discovery-mode="all">
</beans>
login-config.xml (myrealm)
<application-policy name="myrealm">
    <authentication>
        <login-module code="com.mycompany.security.UsernamePasswordLoginModuleImpl" flag="required">
            <module-option name="password-stacking">useFirstPass</module-option>
        </login-module>
    </authentication>
</application-policy>
Resource.java
import javax.ejb.Stateless;
import javax.ws.rs.Consumes;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;

@Path("/resource")
@Stateless
public class Resource {

    @POST
    @Path("/execute")
    @Consumes(MediaType.APPLICATION_JSON)
    @Produces(MediaType.APPLICATION_JSON)
    public ResponseDto execute(RequestDto dto) {
        try {
            // code
        } catch (Exception exception) {
            // handle
        }
        return null; // placeholder: the real response was elided in the post
    }
}
I found a rough solution:
Resource.java:
import javax.ejb.Stateless;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.Consumes;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;

@Path("/resource")
@Stateless
public class Resource {

    @POST
    @Path("/execute")
    @Consumes(MediaType.APPLICATION_JSON)
    @Produces(MediaType.APPLICATION_JSON)
    public ResponseDto execute(RequestDto dto, @Context HttpServletRequest request) {
        try {
            // code
        } catch (Exception exception) {
            // handle
        } finally {
            // finally (the post had a bare block here) so the session is dropped
            // even when the try block returns or the catch block rethrows
            if (request != null) {
                request.getSession().invalidate();
            }
        }
        return null; // placeholder: the real response was elided in the post
    }
}
Or, for the same result with a different implementation (without repeating the same code in every method of the resource, obviously):
SessionInvalidatorFilter.java
import java.io.IOException;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerResponseContext;
import javax.ws.rs.container.ContainerResponseFilter;
import javax.ws.rs.core.Context;

public class SessionInvalidatorFilter implements ContainerResponseFilter {

    @Context
    private HttpServletRequest request;

    @Override
    public void filter(ContainerRequestContext requestCtx, ContainerResponseContext responseCtx)
            throws IOException {
        // getSession(false) returns null instead of creating a session only to invalidate it;
        // the null check in the post was always true because getSession() creates one on demand
        if (request != null) {
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.invalidate();
            }
        }
    }
}
web.xml
<context-param>
    <param-name>resteasy.providers</param-name>
    <param-value>com.mycompany.infrastructure.filter.SessionInvalidatorFilter</param-value>
</context-param>
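Invalidating the session after each response stops a cached principal from leaking into the next request, but it does not tell you when the container has already answered a request under the wrong identity. The filter below is an added example (my code, not the poster's) that catches exactly the symptom described in the question: it decodes the username from the Basic Authorization header and compares it with the principal the container established for the request. On a mismatch it drops the session and aborts with 401, so a request sent as user B is never executed as user A. The class name StalePrincipalGuard is hypothetical; the realm name myrealm is taken from the web.xml above; javax.xml.bind.DatatypeConverter is used for Base64 because it is available on the Java 6 runtime that JBoss 5.1 targets. Register it via resteasy.providers the same way as SessionInvalidatorFilter.

```java
import java.io.IOException;
import java.security.Principal;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.xml.bind.DatatypeConverter;

// Hypothetical class name; added example, not code from the original post.
@PreMatching
public class StalePrincipalGuard implements ContainerRequestFilter {

    private static final String BASIC_PREFIX = "Basic ";

    @Context
    private HttpServletRequest request;

    @Override
    public void filter(ContainerRequestContext ctx) throws IOException {
        String header = ctx.getHeaderString(HttpHeaders.AUTHORIZATION);
        Principal principal = request.getUserPrincipal();

        // Nothing to compare: no Basic credentials on this request, or the
        // container has not authenticated it (the security constraint then rejects it).
        if (header == null || principal == null
                || !header.regionMatches(true, 0, BASIC_PREFIX, 0, BASIC_PREFIX.length())) {
            return;
        }

        String presented = usernameFromBasic(header);
        if (presented == null || !presented.equals(principal.getName())) {
            // The container reused a principal cached in the session for credentials
            // that name a different user: drop the session and force re-authentication.
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.invalidate();
            }
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                    .header(HttpHeaders.WWW_AUTHENTICATE, "Basic realm=\"myrealm\"")
                    .build());
        }
    }

    // Extracts the user part of "Basic base64(user:password)"; returns null when malformed.
    static String usernameFromBasic(String header) {
        try {
            byte[] decoded = DatatypeConverter.parseBase64Binary(
                    header.substring(BASIC_PREFIX.length()).trim());
            String pair = new String(decoded, "UTF-8");
            int colon = pair.indexOf(':');
            return colon < 0 ? null : pair.substring(0, colon);
        } catch (IllegalArgumentException e) {
            return null;
        }
    }
}
```

Because the guard runs before resource matching and the container's authenticator has already run, a mismatch is the signal that the session-cached principal, not the presented credentials, was used; logging the two names at that point gives a concrete audit trail for the behaviour the question describes.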