I'd like to annotate all of my JAX-RS Resources with some sort of "roles" attribute that will be read through the context by an access control filter. An example of such a JAX-RS Resource is (pseudo):
```java
@Path("foo")
public class FooResource {
    @GET
    @Context(roles = "admin,user")
    public Response foo() {
        return Response.noContent().build();
    }
}
```
Thus, the AccessControlFilter would have access to the resource-specific "roles" value:
```java
public class AccessControlFilter implements ContainerRequestFilter {
    @Override
    public void filter(ContainerRequestContext context) throws IOException {
        String accessToken = accessToken(context);
        // Pseudo: the desired lookup of the resource-specific "roles" value.
        String roles = context.getContext("roles");
        // ... validate access Token against roles ...
    }

    // Returns the value of the "access_token" cookie, or null if it is absent.
    @Nullable
    private static String accessToken(ContainerRequestContext context) {
        Map<String, Cookie> cookies = context.getCookies();
        Cookie accessTokenCookie = cookies.get("access_token");
        if (accessTokenCookie != null) {
            return accessTokenCookie.getValue();
        }
        return null;
    }
}
```
I've been digging around:
- I see something of an implementation in the Jersey docs Example 16.1. Using SecurityContext for a Resource Selection, however I'm looking for a more vanilla API to build simple access control on.
- Specifying Authorized Users by Declaring Security Roles
- Example 16.6. Applying javax.annotation.security to JAX-RS resource methods.
- How to access Jersey resource secured by @RolesAllowed
Just inject ResourceInfo into the filter class. From there you can get the resourceMethod. Then just use some reflection to get the annotation.
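The approach from the answer above, as an added example that is not part of the original post: a filter that injects ResourceInfo, reads a role annotation from the matched method (falling back to the class) and denies the request when nothing matches. The `@Roles` annotation, the `TOKEN_ROLES` map and its sample tokens are assumptions made for illustration, and the `javax.ws.rs` namespace and Java 9+ are assumed.

```java
import java.io.IOException;
import java.lang.annotation.*;
import java.util.*;
import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.*;
import javax.ws.rs.core.*;
import javax.ws.rs.ext.Provider;

// Hypothetical annotation standing in for the question's "roles" attribute.
@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.METHOD, ElementType.TYPE})
@interface Roles { String[] value(); }

@Provider
@Priority(Priorities.AUTHORIZATION)
// No @PreMatching here: ResourceInfo is only populated after resource matching.
public class AccessControlFilter implements ContainerRequestFilter {
    // Constructed sample data; stands in for a real token/session store.
    private static final Map<String, Set<String>> TOKEN_ROLES =
            Map.of("sample-token-1", Set.of("user"), "sample-token-2", Set.of("admin"));

    @Context
    private ResourceInfo resourceInfo; // injected by the JAX-RS runtime

    @Override
    public void filter(ContainerRequestContext context) throws IOException {
        // A method-level annotation wins; otherwise fall back to the class.
        Roles roles = resourceInfo.getResourceMethod().getAnnotation(Roles.class);
        if (roles == null) {
            roles = resourceInfo.getResourceClass().getAnnotation(Roles.class);
        }
        Cookie cookie = context.getCookies().get("access_token");
        Set<String> granted = cookie == null ? null : TOKEN_ROLES.get(cookie.getValue());
        if (granted == null) { // no cookie, or a token the store does not know
            context.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
        } else if (roles == null
                || Collections.disjoint(granted, Arrays.asList(roles.value()))) {
            // Fail closed: unannotated resources and role mismatches are both denied.
            context.abortWith(Response.status(Response.Status.FORBIDDEN).build());
        }
    }
}
```

A resource method would then carry `@Roles({"admin", "user"})` in place of the pseudo `@Context(roles = "admin,user")` from the question. Denying unannotated resources means a forgotten annotation results in a 403 rather than an open endpoint.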