I have created my first Java EE 7 app with a pure JAX-RS front end interface. All is tested and is working fine. Now I want to apply a security layer (role based, applied on resources or methods). I have a clear imagination of what I want at the end (don't know if it makes sense), but I am unsure how to get there (what ingredients to use, in which order). So here is what I want:
- I want to use WildFly as identity provider (WildFly should store user credentials - in a DB, encrypted)
- My app is completely REST based, so I need some way to put authentication info into requests (token?!)
- Basic auth would be OK (each user must be authenticated); form not needed, no self-registration needed
- To restrict access to certain resources/methods I want to use Java EE 7 standards (annotations, interceptors, ...)
Does this make sense? If yes, are there examples or docs that do it the same way or at least very similarly? I found jboss-picketlink-quickstarts, but it contains many examples and I am not sure which fits best. Do I need PicketLink at all?
Since I have a "User" with a "UserRole" (an enum) in my persistence tier, I think I need some kind of mapping between the roles provided by the IDP (WildFly) and my own - right?
This is more or less what I've done:
User database realm, in standalone.xml:
See the database login queries in the log, standalone.xml:
Insert the password into the database: use SHA256 + HEX. The inserts for the roles are also needed.
Set the realm in jboss-web.xml
On web.xml, create the security constraints:
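The three configuration pieces the answer lists, written out as one added example (this is not the answerer's own configuration, and it assumes names the thread does not give: a datasource bound at `java:jboss/datasources/MyAppDS`, tables `users` and `user_roles`, a security domain called `MyAppRealm`, roles `user` and `admin`, and JAX-RS resources rooted at `/api/`; the `urn:jboss:domain:security:1.2` namespace is the one used by the legacy PicketBox security subsystem in WildFly 8 and is also an assumption about the server version):

```xml
<!-- standalone.xml: a security domain backed by the Database login module.
     Assumed names: datasource java:jboss/datasources/MyAppDS, tables users and
     user_roles, domain MyAppRealm. The datasource itself must already exist. -->
<subsystem xmlns="urn:jboss:domain:security:1.2">
  <security-domains>
    <security-domain name="MyAppRealm" cache-type="default">
      <authentication>
        <login-module code="Database" flag="required">
          <module-option name="dsJndiName" value="java:jboss/datasources/MyAppDS"/>
          <!-- one row, one column: the stored password hash of the user -->
          <module-option name="principalsQuery"
                         value="SELECT password FROM users WHERE username = ?"/>
          <!-- two columns: role name and role group; 'Roles' is the group
               the container consults for authorization decisions -->
          <module-option name="rolesQuery"
                         value="SELECT role, 'Roles' FROM user_roles WHERE username = ?"/>
          <!-- passwords are stored as hex-encoded SHA-256 digests, as the answer describes -->
          <module-option name="hashAlgorithm" value="SHA-256"/>
          <module-option name="hashEncoding" value="hex"/>
        </login-module>
      </authentication>
    </security-domain>
  </security-domains>
</subsystem>

<!-- WEB-INF/jboss-web.xml: bind the deployment to that security domain -->
<jboss-web>
  <security-domain>MyAppRealm</security-domain>
</jboss-web>

<!-- WEB-INF/web.xml: BASIC auth; everything under /api/ (assumed JAX-RS root)
     is restricted to the roles returned by rolesQuery -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>REST API</web-resource-name>
      <url-pattern>/api/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
      <role-name>admin</role-name>
    </auth-constraint>
    <!-- BASIC sends the credentials with every request, so require TLS -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>MyAppRealm</realm-name>
  </login-config>
  <security-role><role-name>user</role-name></security-role>
  <security-role><role-name>admin</role-name></security-role>
</web-app>
```

Two things worth checking when wiring this up. First, the role mapping the question asks about: whatever strings `rolesQuery` returns are the role names the container sees, so if the `user_roles.role` column holds the `name()` of the application's `UserRole` enum, the `<role-name>` entries in web.xml (and any `@RolesAllowed` values) are simply those same strings and no extra mapping layer is needed. Second, the stored value must be the hex encoding of the SHA-256 digest of the password; the login module hashes the submitted password the same way and compares the encoded strings, so the stored hex digits must match in case (the module produces lowercase). An unsalted, single-round SHA-256 is exactly what the answer describes and what these options configure, but it offers little resistance to offline cracking if the table leaks, which is the main risk to weigh with this setup.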