Getting started securing a JAX-RS webapp in WildFly


I have created my first Java EE 7 app with a pure JAX-RS front-end interface. All is tested and working fine. Now I want to apply a security layer (role based, applied on resources or methods). I have a clear picture of what I want at the end (don't know if it makes sense), but I am unsure how to get there (what ingredients to use, in which order). So here is what I want:

  • I want to use WildFly as identity provider (WildFly should store user credentials in a DB, encrypted)
  • my app is completely REST based, so I need some way to put authentication info into requests (token?!)
  • basic auth would be OK (each user must be authenticated), form not needed, no self registration needed
  • to restrict access to certain resources/methods I want to use Java EE 7 standards (annotations, interceptors...)

Does this make sense? If yes, are there examples or docs that do it the same way or at least very similarly? I found jboss-picketlink-quickstarts, but it contains many examples and I am not sure which fits best. Do I need PicketLink at all?

Since I have a "User" with a "UserRole" (an enum) in my persistence tier, I think I need some kind of mapping between the roles provided by the IDP (WildFly) and my own - right?


This is more or less what I've done:

  • User database realm, on standalone.xml:

            <security-domain name="THE_Realm" cache-type="default">
                <authentication>
                    <login-module code="Database" flag="required">
                        <module-option name="dsJndiName" value="java:/jdbc/risk_ds"/>
                        <!--module-option name="principalsQuery" value="SELECT encode(pass, 'hex') as 'Password' FROM user WHERE username = ?"/-->
                        <module-option name="principalsQuery" value="SELECT pass as 'Password' FROM user WHERE username = ?"/>
                        <module-option name="rolesQuery" value="select role as 'Role', 'Roles' from user_role WHERE username = ?"/>
                        <module-option name="hashAlgorithm" value="SHA-256"/>
                        <module-option name="hashEncoding" value="hex"/>
                    </login-module>
                </authentication>
            </security-domain>
    
  • To see the database login queries in the log, in standalone.xml:

        <logger category="org.jboss.security">
            <level name="TRACE"/>
        </logger>
    
  • Insert the password into the database as SHA-256 + hex. The inserts on roles are also needed.

    -- column names must match principalsQuery (user.pass) and rolesQuery (user_role.username, user_role.role)
    insert into user (username, pass) values ('the_name', sha2('the_password', 256));
    insert into user_role (username, role) values ('the_name', 'ROLE_USER');
    
  • Set the realm in jboss-web.xml:

       <?xml version="1.0" encoding="UTF-8"?>
       <jboss-web>
           <security-domain>THE_Realm</security-domain>
       </jboss-web>
    
  • In web.xml, create the security constraints:

        <security-constraint>
            <web-resource-collection>
                <web-resource-name>Secure Content</web-resource-name>
                <url-pattern>/the_path/*</url-pattern>
            </web-resource-collection>
            <auth-constraint>
                <role-name>ROLE_USER</role-name>
            </auth-constraint>
        </security-constraint>
    
        <login-config>
            <auth-method>BASIC</auth-method>
            <realm-name>THE_Realm</realm-name>
        </login-config>
    
    
        <security-role>
            <description>The role required to access restricted content </description>
            <role-name>ROLE_USER</role-name>
        </security-role>
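To cover the part of the question the answer leaves open (restricting methods with Java EE annotations and mapping container roles onto the app's own UserRole enum), here is an added example that is not from the original answer. It assumes the BASIC/web.xml setup above, a hypothetical UserRole enum and an assumed second role ROLE_ADMIN; with RESTEasy (WildFly's JAX-RS implementation) @RolesAllowed on a plain resource is only enforced when web.xml sets the context-param resteasy.role.based.security to true, or when the resource is a @Stateless EJB.

```java
// Added example, not from the original answer: a JAX-RS resource secured with the
// Java EE annotations the question asks about, on top of the BASIC/web.xml setup above.
// Assumed: role names from rolesQuery match a hypothetical UserRole enum in the app.
// RESTEasy enforces @RolesAllowed on a plain resource only if web.xml has
// <context-param> resteasy.role.based.security = true (or make the class a @Stateless EJB).
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.ForbiddenException;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;

@Path("/the_path/accounts")                 // under the /the_path/* constraint, so BASIC auth runs first
@DeclareRoles({"ROLE_USER", "ROLE_ADMIN"})  // ROLE_ADMIN is an assumed second role
@Produces(MediaType.APPLICATION_JSON)
public class AccountResource {
    // Hypothetical: mirrors the "UserRole" enum the question describes
    public enum UserRole { ROLE_USER, ROLE_ADMIN }

    // Any authenticated caller holding ROLE_USER (as returned by rolesQuery) may read.
    @GET
    @RolesAllowed("ROLE_USER")
    public Response list(@Context SecurityContext sc) {
        UserRole role = resolveRole(sc);
        // getUserPrincipal() is the username the Database login module authenticated
        return Response.ok("{\"user\":\"" + sc.getUserPrincipal().getName()
                + "\",\"role\":\"" + role + "\"}").build();
    }

    // Only ROLE_ADMIN reaches this; everyone else gets 403 from the container.
    @GET
    @Path("/audit")
    @RolesAllowed("ROLE_ADMIN")
    public Response audit() {
        return Response.ok("{\"audit\":true}").build();
    }

    // Map container roles back onto the application's enum; check the most
    // privileged role first so a user holding both resolves to ROLE_ADMIN.
    static UserRole resolveRole(SecurityContext sc) {
        for (UserRole r : new UserRole[] { UserRole.ROLE_ADMIN, UserRole.ROLE_USER }) {
            if (sc.isUserInRole(r.name())) return r;
        }
        throw new ForbiddenException("authenticated, but no mapped role");
    }
}
```

Every role named in @RolesAllowed also needs a matching <security-role> entry in web.xml, as the answer shows for ROLE_USER.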