Question

We use Resteasy to communicate between multiple backend servers & we want to lock this down so not just anyone can attach a client or browser to the restlet server.

We're using Resteasy 3.04 and, as our backend services are numerous but very light-weight, an embedded TJWS web server.

Example Server code:

import java.security.Principal;

import org.jboss.resteasy.plugins.server.embedded.SecurityDomain;
import org.jboss.resteasy.plugins.server.tjws.TJWSEmbeddedJaxrsServer;

public class RestEasySSLBasicAuthenticationServer {

    static TJWSEmbeddedJaxrsServer webServer;

    static class BasicAthenticationSecurityDomain implements SecurityDomain  {

        @Override
        public Principal authenticate(String aUsername, String aPassword) throws SecurityException {
            System.out.println("User:" + aUsername + " Password" + aPassword);

            if (aPassword.equals("password") == false) {
                throw new SecurityException("Access denied to user " + aUsername);
            }

            return null;
        }

        @Override
        public boolean isUserInRoll(Principal aUsername, String aRole) {
            // No role based checks so return true
            return true;
        }

    }

    public static void main(String[] args) throws Exception {

        // Create embedded TJWS web server
        webServer = new TJWSEmbeddedJaxrsServer();

        // Set up SSL connections on server
        webServer.setSSLPort(8081);
        webServer.setSSLKeyStoreFile("K:\\source\\RestEasyTest\\server_localhost.jks");
        webServer.setSSLKeyStorePass("krypton");
        webServer.setSSLKeyStoreType("JKS");

        // Add basic HTTP authentication to the server
        webServer.setSecurityDomain( new BasicAthenticationSecurityDomain() );

        // Add the restlet resource
        webServer.getDeployment().getActualResourceClasses().add(PlayerResource.class);

        // Start the web server
        webServer.start();

        // Run until user presses a key
        System.out.print("Web server started. Press a key to stop...");
        System.in.read();

        // Stop the web server
        webServer.stop();
    }

}

Example client code:

import javax.ws.rs.client.Client;
import javax.ws.rs.client.ClientBuilder;
import javax.ws.rs.client.Invocation;
import javax.ws.rs.client.WebTarget;

import org.jboss.resteasy.client.jaxrs.BasicAuthentication;

public class RestEasySSLBasicAuthenticationClient {

    public static void main(String[] args) throws Exception {

        // Set up the keystore
        System.setProperty("javax.net.ssl.keyStore", "K:\\source\\RestEasyTest\\client_localhost.jks");
        System.setProperty("javax.net.ssl.keyStoreType", "JKS");
        System.setProperty("javax.net.ssl.keyStorePassword", "krypton");

        // Create a new Restlet client
        Client restletClient = ClientBuilder.newClient();

        // *** Even WITHOUT these credentials we can access the restlet
        // restletClient.register(new BasicAuthentication("username", "password"));

        // Set up the restlet request target.
        WebTarget request = restletClient.target("https://localhost:8081/player/{id}");
        request = request.resolveTemplate("id", Long.valueOf(1));

        // Build the restlet request
        Invocation invocation = request.request("application/xml").buildGet();

        // Call the restlet and get returned object
        Player result = invocation.invoke( Player.class );

        System.out.println(result.toString());
    }   
}

Using the test client and a registered authentication filter works, and as expected I get a 401 access error if I get the password incorrect.

However if no authentication is registered at the client then the server never calls the SecurityDomain check and access is allowed.

How do I enforce a login at the server?


Solution

You can ensure all users are authenticated by enabling security on the embedded TJWS web server.

webServer.getDeployment().setSecurityEnabled(true);
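Putting the fix together, as an added example that is neither the asker's nor the answerer's code: the server from the question with setSecurityEnabled(true), plus a SecurityDomain that returns a real Principal instead of null, compares passwords in constant time, does not log the submitted password, and actually checks roles. It assumes Java 9+ (Map.of / Set.of) and the PlayerResource class from the question; the in-memory user store, keystore path and passwords are placeholders.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Map;
import java.util.Set;

import org.jboss.resteasy.plugins.server.embedded.SecurityDomain;
import org.jboss.resteasy.plugins.server.tjws.TJWSEmbeddedJaxrsServer;

public class SecuredRestEasyServer {

    // Hypothetical in-memory user store (constructed for this example):
    // username -> password and username -> roles. A real deployment would
    // load salted password hashes from a proper store instead.
    static final Map<String, String> PASSWORDS = Map.of("alice", "s3cret", "bob", "hunter2");
    static final Map<String, Set<String>> ROLES =
            Map.of("alice", Set.of("admin"), "bob", Set.of("player"));

    static class CheckedSecurityDomain implements SecurityDomain {
        @Override
        public Principal authenticate(String username, String password) throws SecurityException {
            String expected = PASSWORDS.get(username);
            // MessageDigest.isEqual compares equal-length inputs in constant time,
            // so timing does not reveal how many leading bytes matched.
            boolean ok = expected != null && MessageDigest.isEqual(
                    expected.getBytes(StandardCharsets.UTF_8),
                    password.getBytes(StandardCharsets.UTF_8));
            if (!ok) {
                // Log the username only; never the submitted password.
                System.out.println("Failed login for user " + username);
                throw new SecurityException("Access denied to user " + username);
            }
            // Return a real Principal so RESTEasy has an identity to attach to the request.
            return () -> username;
        }

        @Override
        public boolean isUserInRoll(Principal user, String role) {
            // Real role check instead of unconditionally returning true.
            return ROLES.getOrDefault(user.getName(), Set.of()).contains(role);
        }
    }

    public static void main(String[] args) throws Exception {
        TJWSEmbeddedJaxrsServer webServer = new TJWSEmbeddedJaxrsServer();
        webServer.setSSLPort(8081);
        webServer.setSSLKeyStoreFile("/path/to/server_localhost.jks"); // placeholder path
        webServer.setSSLKeyStorePass("changeit");                      // placeholder; read from config
        webServer.setSSLKeyStoreType("JKS");
        webServer.setSecurityDomain(new CheckedSecurityDomain());
        // Without this, the SecurityDomain is never consulted for requests carrying no credentials.
        webServer.getDeployment().setSecurityEnabled(true);
        webServer.getDeployment().getActualResourceClasses().add(PlayerResource.class);
        webServer.start();
        System.in.read(); // run until a key is pressed
        webServer.stop();
    }
}
```

With security enabled, a request without an Authorization header is rejected before the resource method runs, and requests with credentials now reach the Principal-backed role check.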
Licensed under: CC-BY-SA with attribution