Question

What is the scope of a RESTful application? Actually I want to create a login module, so that only after succeeding the authentication can one access the next web service.


Solution 2

Here it is: JAX-RS root resource classes are managed in the request scope, so RESTful web service classes are request scoped by default, and no annotations are required for specifying the scope. Anyway, CDI (Context or Dependency Injection) managed beans annotated with @RequestScoped or @ApplicationScoped can be converted to JAX-RS resource classes.

Other tips

Here's an example of how to use declarative container managed security for a Java web application:

Add a constraint to force the usage of HTTPS

<security-constraint>
    <web-resource-collection>
        <web-resource-name>SSL Secured WebService</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee> 
    </user-data-constraint>
</security-constraint>

Prevent non-administrative users from inserting, updating and deleting resources located in: /services/products/*

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Authenticated administrators only</web-resource-name>
        <url-pattern>/services/products/*</url-pattern>
        <http-method>POST</http-method>
        <http-method>PUT</http-method>
        <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>ADMIN</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

Enforce basic authentication

<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>BookStore-Authentication-REALM</realm-name>
</login-config>

Define the security role ADMIN

<security-role>
    <role-name>ADMIN</role-name>
</security-role>

Furthermore, you will need to create a custom DB realm, which knows where all the users and passwords are located in the database. This realm needs to be mapped to this application. Each application server may use its own schema for how this is done. Below there is an example for JBoss AS 7.1.

Create a jboss-web.xml file within the WEB-INF folder, which contains the following content.

<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
    <!-- Name of the security domain configured in the application server -->
    <security-domain>RealmName</security-domain>
</jboss-web>

This declarative security may not suit all your restriction requirements, since the usage of the <url-pattern> expressions is very limited. In this case you might need to use programmatic security. For more information please have a look at Oracle's documentation site.
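
The limits of `<url-pattern>` matching mentioned above can be checked offline. The following Python sketch is an added example, not part of the answer: it models the Servlet specification's request processing (select the best-matching pattern first, then check the HTTP method) over a constructed `web.xml` built from the two constraints shown above. The helper names `load_constraints`, `rank` and `decide` are hypothetical, and `<http-method-omission>` is not modelled.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the answer's two <security-constraint> blocks in one <web-app>.
WEB_XML = """<web-app><security-constraint>
  <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
  <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
 </security-constraint><security-constraint>
  <web-resource-collection><url-pattern>/services/products/*</url-pattern>
   <http-method>POST</http-method><http-method>PUT</http-method><http-method>DELETE</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>ADMIN</role-name></auth-constraint>
  <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
 </security-constraint></web-app>"""

def load_constraints(xml_text):
    """Flatten web.xml into (pattern, methods, roles, transport) rows."""
    rows = []
    for sc in ET.fromstring(xml_text).iter("security-constraint"):
        auth = sc.find("auth-constraint")
        roles = None if auth is None else {r.text.strip() for r in auth.iter("role-name")}
        tg = sc.findtext("user-data-constraint/transport-guarantee", "NONE").strip()
        for wrc in sc.iter("web-resource-collection"):
            methods = {m.text.strip() for m in wrc.iter("http-method")}
            rows += [(p.text.strip(), methods, roles, tg) for p in wrc.iter("url-pattern")]
    return rows

def rank(pattern, path):
    """Servlet mapping precedence: exact > longest prefix > extension > default."""
    last = path.rsplit("/", 1)[-1]
    if pattern == path:
        return (3, 0)
    if pattern.endswith("/*") and (path + "/").startswith(pattern[:-1]):
        return (2, len(pattern))
    if "." in last and pattern == "*." + last.rsplit(".", 1)[1]:
        return (1, 0)
    return (0, 0) if pattern == "/" else None

def decide(rows, method, path):
    """Return (roles, transport); roles None = no login needed, empty set = nobody."""
    scored = [(k, m, r, t) for p, m, r, t in rows if (k := rank(p, path)) is not None]
    best = max((s[0] for s in scored), default=None)
    hits = [s for s in scored if s[0] == best and (not s[1] or method in s[1])]
    if not hits:  # no pattern matched, or the method is not constrained at the best match
        return (None, "NONE")
    auths = [h[2] for h in hits]
    roles = (set() if set() in auths        # an empty auth-constraint denies everyone
             else None if None in auths     # a constraint without auth-constraint opens access
             else set().union(*auths))
    return (roles, max(h[3] for h in hits))  # weakest guarantee wins (sorts C < I < N)
```

Under this model, a request below `/services/products/` with a method the second constraint does not list (GET, PATCH, ...) falls under no constraint at all, not even the `/*` transport guarantee, because only the best-matching pattern is consulted. Confirm the behaviour on the target container before relying on the catch-all constraint.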

License: CC-BY-SA with attribution
Not affiliated with StackOverflow