In this article, we will protect the Jersey 2.x JAX-RS exposed web services using Spring Security. And only authorized users are allowed to access these protected services
Jersey is the most popular amongst Restful web service development. Latest Jersey 2.x version has been developed by Oracle/Glassfish team in accordance with JAX-RS 2.0 specification. Earlier Jersey 1.x version was developed and supported by Oracle/Sun team
Latest Jersey release version is 2.12 see here and look documentation and API for details. We will implement Jersey examples in the following articles based on latest 2.x version
Annotation Used
- @Path (ws.rs.Path)
- @GET (ws.rs.GET)
- @POST (ws.rs.POST)
- @PUT (ws.rs.PUT)
- @DELETE (ws.rs.DELETE)
- @PathParam (ws.rs.PathParam)
- @Consumes (ws.rs.Consumes)
- @Produces (ws.rs.Produces)
- MediaType (ws.rs.core.MediaType)
Technology Used
- Java 1.7
- Eclipse Luna IDE
- Jersey-2.12
- Jersey-spring3-2.12
- Spring framework-4.1.0.RELEASE
- Spring-security-3.2.5.RELEASE
- MySql-connector-java-5.1.32
- Apache Maven 3.2.1
- Apache Tomcat 8.0.54
- Glassfish-4.1
Mavenize or download required jars
Add Jersey-2.12, Jersey-spring3-2.12, Spring-4.1.0.RELEASE, spring-security-3.2.5.RELEASE & mysql-5.1.32 dependencies to pom.xml
<properties> <jersey.version>2.12</jersey.version> <jersey.scope>compile</jersey.scope> <spring.version>4.1.0.RELEASE</spring.version> <spring.security.version>3.2.5.RELEASE</spring.security.version> <mysql.version>5.1.32</mysql.version> <compileSource>1.7</compileSource> <maven.compiler.target>1.7</maven.compiler.target> <maven.compiler.source>1.7</maven.compiler.source> <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding> </properties> <dependencies> <!-- Jersey core Servlet 2.x implementation --> <dependency> <groupId>org.glassfish.jersey.containers</groupId> <artifactId>jersey-container-servlet-core</artifactId> <version>${jersey.version}</version> <scope>${jersey.scope}</scope> </dependency> <!-- Jersey JSON Jackson (2.x) entity providers support module --> <dependency> <groupId>org.glassfish.jersey.media</groupId> <artifactId>jersey-media-json-jackson</artifactId> <version>${jersey.version}</version> <scope>${jersey.scope}</scope> </dependency> <!-- Jersey extension module providing support for Spring 3 integration --> <dependency> <groupId>org.glassfish.jersey.ext</groupId> <artifactId>jersey-spring3</artifactId> <version>${jersey.version}</version> <scope>${jersey.scope}</scope> <exclusions> <exclusion> <groupId>org.springframework</groupId> <artifactId>spring-core</artifactId> </exclusion> <exclusion> <groupId>org.springframework</groupId> <artifactId>spring-web</artifactId> </exclusion> <exclusion> <groupId>org.springframework</groupId> <artifactId>spring-beans</artifactId> </exclusion> </exclusions> </dependency> <!-- Spring Framework-4.x --> <dependency> <groupId>org.springframework</groupId> <artifactId>spring-webmvc</artifactId> <version>${spring.version}</version> </dependency> <dependency> <groupId>org.springframework</groupId> <artifactId>spring-jdbc</artifactId> <version>${spring.version}</version> </dependency> <!-- Spring Security 3.2.5.RELEASE Framework --> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-core</artifactId> <version>${spring.security.version}</version> </dependency> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-web</artifactId> <version>${spring.security.version}</version> </dependency> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-config</artifactId> <version>${spring.security.version}</version> </dependency> <!-- MySql-Connector --> <dependency> <groupId>mysql</groupId> <artifactId>mysql-connector-java</artifactId> <version>${mysql.version}</version> </dependency> </dependencies>
Note: Jackson – high performance parser is included as dependencies for JSON support
Folks who aren’t familiar with Maven concepts or don’t require maven for their project, can download the below jars individually from the central repository or maven repository and include them in the classpath
- jersey-container-servlet-core
- javax.ws.rs-api-2.0.1
- jersey-server-2.12
- jersey-common-2.12
- jersey-client-2.12
- jersey-guava-2.12
- javax-annotation-api-1.2
- javax.inject-2.3.0-b10
- hk2-api-2.3.0-b10
- hk2-utils-2.3.0-b10
- aop-alliance-repackaged-2.3.0-b10
- hk2-locator
- javassist-3.18.1-GA
- validation-api-1.1.0.Final
- osgi-resource-locator-1.0.1
- jersey-media-json-jackson
- jackson-jaxrs-base-2.3.2
- jackson-core-2.3.2
- jackson-databind-2.3.2
- jackson-jaxb-json-provider-2.3.2
- jackson-annotation-2.3.2
- jackson-module-jaxb-annotation-2.3.2
- jersey-spring3
- spring-framework-4.1.0.RELEASE
- spring-security-3.2.5.RELEASE
- mysql-connector-java-5.1.32
JAXB – Generating java source files from XSD
Steps to generate java-sources from XML Schema Definition (XSD)
- configure JAXB Maven plugin in pom.xml
- write well-defined XSD for your service
- use maven command “mvn generate-sources” to generate java source files
Configure JAXB Maven plugin
<!-- JAXB plugin to generate-sources from XSD --> <plugin> <groupId>org.codehaus.mojo</groupId> <artifactId>jaxb2-maven-plugin</artifactId> <version>1.6</version> <executions> <execution> <goals> <goal>xjc</goal><!-- xjc/generate --> </goals> <configuration> <outputDirectory>${basedir}/generated/java/source</outputDirectory> <schemaDirectory>${basedir}/src/main/resources/com/jersey/series/spring/security/service/entities</schemaDirectory> <schemaFiles>*.xsd</schemaFiles> <schemaLanguage>XMLSCHEMA</schemaLanguage> <extension>true</extension> <args> <arg>-XtoString</arg> </args> <plugins> <plugin> <groupId>org.jvnet.jaxb2_commons</groupId> <artifactId>jaxb2-basics</artifactId> <version>0.6.4</version> </plugin> </plugins> </configuration> </execution> </executions> </plugin>
Book.xsd
Below XSD contains two elements with name “BookType” and “BookListType”
- BookType contains four attributes namely bookId, bookName, author, category
- BookListType which returns list of BookType
<?xml version="1.0" encoding="UTF-8"?> <xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema" targetNamespace="http://benchresources.in/cdm/Book" xmlns:tns="http://benchresources.in/cdm/Book" elementFormDefault="qualified"> <!-- book object with four attributes --> <xsd:element name="BookType"> <xsd:complexType> <xsd:sequence> <xsd:element name="bookId" type="xsd:int" /> <xsd:element name="bookName" type="xsd:string" /> <xsd:element name="author" type="xsd:string" /> <xsd:element name="category" type="xsd:string" /> </xsd:sequence> </xsd:complexType> </xsd:element> <!-- an object to contain lists of books referencing above Book object --> <xsd:element name="BookListType"> <xsd:complexType> <xsd:sequence> <xsd:element ref="tns:BookType" minOccurs="0" maxOccurs="unbounded" /> </xsd:sequence> </xsd:complexType> </xsd:element> </xsd:schema>
Run mvn generate-sources
Look at the generated java source files in the generated folder
BookType.java
package in.benchresources.cdm.book; import javax.xml.bind.annotation.XmlAccessType; import javax.xml.bind.annotation.XmlAccessorType; import javax.xml.bind.annotation.XmlElement; import javax.xml.bind.annotation.XmlRootElement; import javax.xml.bind.annotation.XmlType; @XmlAccessorType(XmlAccessType.FIELD) @XmlType(name = "", propOrder = { "bookId", "bookName", "author", "category" }) @XmlRootElement(name = "BookType") public class BookType { protected int bookId; @XmlElement(required = true) protected String bookName; @XmlElement(required = true) protected String author; @XmlElement(required = true) protected String category; public int getBookId() { return bookId; } public void setBookId(int value) { this.bookId = value; } public String getBookName() { return bookName; } public void setBookName(String value) { this.bookName = value; } public String getAuthor() { return author; } public void setAuthor(String value) { this.author = value; } public String getCategory() { return category; } public void setCategory(String value) { this.category = value; } }
BookListType.java
package in.benchresources.cdm.book; import java.util.ArrayList; import java.util.List; import javax.xml.bind.annotation.XmlAccessType; import javax.xml.bind.annotation.XmlAccessorType; import javax.xml.bind.annotation.XmlElement; import javax.xml.bind.annotation.XmlRootElement; import javax.xml.bind.annotation.XmlType; @XmlAccessorType(XmlAccessType.FIELD) @XmlType(name = "", propOrder = { "bookType" }) @XmlRootElement(name = "BookListType") public class BookListType { @XmlElement(name = "BookType") protected List<BookType> bookType; public List<BookType> getBookType() { if (bookType == null) { bookType = new ArrayList<BookType>(); } return this.bookType; } }
Directory Structure
Before moving on, let us understand the directory/package structure once you create project in Eclipse IDE
Maven has to follow certain directory structure
- src/test/java –> test related files, mostly JUnit test cases
- src/main/java –> create java source files under this folder
- src/main/resources –> all configuration files placed here
- src/test/resources –> all test related configuration files placed here
- Maven Dependencies or Referenced Libraries –> includes jars in the classpath
- WEB-INF under webapp –> stores web.xml & other configuration files related to web application
Project Structure (Package Explorer view in Eclipse)
Jars Libraries Used in the Project (Maven Dependencies)
Web application
For any web application, entry point is web.xml which describes how the incoming http requests are served / processed. Further, it describes about the global-context and local-context param (i.e.; <context-param> & <init-param>) for loading files particular to project requirements & contains respective listener
With this introduction, we will understand how we configured web.xml for Jersey JAX-RS Restful web service
web.xml (the entry point –> under WEB-INF)
This web.xml file describes,
- Like any JEE web framework register “org.glassfish.jersey.servlet.ServletContainer” with servlet container
- register spring listener springframework.web.context.ContextLoaderListener
- http requests with URL pattern “/rest/*” will be sent to the registered servlet called “jersey-servlet” i.e.; (org.glassfish.jersey.servlet.ServletContainer)
- Set <init-param> with <param-name> as “jersey.config.server.provider.packages” and <param-value> describing the qualified package name of the JAX-RS annotated Resource/Provider classes. In this example, “com.jersey.series.spring.security.service”
- <context-param> with its attributes describes the location of the “spring-jersey2.xml” and “spring-security.xml” files from where it has to be loaded. We will discuss briefly about these files
- <welcome-file-list> files under this tag is the start-up page
- Servlet filter called “DelegatingFilterProxy” with url-pattern /* intercepts incoming http requests and enter Spring Security framework for security checks to authenticate users
- “spring-security.xml”describes which URL needs to be intercepted along with their roles/credentials
- NOTE:don’t change this name “springSecurityFilterChain”
web.xml
<?xml version="1.0" encoding="UTF-8"?> <web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"> <display-name>Jersey-Spring-Security</display-name> <!-- Spring Security --> <filter> <filter-name>springSecurityFilterChain</filter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> </filter> <filter-mapping> <filter-name>springSecurityFilterChain</filter-name> <url-pattern>/*</url-pattern> <dispatcher>REQUEST</dispatcher> <dispatcher>FORWARD</dispatcher> <dispatcher>INCLUDE</dispatcher> <dispatcher>ERROR</dispatcher> </filter-mapping> <!-- Spring Listener --> <listener> <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class> </listener> <!-- Jersey Servlet --> <servlet> <servlet-name>jersey-servlet</servlet-name> <servlet-class>org.glassfish.jersey.servlet.ServletContainer</servlet-class> <!-- Register resources and providers --> <init-param> <param-name>jersey.config.server.provider.packages</param-name> <param-value>com.jersey.series.spring.security.service</param-value> </init-param> <load-on-startup>1</load-on-startup> </servlet> <servlet-mapping> <servlet-name>jersey-servlet</servlet-name> <url-pattern>/rest/*</url-pattern> </servlet-mapping> <!-- loading Spring Context for registering beans with ApplicationContext --> <context-param> <param-name>contextConfigLocation</param-name> <param-value> WEB-INF/spring-jersey2.xml, WEB-INF/spring-security.xml </param-value> </context-param> <!-- welcome file --> <welcome-file-list> <welcome-file>index.html</welcome-file> </welcome-file-list> </web-app>
Spring Application Context file
This Spring Application Context file describes,
- <context:annotation-config /> to activate annotation on the registered beans with application context
- <context:component-scan base-package=”” /> tag scans all classes & sub-classes under the value of base-package attribute and register them with the Spring container
- bean with id=”dataSource” defines values for driverClassName, url, username and password for MySql database
spring-jersey2.xml
<?xml version="1.0" encoding="UTF-8"?> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context" xmlns:tx="http://www.springframework.org/schema/tx" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.0.xsd http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.0.xsd"> <!-- to activate annotations in beans already registered in the ApplicationContext --> <context:annotation-config /> <!-- scans packages to find and register beans within the application context --> <context:component-scan base-package="com.jersey.series.spring.security" /> <!-- MySql dataSource configuration --> <bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource"> <property name="driverClassName" value="com.mysql.jdbc.Driver" /> <property name="url" value="jdbc:mysql://localhost:3306/benchresources" /> <property name="username" value="root" /> <property name="password" value="" /> </bean> </beans>
MySql Database
To move user credentials and their ROLES, you have to create tables and insert records. Let’s do it
Create USERS table
create table users ( username varchar(50) not null primary key, password varchar(60) not null, enabled boolean not null ) engine = InnoDb;
Create AUTHORITIES table
create table authorities ( username varchar(50) not null, authority varchar(50) not null, foreign key (username) references users (username), unique index authorities_idx_1 (username, authority) ) engine = InnoDb;
Let’s insert records in both tables
# INSERT records into USERS table
INSERT INTO `users`(`username`, `password`, `enabled`) VALUES ('Arun', '$2a$10$BwyjwGRWc4gMk2Y1e2jzie.FVYrfgxV0.aHgdU1VM6E.Rf0ZYoaWa, 1); INSERT INTO `users`(`username`, `password`, `enabled`) VALUES ('Jeremy', '$2a$10$EHmzwTcEFS1IUZ.hhsMw.uZvG2uwH7fOS1nh/fcIiAvmXg3LwdVP.', 1); INSERT INTO `users`(`username`, `password`, `enabled`) VALUES ('Jing', '$2a$10$twiIh66bjFBWBYZPWOrc1uS/KRCdT61Z5wFdpJGdeHwY2HeCZ.J.a, 1);
# INSERT records into AUTHORITIES table
INSERT INTO authorities (username, authority) VALUES ('Arun', 'ROLE_ADMIN'); INSERT INTO authorities (username, authority) VALUES ('Jeremy', 'ROLE_USER'); INSERT INTO authorities (username, authority) VALUES ('Jing', 'ROLE_USER');
How to get hashed or encoded password using BCryptPasswordEncoder
PasswordHashing.java
package test.jersey.series.spring.security.hashing; import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; import org.springframework.security.crypto.password.PasswordEncoder; public class PasswordHashing { // http://docs.spring.io/spring-security/site/docs/3.2.4.RELEASE/reference/htmlsingle/#ns-getting-started public static void main(String[] args) { String[] originalPassword = {"arun123", "jeremy123", "jing123"}; PasswordEncoder encoder = new BCryptPasswordEncoder(); String hashedPassword = ""; System.out.println("ORIGINAL \t HASHED"); System.out.println("=========\t======="); for(String password : originalPassword){ hashedPassword = encoder.encode(password); System.out.println(password + "\t\t" + hashedPassword); } } }
Result in console
ORIGINAL HASHED ========= ======= arun123 $2a$10$BwyjwGRWc4gMk2Y1e2jzie.FVYrfgxV0.aHgdU1VM6E.Rf0ZYoaWa jeremy123 $2a$10$EHmzwTcEFS1IUZ.hhsMw.uZvG2uwH7fOS1nh/fcIiAvmXg3LwdVP. jing123 $2a$10$twiIh66bjFBWBYZPWOrc1uS/KRCdT61Z5wFdpJGdeHwY2HeCZ.J.a
Spring Security Configuration
This Spring Security configuration file describes the security URL to be intercepted and login details for that particular role
- First element <security:http /> with pattern describes which are all incoming http requests needs to be intercepted
- Second element with <security:authentication-manager /> defines the credentials (username/password) for every role. For example, ROLE_ADMIN, ROLE_USER, etc
- <security:password-encoder ref=“bcryptPasswordEncoder” /> refers hashing algorithm used for this application, which is BCryptPasswordEncoder(springframework.security.crypto.bcrypt.BCryptPasswordEncoder)
- bcryptPasswordEncoder bean defines encoding algorithm with two constructor-arg viz. name & strength. Default strength value is 10
- <security:jdbc-user-service /> defines two queries to authenticate user credentials along with their ROLES, interacting with dataSource configured in the spring-jersey2.xml which is MySql database in our example
spring-security.xml
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:security="http://www.springframework.org/schema/security" xmlns:context="http://www.springframework.org/schema/context" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.2.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.2.xsd"> <security:http auto-config="true"> <security:intercept-url pattern="/rest/**" access="ROLE_USER" /> </security:http> <security:authentication-manager> <security:authentication-provider> <security:password-encoder ref="bcryptPasswordEncoder" /> <security:jdbc-user-service data-source-ref="dataSource" users-by-username-query="select username, password, enabled from users where username=?" authorities-by-username-query="select username, authority from authorities where username=? " /> </security:authentication-provider> </security:authentication-manager> <beans:bean id="bcryptPasswordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"> <beans:constructor-arg name="strength" value="10" /> </beans:bean> </beans:beans>
Let’s see coding in action
URL Pattern
Http url for any common web application is http://<server>:<port>/<root-context>/<from_here_application_specific_path>
In our example, we are going to deploy the war into Tomcat 8.0 server so our server and port are localhost and 8080 respectively. Context root is the project name i.e.; Jersey-Spring-Security. Initial path for this application is http://localhost:8080/Jersey-Spring-Security
We have configured “/rest/*” as url-pattern for the “jersey-servlet” servlet in web.xml and at class-level path configured is “/bookservice” using @Path annotation. Next respective path for each method annotated with @Path (method-level)
Book Service interface
Defines basic CRUD operations for Book Service
NOTE: It’s always a good programming practice to do code-to-interface and have its implementation separately
IBookService.java
package com.jersey.series.spring.security.service; import in.benchresources.cdm.book.BookListType; import in.benchresources.cdm.book.BookType; public interface IBookService { // Basic CRUD operations for Book Service public String createOrSaveBookInfo(BookType bookType); public BookType getBookInfo(int bookId); public String updateBookInfo(BookType bookType); public String deleteBookInfo(int bookId); public BookListType getAllBookInfo(); }
Book Service implementation
Implements above interface
Defines simple CURD operations
- @POST – create/inserts a new resource (adds new book information)
- @GET – read/selects internal resource representation based on the bookId
- @PUT – update/modifies an internal resource representation (modify book)
- @DELETE – delete/removes a resource (delete book)
- @GET – retrieves all books (get all books information)
Let’s discuss @Produces, @Consumes and MediaType
@Consumes
Defines which MIME type is consumed by this method. For this example, exposed methods supports both XML & JSON formats i.e.; methods are annotated with @Consumes({MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON})
Note: When Content-Type is not specified in the header, then by default it expects request body in “application/x-www-form-urlencoded”. So, Content-Type needs to be set/sent in the header
@Produces
Defines which MIME type it will produce. For this example, exposed methods produce response in both XML & JSON formats i.e.; methods are annotated with @Produces({MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON})
Note: By default, when invoked it returns the response in XML as it is the first string in the array. So, to get the response in the JSON format then set accept=”application/json” in the header
Most widely used Media Types are
- APPLICATION_XML,
- APPLICATION_JSON,
- TEXT_PLAIN,
- TEXT_XML,
- APPLICATION_FORM_URLENCODED,
- etc
Note: Jersey doesn’t inherit JAX-RS annotations. So we are annotating Resource/Provider classes and then defining qualified package name in web.xml
BookServiceImpl.java
package com.jersey.series.spring.security.service; import in.benchresources.cdm.book.BookListType; import in.benchresources.cdm.book.BookType; import javax.ws.rs.Consumes; import javax.ws.rs.DELETE; import javax.ws.rs.GET; import javax.ws.rs.POST; import javax.ws.rs.PUT; import javax.ws.rs.Path; import javax.ws.rs.PathParam; import javax.ws.rs.Produces; import javax.ws.rs.core.MediaType; @Path("/bookservice") public class BookServiceImpl implements IBookService { // Basic CRUD operations for Book Service // http://localhost:8080/Jersey-Spring-Security/rest/bookservice/addbook @POST @Path("addbook") @Consumes({MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML}) @Produces(MediaType.APPLICATION_FORM_URLENCODED) public String createOrSaveBookInfo(BookType bookType) { // get book information from formal arguments and inserts into database & return bookId (primary_key) return "New Book information saved successfully with Book_ID " + bookType.getBookId(); } // http://localhost:8080/Jersey-Spring-Security/rest/bookservice/getbook/65235 @GET @Path("getbook/{id}") @Consumes(MediaType.APPLICATION_FORM_URLENCODED) @Produces({MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML}) public BookType getBookInfo(@PathParam("id") int bookId) { // retrieve book information based on the id supplied in the formal argument BookType bookType = new BookType(); bookType.setBookId(bookId); bookType.setBookName("Industrial Microbiology and Biotechnology"); bookType.setAuthor("Arnold L.Demain"); bookType.setCategory("Microbiology"); return bookType; } // http://localhost:8080/Jersey-Spring-Security/rest/bookservice/updatebook @PUT @Path("updatebook") @Consumes({MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML}) @Produces(MediaType.APPLICATION_FORM_URLENCODED) public String updateBookInfo(BookType bookType) { // update book info & return SUCCESS message return "Book information updated successfully"; } // http://localhost:8080/Jersey-Spring-Security/rest/bookservice/deletebook/10001 @DELETE @Path("deletebook/{id}") @Consumes(MediaType.APPLICATION_FORM_URLENCODED) @Produces(MediaType.APPLICATION_FORM_URLENCODED) public String deleteBookInfo(@PathParam("id") int bookId) { // delete book info & return SUCCESS message return "Book information with Book_ID " + bookId + " deleted successfully"; } // http://localhost:8080/Jersey-Spring-Security/rest/bookservice/getallbook @GET @Path("getallbook") @Consumes(MediaType.APPLICATION_FORM_URLENCODED) @Produces({MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML}) public BookListType getAllBookInfo() { // create a object of type BookListType which takes book objects in its list BookListType bookListType = new BookListType(); BookType bookOne = new BookType(); bookOne.setBookId(65912); bookOne.setBookName("Essential Microbiology"); bookOne.setAuthor("Stuart Hogg"); bookOne.setCategory("Microbiology"); bookListType.getBookType().add(bookOne); // add to bookListType BookType bookTwo = new BookType(); bookTwo.setBookId(65988); bookTwo.setBookName("Environmental Microbiology"); bookTwo.setAuthor("Charles P. Gerba"); bookTwo.setCategory("Microbiology"); bookListType.getBookType().add(bookTwo); // add to bookListType return bookListType; } }
Tomcat-8.0.12 Deployment
- Run maven command to build the war: mvn clean install (use command prompt or integrated maven in eclipse IDE
- Copy(ctrl+c) the war file from the target folder
- Paste(ctrl+v) it into apache tomcat (webapps folder)
- Start the tomcat server
Glassfish-4.1 Deployment
- Run maven command to build the war: mvn clean install (use command prompt or integrated maven in eclipse IDE
- Once you see “BUILD SUCCESS” after running maven command, keep the war file ready to be deployed
- There are two ways to deploy war file into Glassfish-4.1
- Online
- Offline
- Click here to understand above deployments process in detail
Test the service !!
Testing
There are many ways to do testing
- Access html page from web browser
- Copy the URL of GET service into web browser
- Advanced REST client from Google Chrome
- Rest client in Mozilla Firefox Add On
- Write your own client for example, Java client using improved CloseableHttpClient from Apache
- JDK’s in-built classes like HttpURLConnection
- Using Client, WebTarget from core JAX-RS classes javax.ws.rs.client
1. Using RestClient from Mozilla Firefox Add-On
Every service tested setting up header parameters “accept” & “Content-Type” in the request. First for JSON format and then XML format
Before proceeding with testing of every service, you must provide correct credentials as spring-security will intercept request http url with pattern “/rest/**”. See spring-security.xml file for details
getAllBook() service
Output
{ "BookType": [ { "bookId": 65912, "bookName": "Essential Microbiology", "author": "Stuart Hogg", "category": "Microbiology" }, { "bookId": 65988, "bookName": "Environmental Microbiology", "author": "Charles P. Gerba", "category": "Microbiology" } ] }
Similarly, we can test other exposed services using Mozilla Rest client
2. Java client
Uses Client, ClientBuilder, WebTarget and Response classes from core JAX-RS package javax.ws.rs.client for invoking Restful web service
Note: Commented lines will help out us to try (set) various http request header parameters
TestBookService.java
package test.jersey.series.spring.security.service; import javax.ws.rs.client.Client; import javax.ws.rs.client.ClientBuilder; import javax.ws.rs.client.Entity; import javax.ws.rs.client.Invocation; import javax.ws.rs.client.Invocation.Builder; import javax.ws.rs.client.WebTarget; import javax.ws.rs.core.MediaType; import javax.ws.rs.core.Response; import org.glassfish.jersey.client.ClientConfig; import org.glassfish.jersey.internal.util.Base64; public class TestBookService { public static void main(String[] args) { // encoding with Base64 and passing as authorization String userName = "jeremy"; String password = "jeremy123"; String authString = userName + ":" + password; byte[] authEncBytes = Base64.encode(authString.getBytes()); String authorization = new String(authEncBytes); // setting & invoking first service getBook/10001 System.out.println("Invoking and executing getBook service for book id 10001"); String httpGetURL = "http://localhost:8080/Jersey-Spring-Security/rest/bookservice/getbook/10001"; String responseStringGet = testBookServiceForGetRequest(httpGetURL, authorization); System.out.println("GET >> Response String : " + responseStringGet); // setting & invoking second service addBook with XML request System.out.println("\n\nInvoking and executing addBook service with request XML"); String httpPostURL = "http://localhost:8080/Jersey-Spring-Security/rest/bookservice/addbook"; String requestString = "{" + " \"bookId\": 10055, " + " \"bookName\": \"Clinical Veterinary Microbiology\"," + " \"author\": \"Patrick Quinn\"," + " \"category\": \"Microbiology\"" + "}"; String responseStringPost = testBookServiceForPostRequest(httpPostURL, requestString, authorization); System.out.println("POST >> Response String : " + responseStringPost); } /** * * @param httpURL * @return */ public static String testBookServiceForGetRequest(String httpURL, String authorization){ // local variables ClientConfig clientConfig = null; Client client = null; WebTarget webTarget = null; Invocation.Builder invocationBuilder = null; Response response = null; int responseCode; String responseMessageFromServer = null; String responseString = null; try{ // invoke service after setting necessary parameters clientConfig = new ClientConfig(); client = ClientBuilder.newClient(clientConfig); // client.property("Content-Type", MediaType.APPLICATION_FORM_URLENCODED); // client.property("accept", MediaType.APPLICATION_XML); webTarget = client.target(httpURL); // invoke service invocationBuilder = webTarget.request(MediaType.APPLICATION_FORM_URLENCODED).accept(MediaType.APPLICATION_XML); invocationBuilder.header("Authorization", "Basic " + authorization); response = invocationBuilder.get(); // get response code responseCode = response.getStatus(); System.out.println("Response code: " + responseCode); if (response.getStatus() != 200) { throw new RuntimeException("Failed with HTTP error code : " + responseCode); } // get response message responseMessageFromServer = response.getStatusInfo().getReasonPhrase(); System.out.println("ResponseMessageFromServer: " + responseMessageFromServer); // get response string responseString = response.readEntity(String.class); } catch(Exception ex) { ex.printStackTrace(); } finally{ // release resources, if any response.close(); client.close(); } return responseString; } /** * * @param httpURL * @param requestString * @return */ public static String testBookServiceForPostRequest(String httpURL, String requestString, String authorization) { // local variables ClientConfig clientConfig = null; Client client = null; WebTarget webTarget = null; Builder builder = null; Response response = null; int responseCode; String responseMessageFromServer = null; String responseString = null; try{ // invoke service after setting necessary parameters clientConfig = new ClientConfig(); client = ClientBuilder.newClient(clientConfig); // client.property("Content-Type", MediaType.APPLICATION_FORM_URLENCODED); // client.property("accept", MediaType.APPLICATION_JSON); webTarget = client.target(httpURL); // invoke service builder = webTarget .request(MediaType.APPLICATION_FORM_URLENCODED) // set Content-Type .header("Authorization", "Basic " + authorization) // authorization using BCrpyt .accept(MediaType.APPLICATION_JSON); // set accept response = builder.post(Entity.entity(requestString, MediaType.APPLICATION_JSON)); // get response code responseCode = response.getStatus(); System.out.println("Response code: " + responseCode); if (response.getStatus() != 200) { throw new RuntimeException("Failed with HTTP error code : " + responseCode); } // get response message responseMessageFromServer = response.getStatusInfo().getReasonPhrase(); System.out.println("ResponseMessageFromServer: " + responseMessageFromServer); // get response string responseString = response.readEntity(String.class); } catch(Exception ex) { ex.printStackTrace(); } finally{ // release resources, if any response.close(); client.close(); } return responseString; } }
Output in console
Invoking and executing getBook service for book id 10001 Response code: 200 ResponseMessageFromServer: OK GET >> Response String : <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <BookType xmlns="http://benchresources.in/cdm/Book"> <bookId>10001</bookId> <bookName>Industrial Microbiology and Biotechnology</bookName> <author>Arnold L.Demain</author> <category>Microbiology</category> </BookType> Invoking and executing addBook service with request XML Response code: 200 ResponseMessageFromServer: OK POST >> Response String : New Book information saved successfully with Book_ID 10055
Conclusion: With Spring-Security framework, we can protect the exposed web services and only authenticated & authorized users can access the services with correct credentials. Also, with hashing/encoding it’s a big advantage to protect the password
Download project
Jersey-2x-Spring-Security (15kB)
Happy Coding !!
Happy Learning !!