Security layer #9
Comments
|
I think for role-based security constraints we can already rely on container-managed roles via @javax.annotation.security.* annotations. For fine-grained stuff (e.g. a user should be able to change his/her own profile but not the profile of another user) we might rely on the SecurityContext that JAX-RS2.0 has to offer: https://jersey.java.net/documentation/latest/security.html (documentation of the JAX-RS reference implementation [RI] a.k.a. "Jersey"). Maybe a filter ( https://jersey.java.net/documentation/latest/filters-and-interceptors.html) might be all that is needed for fine-grained access control... |
|
We could also use Spring Security which I already know quite well. But I'll have a closer look into the links you posted - maybe the JAX-RS-solutions are suited well enough. SS would have the disadvantage of the (small) Spring Container overhead - and we would stray from the just-Java EE-path. |
Right now, we only have a very rudimentary user profile entity and no security for our REST interface. That'll have to change soon.
Which security framework for our REST interface should we use?
The text was updated successfully, but these errors were encountered: