This example demonstrates how to use the entity filtering feature together with security annotations (from the javax.annotation.security package) and how to apply them to domain classes as well as to JAX-RS resource classes and JAX-RS resource methods.

In addition to the domain classes and JAX-RS resources (with security annotations applied) there is also one (pre-matching) container request filter, SecurityRequestFilter. The filter sets the security context for each incoming request as if the request had been made by a user in the role "manager".
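A sketch of a pre-matching filter of the kind described above. It is an added example, not the source of the project's SecurityRequestFilter; the class name ManagerRoleRequestFilter and the principal name "example-user" are assumptions.

```java
import java.io.IOException;
import java.security.Principal;

import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.core.SecurityContext;

// Hypothetical class name; register it in the application like any other provider.
@PreMatching
public class ManagerRoleRequestFilter implements ContainerRequestFilter {

    @Override
    public void filter(final ContainerRequestContext requestContext) throws IOException {
        // Remember whether the container saw the request arrive over a secure channel.
        final SecurityContext original = requestContext.getSecurityContext();
        final boolean secure = original != null && original.isSecure();

        // Replace the security context before resource matching takes place.
        requestContext.setSecurityContext(new SecurityContext() {
            @Override
            public Principal getUserPrincipal() {
                return () -> "example-user"; // constructed principal name
            }

            @Override
            public boolean isUserInRole(final String role) {
                // The caller holds exactly one role. @RolesAllowed checks on
                // resources and the role-based entity views ask this method.
                return "manager".equals(role);
            }

            @Override
            public boolean isSecure() {
                return secure;
            }

            @Override
            public String getAuthenticationScheme() {
                return null; // no authentication is performed in this sketch
            }
        });
    }
}
```

Because isUserInRole is the single source of role decisions, a filter like this makes every caller a "manager"; outside a demo the answer has to come from an authenticated identity.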

The full description of Entity Data Filtering can be found in the Jersey User Guide, chapter Entity Data Filtering. Sections relevant to this example (describing this exact example) are:

Contents

The mapping of the URI path space is presented in the following table:

| URI path | Resource class | HTTP methods | Allowed values | Notes |
|---|---|---|---|---|
| /restricted-resource/denyAll | RestrictedResource | GET | N/A | @DenyAll annotation used - returns HTTP 403, Forbidden response |
| /restricted-resource/permitAll | RestrictedResource | GET | N/A | @PermitAll annotation used. Role-based view on RestrictedEntity class - permitAll, simpleField |
| /restricted-resource/rolesAllowed | RestrictedResource | GET | N/A | @RolesAllowed({"manager"}) annotation used, user in role "manager". Role-based view on RestrictedEntity class - permitAll, simpleField, mixedField.managerField |
| /unrestricted-resource | UnrestrictedResource | GET | N/A | No security annotation used, user in role "manager". Role-based view on RestrictedEntity class - permitAll, simpleField, mixedField.managerField |

The application is based on the Grizzly container (see App). Everything needed (resources/providers) is registered in SecurityEntityFilteringApplication.

Running the Example

Run the example as follows:

mvn clean package exec:java

This deploys the current example using Grizzly. You can access the application at:

Using Jackson instead of MOXy

By default, this example uses the Entity Data Filtering feature together with MOXy. To switch from the MOXy JSON provider to the Jackson (2.x) JSON provider, simply

  • comment out the registration of the MOXy ContextResolver, and
    register(new MoxyJsonConfig().setFormattedOutput(true).resolver())
  • uncomment the registration of JacksonFeature
    register(JacksonFeature.class)
in the SecurityEntityFilteringApplication class.