All geek questions in one place

API Key Authentication in JAX-RS

We would like to ensure our vacation api using api key. Here are the requirements:

  • For open access services, an api key is required.
  • Private services can only accept calls from the cluster, not the outside world.
  • Each api identifies the user, and the User object must be available for the rest service.

Is there a standard way to do this in a JAX-RS application? (We use Resteasy.)

I read all about filters, interceptors, and basic auth, but I don’t understand what the best approach is.

In an earlier version of the application, we had a roll-up solution in which public services operated on a public port and on private ones in a private port. There was an everyday search for api keys that sets the User object as a variable to the rest service object.

I cannot figure out how to do this using standard JAX-RS.

+6
source share
2 answers

Using a filter to intercept a request

Such authentication can be achieved using ContainerRequestFilter , intercepting requests to your resource methods.

The filter will be used to extract the API key from the request and validate it. If the API key is invalid, the request will be rejected. Otherwise, the request will go to resource methods.

Take a look at the following code snippet. ContainerRequestContext API can be used to retrieve information from an HTTP request:

 @Provider @Priority(Priorities.AUTHENTICATION) public class AuthenticationFilter implements ContainerRequestFilter { @Override public void filter(ContainerRequestContext requestContext) throws IOException { // Extract and validate the API key from the request String apiKey = requestContext.getHeaderString("API-Key"); ... } }

Also see this answer. I wrote some time ago about authentication with tokens in JAX-RS. There you will find many details that may be useful to solve the situation described in your question.

User identification

During the authentication process, you should be able to identify the user making the request. To extend this information to your resource classes / methods, you could:

  • Cancel the SecurityContext and enter it into your resource classes / methods.
  • Use the CDI Event and the producer method to create an object that contains a user ID that can be entered into your resource classes / methods.

See the answer I mentioned above for more details on these approaches.

Associating a filter with some resource classes / methods

By default, filters are global (this means that they are executed for all resource methods of your application). To associate a filter with a subset of methods or resource classes, you can use name binding annotations .

+4
source

Not giving a detailed answer, but simply an offer. Check out CustomInvokers and register invoker for these services. Confirm the api key and enter the error if it is not valid. If an error occurs, your client will receive an error message. The service code will not be called.

For a real security system, please check netflix zuul .

-1
source

Source: https://habr.com/ru/post/978702/

More articles:


All Articles