Skip to main content

Notice: This Wiki is now read only and edits are no longer possible. Please see: https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/wikis/Wiki-shutdown-plan for the plan.

Jump to: navigation, search

EclipseLink/Release/2.4.0/JPA-RS/Security

JPA-RS does not implement any security within its service methods. Users wishing to use JPA-RS within production application should secure access to the JPA-RS services using standard URL pattern security policies. This page illustrates how this can be done.

Securing JPA-RS in GlassFish

When the JPA-RS library is added to a web applications WEB-INF/lib folder its web-fragment.xml is used to augment the application's web.xml mapping the JAX-RS (Jersey) servlet available. The web application developer can use standard web.xml security configuration to control what URL9s) and HTTP methods can be invoked.

web.xml Example

In this example all access to JPA-RS for GET, PUT, POST, and DELETE are limited to users with the JPA-RS security role.

<!-- Securing JPA-RS  -->
<security-constraint>
	<display-name>JPA-RS Security</display-name>
	<web-resource-collection>
		<web-resource-name>JPARSPermissions</web-resource-name>
		<url-pattern>/persistence/*</url-pattern>
	</web-resource-collection>
	<auth-constraint>
		<role-name>JPA-RS</role-name>
	</auth-constraint>
</security-constraint>
<login-config>
	<auth-method>BASIC</auth-method>
	<realm-name>file</realm-name>
</login-config>
<security-role>
	<role-name>JPA-RS</role-name>
</security-role>


GlassFish: sun-web.xml

Within the GlassFish server the additional mapping from Java EE security role to the GlassFish secuity group is required.

<security-role-mapping>
	<role-name>JPA-RS</role-name>
	<group-name>JPA-RS</group-name>
</security-role-mapping>

Back to the top