Implementation of secure JAX-RS applications

The IBM® JAX-RS 1.1 runtime environment is driven by a servlet that is derived from the Apache Wink project. The JAX-RS 2.0 runtime environment is driven by a servlet derived from the Apache CXF. Within the WebSphere® Application Server environment, the lifecycle of servlets is managed in the web container. Therefore, the security services that are offered by the web container are applicable to REST resources that are deployed to WebSphere Application Server.

You can define and add security constraints on the REST resources by using the same tools that are used to assemble REST applications. These constraints are captured in the Java EE web deployment descriptor that is associated with your application. The following list describes security definitions that you can include in the deployment descriptor:
  • User authentication when starting REST resources embodied in the application, including
    • HTTP basic authentication.
    • Form login authentication.
  • Authorization control over REST resources as defined by the URL patterns for the resources.
  • Use of SSL for transport when starting REST resources.
  • Programmatic use of the SecurityContext object to determine user identity and roles.
All the security mechanisms that are supported by the web container are applicable to REST resources, including the use of the Kerberos-based SPNEGO authentication mechanism.
For more information on securing JAX-RS applications and resources, see:
Note: In Liberty, the default context root is the name of the WAR file. For more information about options when configuring context roots, see Deploying a web application to Liberty.