From 0c55c54cb716336dc9862964064827997c5b2a40 Mon Sep 17 00:00:00 2001
From: Andy Wilkinson
Date: Tue, 15 May 2018 10:10:19 +0100
Subject: [PATCH] Document how to use Jersey with Spring Security's method security

Closes gh-12995
---
 spring-boot-docs/src/main/asciidoc/howto.adoc | 24 +++++++++
 .../JerseySetStatusOverSendErrorExample.java | 53 +++++++++++++++++++
 2 files changed, 77 insertions(+)
 create mode 100644 spring-boot-docs/src/main/java/org/springframework/boot/jersey/JerseySetStatusOverSendErrorExample.java

diff --git a/spring-boot-docs/src/main/asciidoc/howto.adoc b/spring-boot-docs/src/main/asciidoc/howto.adoc
index 2c4e352671..9d0a6e4036 100644
--- a/spring-boot-docs/src/main/asciidoc/howto.adoc
+++ b/spring-boot-docs/src/main/asciidoc/howto.adoc
@@ -1485,6 +1485,30 @@ that is compatible with Thymeleaf 3.0.
+[[howto-jersey]]
+== Jersey
+
+
+
+[[howto-jersey-spring-security]]
+=== Secure Jersey endpoints with Spring Security
+Spring Security can be used to secure a Jersey-based web application in much the same
+way as it can be used to secure a Spring MVC-based web application. However, if you want
+to use Spring Security's method-level security with Jersey, you must configure Jersey to
+use `setStatus(int)` rather `sendError(int)`. This prevents Jersey from committing the
+response before Spring Security has had an opportunity to report an authentication or
+authorization failure to the client.
+
+The `jersey.config.server.response.setStatusOverSendError` must be set to `true` on the
+application's `ResourceConfig` bean, as shown in the following example:
+
+[source,java,indent=0]
+----
+include::{code-examples}/jersey/JerseySetStatusOverSendErrorExample.java[tag=resource-config]
+----
+
+
+
 [[howto-http-clients]]
 == HTTP clients
diff --git a/spring-boot-docs/src/main/java/org/springframework/boot/jersey/JerseySetStatusOverSendErrorExample.java b/spring-boot-docs/src/main/java/org/springframework/boot/jersey/JerseySetStatusOverSendErrorExample.java
new file mode 100644
index 0000000000..6cda7b2f1e
--- /dev/null
+++ b/spring-boot-docs/src/main/java/org/springframework/boot/jersey/JerseySetStatusOverSendErrorExample.java
@@ -0,0 +1,53 @@
+/*
+ * Copyright 2012-2018 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.boot.jersey;
+
+import java.util.Collections;
+
+import javax.servlet.http.HttpServletResponse;
+
+import org.glassfish.jersey.server.ResourceConfig;
+
+import org.springframework.stereotype.Component;
+
+/**
+ * Example configuration for a Jersey {@link ResourceConfig} configured to use
+ * {@link HttpServletResponse#setStatus(int)} rather than
+ * {@link HttpServletResponse#sendError(int)}.
+ *
+ * @author Andy Wilkinson
+ */
+public class JerseySetStatusOverSendErrorExample {
+
+ // tag::resource-config[]
+ @Component
+ public class JerseyConfig extends ResourceConfig {
+
+ public JerseyConfig() {
+ register(Endpoint.class);
+ setProperties(Collections.singletonMap(
+ "jersey.config.server.response.setStatusOverSendError", true));
+ }
+
+ }
+ // end::resource-config[]
+
+ static class Endpoint {
+
+ }
+
+}
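Review bot: The property key in the `JerseyConfig` constructor is a bare string literal, so a typo would still compile and silently leave Jersey calling `sendError(int)`, which per the accompanying howto text is the case where Spring Security cannot report an authentication or authorization failure to the client. Jersey exposes the key as a constant, and `property(...)` sets it without replacing properties configured elsewhere the way `setProperties(...)` does: `property(ServerProperties.RESPONSE_SET_STATUS_OVER_SEND_ERROR, true);` with `import org.glassfish.jersey.server.ServerProperties;`. Separately, `JerseyConfig` is a non-static inner class carrying `@Component`; since readers will copy the tagged region as a standalone class, declaring it `public static class JerseyConfig` would make the example instantiable without an enclosing instance.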