Container Request Filter

The REST Policy Invoker bundle registers a global JAX-RS request filter as an OSGi service under the javax.ws.rs.container.ContainerRequestFilter interface. The filter configures an org.glassfish.jersey.server.SubjectSecurityContext for all HTTP requests processed by the Jersey JAX-RS container. The SubjectSecurityContext interface is a Jersey-specific extension of the standard javax.ws.rs.core.SecurityContext interface which allows establishing a subject before a resource method or a sub-resource locator is called.

The default implementation of the SubjectSecurityContext leverages PolicyAdmin in order to determine if the remote user (subject) associated with the HTTP request has the permissions required to invoke the corresponding REST operation.

Registering Bundle

The service is registered by the REST Policy Invoker Bundle, which secures the JSON-RPC method calls based on the configuration in the Policy Admin Service. It ensures that the remote service is called within the security context associated with the currently logged-in user.

The default implementation of the SubjectSecurityContext relies on the presence of the org.osgi.service.http.authentication.remote.user attribute in the HTTP request's context in order to identify the remote user and associate it with a valid entity in the OSGi User Admin service, which correlates to an identity of type useradmin in the Policy Admin service. If the attribute org.osgi.service.http.authentication.remote.user is not present in the HTTP session or its value does not correlate to a valid useradmin identity, then the default implementation will not work and a custom implementation must be provided instead.
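The mechanism described above, as an added sketch that is not the bundle's own code: a request filter that reads the remote-user attribute, rejects the request when it is missing, and installs a SubjectSecurityContext so Jersey runs the resource method as that subject. The class name RemoteUserSubjectFilter is hypothetical, and resolving the name against User Admin and Policy Admin is left out because those APIs are not shown on this page.

```java
import java.io.IOException;
import java.security.Principal;
import java.security.PrivilegedAction;
import javax.annotation.Priority;
import javax.security.auth.Subject;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Response;
import org.glassfish.jersey.server.SubjectSecurityContext;

// Hypothetical class name; illustrates the pattern only.
@Priority(Priorities.AUTHENTICATION)
public class RemoteUserSubjectFilter implements ContainerRequestFilter {
    static final String REMOTE_USER = "org.osgi.service.http.authentication.remote.user";

    @Override
    public void filter(ContainerRequestContext ctx) throws IOException {
        // In a servlet container, request properties expose the servlet request attributes.
        Object user = ctx.getProperty(REMOTE_USER);
        if (!(user instanceof String) || ((String) user).isEmpty()) {
            // Fail closed: without an authenticated user no resource method is invoked.
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
            return;
        }
        final String name = (String) user;
        final boolean secure = ctx.getSecurityContext().isSecure();
        final Principal principal = () -> name;
        final Subject subject = new Subject();
        subject.getPrincipals().add(principal);
        subject.setReadOnly(); // later code cannot add principals or credentials

        ctx.setSecurityContext(new SubjectSecurityContext() {
            @Override public Object doAsSubject(PrivilegedAction action) {
                // Jersey calls this around resource methods and sub-resource locators.
                return Subject.doAs(subject, action);
            }
            @Override public Principal getUserPrincipal() { return principal; }
            // Assumption: deny all role checks here; a real filter would consult its policy service.
            @Override public boolean isUserInRole(String role) { return false; }
            @Override public boolean isSecure() { return secure; }
            @Override public String getAuthenticationScheme() { return "REMOTE_USER"; }
        });
    }
}
```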
