JAX-RS Spring Security Demo 
===========================

The demo shows how to use Spring Security to secure a JAXRS-based RESTful service.
 
Two approaches toward securing a service are shown:

- using Spring Security @Secured annotations
- using AspectJ pointcut expressions

Additionally, the demo shows how JAXRS annotations are inherited from interface and abstract class
definitions.




Building and running the demo using maven
-----------------------------------------

From the base directory of this sample (i.e., where this README file is
located), the maven pom.xml file can be used to build and run the demo. 


Using either UNIX or Windows:

  mvn install
  mvn -Pserver  (from one command line window)
  mvn -Pclient  (from a second command line window)
    

To remove the target dir, run "mvn clean".



What happens when a demo is run
-------------------------------

The demo web application, located in the webapp folder, is configured so that two users, fred and bob,
are able to access various methods of a customer service bean.

Fred is in both ROLE_CUSTOMER and ROLE_ADMIN roles, while Bob is in the ROLE_CUSTOMER role only.
After the server starts, the client is run and it's shown that Fred can access all the methods
while Bob can access only those which ROLE_CUSTOMER users are permitted to. 

By default, the demo is configured to use AspectJ pointcut expressions to apply ACL rules to a service bean.
Please see webapp/WEB-INF/beans.xml as well as src/demo/jaxrs/service.

The demo.jaxrs.service.CustomerServiceImpl bean implements the CustomerService interface. AspectJ expressions are applied to the interface methods. Note that neither the CustomerService interface nor its CustomerServiceImpl implementation has security-specific annotations. The CustomerService interface does have JAXRS annotations, which are inherited by the service bean.

To see the @Secured annotations in action, please uncomment 

<bean id="customerservice" class="demo.jaxrs.service.CustomerServiceSecuredImpl"/>

and comment out the one used by default:

<bean id="customerservice" class="demo.jaxrs.service.CustomerServiceImpl"/>

Note that this time the @Secured annotations come from the CustomerServiceSecured interface, while
the JAXRS annotations are inherited from the AbstractCustomerServiceSecured class. Also, the @Secured annotations have to be explicitly enabled in the configuration:

<security:global-method-security secured-annotations="enabled"/>

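Basic authentication is used to provide user credentials to the service.
HTTPS is not used in this demo, for simplicity only. Because Basic authentication sends the
credentials merely Base64-encoded, a real deployment should run the service over HTTPS.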
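
The two approaches described above, side by side, as an added example that is not the demo's own beans.xml. It assumes the Spring Security 3.x XML namespace; the method names getCustomer and deleteCustomer and both passwords are hypothetical placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example; assumes Spring Security 3.x. Not the demo's beans.xml. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans.xsd
         http://www.springframework.org/schema/security
         http://www.springframework.org/schema/security/spring-security.xsd">

  <!-- Users and roles as described in this README; passwords are placeholders. -->
  <security:authentication-manager>
    <security:authentication-provider>
      <security:user-service>
        <security:user name="fred" password="FRED_PASSWORD_PLACEHOLDER"
                       authorities="ROLE_CUSTOMER, ROLE_ADMIN"/>
        <security:user name="bob" password="BOB_PASSWORD_PLACEHOLDER"
                       authorities="ROLE_CUSTOMER"/>
      </security:user-service>
    </security:authentication-provider>
  </security:authentication-manager>

  <!-- Every request must authenticate with HTTP Basic. -->
  <security:http>
    <security:intercept-url pattern="/**" access="ROLE_CUSTOMER"/>
    <security:http-basic/>
  </security:http>

  <!-- Approach 1: AspectJ pointcuts on the CustomerService interface methods.
       Method names are hypothetical; no security annotations in the Java code. -->
  <security:global-method-security>
    <security:protect-pointcut
        expression="execution(* demo.jaxrs.service.CustomerService.getCustomer(..))"
        access="ROLE_CUSTOMER, ROLE_ADMIN"/>
    <security:protect-pointcut
        expression="execution(* demo.jaxrs.service.CustomerService.deleteCustomer(..))"
        access="ROLE_ADMIN"/>
  </security:global-method-security>
  <bean id="customerservice" class="demo.jaxrs.service.CustomerServiceImpl"/>

  <!-- Approach 2: replace the two elements above with the following, so that
       the rules come from @Secured on the CustomerServiceSecured interface:
       <security:global-method-security secured-annotations="enabled"/>
       <bean id="customerservice" class="demo.jaxrs.service.CustomerServiceSecuredImpl"/>
  -->
</beans>
```

With the default access decision setup, a comma-separated access list admits a caller who holds any one of the listed roles, so the first pointcut lets both fred and bob through while the second admits only fred.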
