This project is a simple example that creates a custom one-time-password authentication protocol. It uses ContainerRequestFilter and ClientRequestFilter to implement this along with a @NameBinding to secure which parts you want to secure. It also has an authorization filter that allows you to specify how many times per day a user is allowed to invoke a method.
This will build a WAR and run it with embedded Jetty.
ex15_1
|-- pom.xml
`-- src
|-- main
| |-- java
| | `-- com
| | `-- restfully
| | `-- shop
| | |-- domain
| | | `-- Customer.java
| | |-- features
| | | |-- AllowedPerDay.java
| | | |-- OTP.java
| | | |-- OTPAuthenticated.java
| | | |-- OneTimePasswordAuthenticator.java
| | | |-- OneTimePasswordGenerator.java
| | | `-- PerDayAuthorizer.java
| | `-- services
| | |-- CustomerResource.java
| | `-- ShoppingApplication.java
| `-- webapp
| `-- WEB-INF
| `-- web.xml
`-- test
`-- java
`-- com
`-- restfully
`-- shop
`-- test
`-- CustomerResourceTest.java
pom.xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<parent>
<groupId>com.oreilly.rest.workbook</groupId>
<artifactId>jaxrs-2.0-workbook-pom</artifactId>
<version>1.0</version>
<relativePath>../pom.xml</relativePath>
</parent>
<modelVersion>4.0.0</modelVersion>
<groupId>com.oreilly.rest.workbook</groupId>
<artifactId>jaxrs-2.0-workbook-ex15_1</artifactId>
<version>2.0</version>
<packaging>war</packaging>
<name>ex15_1</name>
<description/>
<dependencies>
<dependency>
<groupId>org.jboss.resteasy</groupId>
<artifactId>resteasy-jaxrs</artifactId>
<version>3.0.12.Final-SNAPSHOT</version>
</dependency>
<dependency>
<groupId>org.jboss.resteasy</groupId>
<artifactId>resteasy-client</artifactId>
<version>3.0.12.Final-SNAPSHOT</version>
</dependency>
<dependency>
<groupId>org.jboss.resteasy</groupId>
<artifactId>async-http-servlet-3.0</artifactId>
<version>3.0.12.Final-SNAPSHOT</version>
</dependency>
<dependency>
<groupId>org.jboss.resteasy</groupId>
<artifactId>jaxrs-api</artifactId>
<version>3.0.12.Final-SNAPSHOT</version>
</dependency>
<dependency>
<groupId>org.jboss.resteasy</groupId>
<artifactId>resteasy-servlet-initializer</artifactId>
<version>3.0.12.Final-SNAPSHOT</version>
</dependency>
<dependency>
<groupId>org.jboss.resteasy</groupId>
<artifactId>resteasy-jaxb-provider</artifactId>
<version>3.0.12.Final-SNAPSHOT</version>
</dependency>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>4.1</version>
<scope>test</scope>
</dependency>
</dependencies>
<build>
<finalName>ex15_1</finalName>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-deploy-plugin</artifactId>
<configuration>
<skip>true</skip>
</configuration>
</plugin>
<plugin>
<groupId>org.eclipse.jetty</groupId>
<artifactId>jetty-maven-plugin</artifactId>
<version>9.0.6.v20130930</version>
<configuration>
<webApp>
<contextPath>/</contextPath>
</webApp>
<scanIntervalSeconds>10</scanIntervalSeconds>
<stopKey>foo</stopKey>
<stopPort>9999</stopPort>
<stopWait>1</stopWait>
</configuration>
<executions>
<execution>
<id>start-jetty</id>
<phase>pre-integration-test</phase>
<goals>
<goal>run</goal>
</goals>
<configuration>
<scanIntervalSeconds>0</scanIntervalSeconds>
<daemon>true</daemon>
</configuration>
</execution>
<execution>
<id>stop-jetty</id>
<phase>post-integration-test</phase>
<goals>
<goal>stop</goal>
</goals>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-plugin</artifactId>
<configuration>
<skip>true</skip>
</configuration>
<executions>
<execution>
<id>surefire-it</id>
<phase>integration-test</phase>
<goals>
<goal>test</goal>
</goals>
<configuration>
<skip>false</skip>
</configuration>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<configuration>
<source>1.6</source>
<target>1.6</target>
</configuration>
</plugin>
</plugins>
</build>
</project>
src/main/webapp/WEB-INF/web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
</web-app>
src/main/java/com/restfully/shop/domain/Customer.java
package com.restfully.shop.domain;
import javax.xml.bind.annotation.XmlAttribute;
import javax.xml.bind.annotation.XmlElement;
import javax.xml.bind.annotation.XmlRootElement;
@XmlRootElement(name = "customer")
public class Customer
{
private int id;
private String firstName;
private String lastName;
private String street;
private String city;
private String state;
private String zip;
private String country;
@XmlAttribute
public int getId()
{
return id;
}
public void setId(int id)
{
this.id = id;
}
@XmlElement(name = "first-name")
public String getFirstName()
{
return firstName;
}
public void setFirstName(String firstName)
{
this.firstName = firstName;
}
@XmlElement(name = "last-name")
public String getLastName()
{
return lastName;
}
public void setLastName(String lastName)
{
this.lastName = lastName;
}
@XmlElement
public String getStreet()
{
return street;
}
public void setStreet(String street)
{
this.street = street;
}
@XmlElement
public String getCity()
{
return city;
}
public void setCity(String city)
{
this.city = city;
}
@XmlElement
public String getState()
{
return state;
}
public void setState(String state)
{
this.state = state;
}
@XmlElement
public String getZip()
{
return zip;
}
public void setZip(String zip)
{
this.zip = zip;
}
@XmlElement
public String getCountry()
{
return country;
}
public void setCountry(String country)
{
this.country = country;
}
@Override
public String toString()
{
return "Customer{" +
"id=" + id +
", firstName='" + firstName + '\'' +
", lastName='" + lastName + '\'' +
", street='" + street + '\'' +
", city='" + city + '\'' +
", state='" + state + '\'' +
", zip='" + zip + '\'' +
", country='" + country + '\'' +
'}';
}
}
src/main/java/com/restfully/shop/features/AllowedPerDay.java
package com.restfully.shop.features;
import javax.ws.rs.NameBinding;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
/**
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
* @version $Revision: 1 $
*/
@Target({ElementType.METHOD, ElementType.TYPE})
@Retention(RetentionPolicy.RUNTIME)
@NameBinding
public @interface AllowedPerDay
{
int value();
}
src/main/java/com/restfully/shop/features/OTP.java
package com.restfully.shop.features;
import org.jboss.resteasy.util.Base64;
import java.nio.charset.Charset;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
/**
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
* @version $Revision: 1 $
*/
public class OTP
{
public static String generateToken(String secret)
{
long minutes = System.currentTimeMillis() / 1000 / 60;
String concat = secret + minutes;
MessageDigest digest = null;
try
{
digest = MessageDigest.getInstance("MD5");
}
catch (NoSuchAlgorithmException e)
{
throw new IllegalArgumentException(e);
}
byte[] hash = digest.digest(concat.getBytes(Charset.forName("UTF-8")));
return Base64.encodeBytes(hash);
}
}
src/main/java/com/restfully/shop/features/OTPAuthenticated.java
package com.restfully.shop.features;
import javax.ws.rs.NameBinding;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
/**
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
* @version $Revision: 1 $
*/
@Target({ElementType.METHOD, ElementType.TYPE})
@Retention(RetentionPolicy.RUNTIME)
@NameBinding
public @interface OTPAuthenticated
{
}
src/main/java/com/restfully/shop/features/OneTimePasswordAuthenticator.java
package com.restfully.shop.features;
import javax.annotation.Priority;
import javax.ws.rs.NotAuthorizedException;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.SecurityContext;
import java.io.IOException;
import java.security.Principal;
import java.util.Map;
/**
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
* @version $Revision: 1 $
*/
@OTPAuthenticated
@Priority(Priorities.AUTHENTICATION)
public class OneTimePasswordAuthenticator implements ContainerRequestFilter
{
protected Map<String, String> userSecretMap;
public OneTimePasswordAuthenticator(Map<String, String> userSecretMap)
{
this.userSecretMap = userSecretMap;
}
@Override
public void filter(ContainerRequestContext requestContext) throws IOException
{
String authorization = requestContext.getHeaderString(HttpHeaders.AUTHORIZATION);
if (authorization == null) throw new NotAuthorizedException("OTP");
String[] split = authorization.split(" ");
final String user = split[0];
String otp = split[1];
String secret = userSecretMap.get(user);
if (secret == null) throw new NotAuthorizedException("OTP");
String regen = OTP.generateToken(secret);
if (!regen.equals(otp)) throw new NotAuthorizedException("OTP");
final SecurityContext securityContext = requestContext.getSecurityContext();
requestContext.setSecurityContext(new SecurityContext()
{
@Override
public Principal getUserPrincipal()
{
return new Principal()
{
@Override
public String getName()
{
return user;
}
};
}
@Override
public boolean isUserInRole(String role)
{
return false;
}
@Override
public boolean isSecure()
{
return securityContext.isSecure();
}
@Override
public String getAuthenticationScheme()
{
return "OTP";
}
});
}
}
src/main/java/com/restfully/shop/features/OneTimePasswordGenerator.java
package com.restfully.shop.features;
import javax.ws.rs.client.ClientRequestContext;
import javax.ws.rs.client.ClientRequestFilter;
import javax.ws.rs.core.HttpHeaders;
import java.io.IOException;
/**
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
* @version $Revision: 1 $
*/
public class OneTimePasswordGenerator implements ClientRequestFilter
{
protected String user;
protected String secret;
public OneTimePasswordGenerator(String user, String secret)
{
this.user = user;
this.secret = secret;
}
@Override
public void filter(ClientRequestContext requestContext) throws IOException
{
String otp = OTP.generateToken(secret);
requestContext.getHeaders().putSingle(HttpHeaders.AUTHORIZATION, user + " " + otp);
}
}
src/main/java/com/restfully/shop/features/PerDayAuthorizer.java
package com.restfully.shop.features;
import javax.annotation.Priority;
import javax.ws.rs.ForbiddenException;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.ResourceInfo;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.SecurityContext;
import java.io.IOException;
import java.lang.reflect.Method;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
/**
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
* @version $Revision: 1 $
*/
@AllowedPerDay(0)
@Priority(Priorities.AUTHORIZATION)
public class PerDayAuthorizer implements ContainerRequestFilter
{
@Context
ResourceInfo info;
public void filter(ContainerRequestContext requestContext) throws IOException
{
SecurityContext sc = requestContext.getSecurityContext();
if (sc == null) throw new ForbiddenException();
Principal principal = sc.getUserPrincipal();
if (principal == null) throw new ForbiddenException();
String user = principal.getName();
if (!authorized(user))
{
throw new ForbiddenException();
}
}
protected static class UserMethodKey
{
String username;
Method method;
public UserMethodKey(String username, Method method)
{
this.username = username;
this.method = method;
}
@Override
public boolean equals(Object o)
{
if (this == o) return true;
if (o == null || getClass() != o.getClass()) return false;
UserMethodKey that = (UserMethodKey) o;
if (!method.equals(that.method)) return false;
if (!username.equals(that.username)) return false;
return true;
}
@Override
public int hashCode()
{
int result = username.hashCode();
result = 31 * result + method.hashCode();
return result;
}
}
protected Map<UserMethodKey, Integer> count = new HashMap<UserMethodKey, Integer>();
protected long today = System.currentTimeMillis();
protected synchronized boolean authorized(String user)
{
if (System.currentTimeMillis() > today + (24 * 60 * 60 * 1000))
{
today = System.currentTimeMillis();
count.clear();
}
UserMethodKey key = new UserMethodKey(user, info.getResourceMethod());
Integer counter = count.get(key);
if (counter == null)
{
counter = 0;
}
AllowedPerDay allowed = info.getResourceMethod().getAnnotation(AllowedPerDay.class);
if (allowed.value() > counter)
{
count.put(key, counter + 1);
return true;
}
return false;
}
}
src/main/java/com/restfully/shop/services/CustomerResource.java
package com.restfully.shop.services;
import com.restfully.shop.domain.Customer;
import com.restfully.shop.features.AllowedPerDay;
import com.restfully.shop.features.OTPAuthenticated;
import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.PUT;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Response;
import java.net.URI;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;
@Path("/customers")
public class CustomerResource
{
private Map<Integer, Customer> customerDB = new ConcurrentHashMap<Integer, Customer>();
private AtomicInteger idCounter = new AtomicInteger();
public CustomerResource()
{
}
@POST
@Consumes("application/xml")
public Response createCustomer(Customer customer)
{
customer.setId(idCounter.incrementAndGet());
customerDB.put(customer.getId(), customer);
System.out.println("Created customer " + customer.getId());
return Response.created(URI.create("/customers/" + customer.getId())).build();
}
@GET
@Path("{id}")
@Produces("application/xml")
@OTPAuthenticated
public Customer getCustomer(@PathParam("id") int id)
{
Customer customer = customerDB.get(id);
if (customer == null)
{
throw new WebApplicationException(Response.Status.NOT_FOUND);
}
return customer;
}
@PUT
@Path("{id}")
@Consumes("application/xml")
@OTPAuthenticated
@AllowedPerDay(1)
public void updateCustomer(@PathParam("id") int id, Customer update)
{
Customer current = customerDB.get(id);
if (current == null) throw new WebApplicationException(Response.Status.NOT_FOUND);
current.setFirstName(update.getFirstName());
current.setLastName(update.getLastName());
current.setStreet(update.getStreet());
current.setState(update.getState());
current.setZip(update.getZip());
current.setCountry(update.getCountry());
}
}
src/main/java/com/restfully/shop/services/ShoppingApplication.java
package com.restfully.shop.services;
import com.restfully.shop.features.OneTimePasswordAuthenticator;
import com.restfully.shop.features.PerDayAuthorizer;
import javax.ws.rs.ApplicationPath;
import javax.ws.rs.core.Application;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Set;
@ApplicationPath("/services")
public class ShoppingApplication extends Application
{
private Set<Object> singletons = new HashSet<Object>();
public ShoppingApplication()
{
singletons.add(new CustomerResource());
HashMap<String, String> userSecretMap = new HashMap<String, String>();
userSecretMap.put("bburke", "geheim");
singletons.add(new OneTimePasswordAuthenticator(userSecretMap));
singletons.add(new PerDayAuthorizer());
}
@Override
public Set<Object> getSingletons()
{
return singletons;
}
}
src/test/java/com/restfully/shop/test/CustomerResourceTest.java
package com.restfully.shop.test;
import com.restfully.shop.domain.Customer;
import com.restfully.shop.features.OneTimePasswordGenerator;
import junit.framework.Assert;
import org.junit.AfterClass;
import org.junit.BeforeClass;
import org.junit.Test;
import javax.ws.rs.NotAuthorizedException;
import javax.ws.rs.client.Client;
import javax.ws.rs.client.ClientBuilder;
import javax.ws.rs.client.Entity;
import javax.ws.rs.client.WebTarget;
import javax.ws.rs.core.Response;
/**
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
* @version $Revision: 1 $
*/
public class CustomerResourceTest
{
private static Client client;
@BeforeClass
public static void initClient()
{
client = ClientBuilder.newClient();
}
@AfterClass
public static void closeClient()
{
client.close();
}
@Test
public void testCustomerResource() throws Exception
{
System.out.println("*** Create a new Customer ***");
Customer newCustomer = new Customer();
newCustomer.setFirstName("Bill");
newCustomer.setLastName("Burke");
newCustomer.setStreet("256 Clarendon Street");
newCustomer.setCity("Boston");
newCustomer.setState("MA");
newCustomer.setZip("02115");
newCustomer.setCountry("USA");
Response response = client.target("http://localhost:8080/services/customers")
.request().post(Entity.xml(newCustomer));
if (response.getStatus() != 201) throw new RuntimeException("Failed to create");
String location = response.getLocation().toString();
System.out.println("Location: " + location);
response.close();
System.out.println("*** GET Created Customer **");
Customer customer = null;
WebTarget target = client.target(location);
try
{
customer = target.request().get(Customer.class);
Assert.fail(); // should have thrown an exception
}
catch (NotAuthorizedException e)
{
}
target.register(new OneTimePasswordGenerator("bburke", "geheim"));
customer = target.request().get(Customer.class);
System.out.println(customer);
customer.setFirstName("William");
response = target.request().put(Entity.xml(customer));
if (response.getStatus() != 204) throw new RuntimeException("Failed to update");
// Show the update
System.out.println("**** After Update ***");
customer = target.request().get(Customer.class);
System.out.println(customer);
// only allowed to update once per day
customer.setFirstName("Bill");
response = target.request().put(Entity.xml(customer));
Assert.assertEquals(Response.Status.FORBIDDEN, response.getStatusInfo());
}
}