JAX-RS Spring Security Demo
===========================

The demo shows how to use Spring Security to secure a JAXRS-based RESTful service.
Two approaches toward securing a service are shown:

- using Spring Security @Secured annotations
- using AspectJ pointcut expressions

Additionally, JAXRS annotations inheritance is demonstrated, from both
interface and abstract class definitions.

Building and running the demo using Maven
-----------------------------------------

From the base directory of this sample (i.e., where this README file is
located), the maven pom.xml file can be used to build and run the demo.

Using either UNIX or Windows:

  mvn clean install
  mvn -Pserver  (from one command line window)
  mvn -Pclient  (from a second command line window)

To remove the target directory, run "mvn clean".

What happens when the demo is run
---------------------------------

The demo web application located in a webapp folder is configured for two users,
Fred and Bob, to be able to access various methods of a customer service bean.
Fred is in both the ROLE_CUSTOMER and ROLE_ADMIN roles, while Bob is in the
ROLE_CUSTOMER role only. After the server starts, the client is run and it is
shown that Fred can access all the methods while Bob can access only those
which ROLE_CUSTOMER users are permitted to.

By default, the demo is configured to use AspectJ pointcut expressions to apply
ACL rules to a service bean. Please see src/main/webapp/WEB-INF/beans.xml as
well as src/demo/jaxrs/service. The demo.jaxrs.service.CustomerServiceImpl bean
implements the CustomerService interface, and the AspectJ expressions are
applied to the interface methods. Note that neither the CustomerService
interface nor its CustomerServiceImpl implementation has security-specific
annotations. The CustomerService interface does have JAXRS annotations, which
are inherited by the service bean.
To see the @Secured annotations in action, please uncomment the @Secured
variant and comment out the one used by default:

Note that this time the @Secured annotations come from a CustomerServiceSecured
interface, while the JAXRS annotations are inherited from the
AbstractCustomerServiceSecured class. Also, the secured annotations have to be
explicitly enabled in the configuration:

Basic authentication is used to provide user credentials to a service. For
simplicity, the HTTPS protocol is avoided in this sample but should be used in
production.
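The following listing is an added illustration, not the sample's own source files, of the two service layouts the README describes: the default layout (JAXRS annotations on the CustomerService interface, access rules expressed as AspectJ pointcuts in beans.xml, no security annotations in Java) and the @Secured layout (roles on the CustomerServiceSecured interface, JAXRS metadata on AbstractCustomerServiceSecured, a plain implementation class). The method names, the resource paths, the Customer data class, the pointcut expressions shown in the comment and the role-to-method mapping are assumptions chosen to match the README's access matrix (Fred may call everything, Bob only what ROLE_CUSTOMER permits); the file markers indicate that each type belongs in its own source file.

```java
// Added illustration, not the sample's own code: method names, paths, the
// Customer class and the role mapping are assumptions for this example.
package demo.jaxrs.service;

import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.ws.rs.DELETE;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Response;
import org.springframework.security.access.annotation.Secured;

// --- CustomerService.java (default layout) -----------------------------
// JAX-RS annotations live on the interface and are inherited by the bean.
// Nothing security-related appears in Java; the rules are AspectJ pointcuts
// in beans.xml, in this assumed form (Spring Security "security" namespace):
//   <security:global-method-security>
//     <security:protect-pointcut
//         expression="execution(* demo.jaxrs.service.CustomerService.getCustomer(..))"
//         access="ROLE_CUSTOMER,ROLE_ADMIN"/>
//     <security:protect-pointcut
//         expression="execution(* demo.jaxrs.service.CustomerService.deleteCustomer(..))"
//         access="ROLE_ADMIN"/>
//   </security:global-method-security>
@Path("/customerservice/")
public interface CustomerService {
    @GET
    @Path("/customers/{id}/")
    @Produces("application/xml")
    Customer getCustomer(@PathParam("id") String id);

    @DELETE
    @Path("/customers/{id}/")
    Response deleteCustomer(@PathParam("id") String id);
}

// --- CustomerServiceSecured.java (@Secured layout): roles only ----------
// Spring's @Secured lookup follows interfaces, so the rule travels with the
// contract rather than with a particular implementation class.
interface CustomerServiceSecured {
    @Secured({"ROLE_CUSTOMER", "ROLE_ADMIN"})   // Fred and Bob
    Customer getCustomer(String id);

    @Secured("ROLE_ADMIN")                      // Fred only
    Response deleteCustomer(String id);
}

// --- AbstractCustomerServiceSecured.java: JAX-RS metadata only ----------
// The concrete bean inherits the resource paths from here.
@Path("/customerservice/")
abstract class AbstractCustomerServiceSecured implements CustomerServiceSecured {
    @GET
    @Path("/customers/{id}/")
    @Produces("application/xml")
    public abstract Customer getCustomer(@PathParam("id") String id);

    @DELETE
    @Path("/customers/{id}/")
    public abstract Response deleteCustomer(@PathParam("id") String id);
}

// --- CustomerServiceSecuredImpl.java: business code, no annotations -----
class CustomerServiceSecuredImpl extends AbstractCustomerServiceSecured {
    private final Map<String, Customer> customers = new ConcurrentHashMap<>();

    public Customer getCustomer(String id) {
        Customer c = customers.get(id);
        if (c == null) {
            throw new WebApplicationException(Response.Status.NOT_FOUND);
        }
        return c;
    }

    public Response deleteCustomer(String id) {
        return customers.remove(id) == null
            ? Response.status(Response.Status.NOT_FOUND).build()
            : Response.ok().build();
    }
}
```

Two checks are worth making whichever layout is chosen. First, Spring method security is applied by the proxy that wraps the bean, so a method that calls another secured method on `this` bypasses the second method's rule; keep the role checks on the entry points the resource actually exposes. Second, the @Secured layout only takes effect once secured annotations are enabled in the Spring Security configuration, as the README notes; without that switch the annotations are silently ignored and every authenticated user reaches every method.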
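As an added example, not the sample's own client, the following check exercises the README's access matrix over HTTP Basic authentication using CXF's WebClient. The base address and port, the user passwords, the resource paths and the assumption that a refused call surfaces as an HTTP 403 (and a bad password as 401) are all assumptions of this example.

```java
// Added example, not the sample's client. Base address, port, passwords,
// paths and the 403/401 mapping are assumptions for this illustration.
package demo.jaxrs.client;

import javax.ws.rs.core.Response;
import org.apache.cxf.jaxrs.client.WebClient;

public class AccessMatrixCheck {
    // Plain HTTP as in the demo; Basic auth only base64-encodes the password,
    // so a production deployment must use an https:// address here.
    private static final String BASE = "http://localhost:9002/customerservice/";

    // Issue one call as the given user and return the HTTP status the
    // service answered with. WebClient.create(baseAddress, username,
    // password, configLocation) attaches the Basic Authorization header.
    static int call(String user, String password, String method, String path) {
        WebClient client = WebClient.create(BASE, user, password, null);
        Response r = "DELETE".equals(method)
            ? client.path(path).delete()
            : client.path(path).get();
        return r.getStatus();
    }

    static void expect(int wanted, int got, String what) {
        if (wanted != got) {
            throw new AssertionError(what + ": expected " + wanted + ", got " + got);
        }
    }

    public static void main(String[] args) {
        // Bob holds ROLE_CUSTOMER only: the read passes, the admin-only delete
        // is refused by method security before the service code runs.
        expect(200, call("bob", "bob-password", "GET", "customers/123"), "bob read");
        expect(403, call("bob", "bob-password", "DELETE", "customers/123"), "bob delete");

        // Wrong credentials are rejected by authentication, before any
        // role check; the method security layer is never consulted.
        expect(401, call("bob", "wrong", "GET", "customers/123"), "bad password");

        // Fred holds ROLE_CUSTOMER and ROLE_ADMIN: every method is permitted.
        // The delete runs last so earlier reads still find the record.
        expect(200, call("fred", "fred-password", "GET", "customers/123"), "fred read");
        expect(200, call("fred", "fred-password", "DELETE", "customers/123"), "fred delete");

        System.out.println("access matrix matches the README");
    }
}
```

The value of running this against the deployed webapp, rather than reading the configuration, is that it catches the two silent failure modes above: a pointcut expression that no longer matches after a method is renamed, or secured annotations that were never enabled, both show up as Bob's delete returning 200 instead of 403.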