How to implement authentication and authorization for web services?

Good afternoon.
A question has come up: how, after all, do you implement container-independent authorization for a web application?
What was tried:
Configuring JAAS on GlassFish 4.
What didn't suit me:
You have to configure the container, and I'd rather not do that. Ideally I'd like to handle everything in code.
What had problems:
Writing my own ContainerRequestFilter for a Jersey RESTful service worked. I used BASIC authorization as the example. Annotations like
@RolesAllowed etc. started working. But! They only work with resource classes. If a class is annotated as @Stateless, for example, the filter doesn't work for it. Digging deeper gave the following results: when we filter requests we create our own SecurityContext, which works for resource classes. But @Stateless already uses its own EJBContext, which there is no way to get at except through container configuration. I want to do all of this in the standard way and as platform-independently as possible.
I'd love to hear your options and thoughts on this.
October 3rd 19 at 03:11
3 answers
October 3rd 19 at 03:13
Spring Security seems quite independent, although to be honest — I've used it exclusively with Tomcat :)
The thing is, I'd like to build it on the standard, without pulling in third-party libraries. If that doesn't work, there's always Shiro. - jamal commented on October 3rd 19 at 03:16
Standard JAAS is not made for people. Spring Security is relatively simple, flexible, has understandable source code, and is based on the servlet standard, which ensures portability. A big plus is that a standard solution is already implemented, or there is a good abstraction for your own implementation. For services based on Jersey it works great -- I know from experience. - justice.Kuhn commented on October 3rd 19 at 03:19
October 3rd 19 at 03:15
It seems to me that to avoid depending on the container there are two main options:

1. Do everything yourself. For example, add to the web service's business logic the fields needed for authorization (user/password, say). A dumb and very simple method. Perhaps its only advantage is 100% control of the process in your business logic, and even then only if you really need that control.
2. Use some common standard implemented by all containers. That is, with this approach container independence means that if the standard is implemented everywhere, you don't need to worry about surprises when you change containers. For example, WS-Security is a common, stable standard.

By the way, mixing the two approaches is also possible. For example, I used the WS-Security standard, but since I needed additional processing, I declined the container's implementation and wrote my own handler.

In general there can be many options; it all depends on the time available and the desire to search and understand.
That's the most that can be done. But there is also the interesting @RolesAllowed annotation, which I want to use in conjunction with EJB. - jamal commented on October 3rd 19 at 03:18
October 3rd 19 at 03:17
I think this will be interesting. I went this way: jaspic tutorial.
