diff --git a/spring-boot-project/spring-boot-docs/src/main/asciidoc/howto.adoc b/spring-boot-project/spring-boot-docs/src/main/asciidoc/howto.adoc
index f42b52ab8f6..08aaec67604 100644
--- a/spring-boot-project/spring-boot-docs/src/main/asciidoc/howto.adoc
+++ b/spring-boot-project/spring-boot-docs/src/main/asciidoc/howto.adoc
@@ -1351,6 +1351,30 @@ For more detail, see the following sections:
+[[howto-jersey]]
+== Jersey
+
+
+
+[[howto-jersey-spring-security]]
+=== Secure Jersey endpoints with Spring Security
+Spring Security can be used to secure a Jersey-based web application in much the same
+way as it can be used to secure a Spring MVC-based web application. However, if you want
+to use Spring Security's method-level security with Jersey, you must configure Jersey to
+use `setStatus(int)` rather `sendError(int)`. This prevents Jersey from committing the
+response before Spring Security has had an opportunity to report an authentication or
+authorization failure to the client.
+
+The `jersey.config.server.response.setStatusOverSendError` proeprty must be set to `true`
+on the application's `ResourceConfig` bean, as shown in the following example:
+
+[source,java,indent=0]
+----
+include::{code-examples}/jersey/JerseySetStatusOverSendErrorExample.java[tag=resource-config]
+----
+
+
+
 [[howto-http-clients]]
 == HTTP Clients
diff --git a/spring-boot-project/spring-boot-docs/src/main/java/org/springframework/boot/docs/jersey/JerseySetStatusOverSendErrorExample.java b/spring-boot-project/spring-boot-docs/src/main/java/org/springframework/boot/docs/jersey/JerseySetStatusOverSendErrorExample.java
new file mode 100644
index 00000000000..6cda7b2f1e9
--- /dev/null
+++ b/spring-boot-project/spring-boot-docs/src/main/java/org/springframework/boot/docs/jersey/JerseySetStatusOverSendErrorExample.java
@@ -0,0 +1,53 @@
+/*
+ * Copyright 2012-2018 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.boot.jersey;
+
+import java.util.Collections;
+
+import javax.servlet.http.HttpServletResponse;
+
+import org.glassfish.jersey.server.ResourceConfig;
+
+import org.springframework.stereotype.Component;
+
+/**
+ * Example configuration for a Jersey {@link ResourceConfig} configured to use
+ * {@link HttpServletResponse#setStatus(int)} rather than
+ * {@link HttpServletResponse#sendError(int)}.
+ *
+ * @author Andy Wilkinson
+ */
+public class JerseySetStatusOverSendErrorExample {
+
+ // tag::resource-config[]
+ @Component
+ public class JerseyConfig extends ResourceConfig {
+
+ public JerseyConfig() {
+ register(Endpoint.class);
+ setProperties(Collections.singletonMap(
+ "jersey.config.server.response.setStatusOverSendError", true));
+ }
+
+ }
+ // end::resource-config[]
+
+ static class Endpoint {
+
+ }
+
+}
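Review bot: The `package org.springframework.boot.jersey;` line does not match the directory this new file is created in (`.../org/springframework/boot/docs/jersey/`); it should read `package org.springframework.boot.docs.jersey;`. In the `JerseyConfig` constructor the property name is passed as a bare string, and as far as I know Jersey does not reject unknown property keys, so a misspelling there would leave `sendError(int)` in effect and Spring Security's authentication or authorization failures would stop being reported to the client without any startup error. Jersey's `ServerProperties.RESPONSE_SET_STATUS_OVER_SEND_ERROR` constant turns that into a compile-time check: `setProperties(Collections.singletonMap(ServerProperties.RESPONSE_SET_STATUS_OVER_SEND_ERROR, true));`. A one-line comment above the call, such as `// Keep the response uncommitted so Spring Security can report auth failures`, would also carry the reason into the tagged documentation snippet.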