Open aerben opened 10 years ago
I think for role-based security constraints we can already rely on container-managed roles via @javax.annotation.security.* annotations. They should be working out of the box or can be enabled easily by modifying the RestApplication class in the fx-pastebin-server module.
For fine-grained stuff (e.g. a user should be able to change his/her own profile but not the profile of another user) we might rely on the SecurityContext that JAX-RS 2.0 has to offer: https://jersey.java.net/documentation/latest/security.html (documentation of the JAX-RS reference implementation [RI] a.k.a. "Jersey").
Maybe a filter (https://jersey.java.net/documentation/latest/filters-and-interceptors.html) might be all that is needed for fine-grained access control...
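An added illustration of how the two layers mentioned above could fit together in JAX-RS 2.0 (not code from fx-pastebin or from the commenter): container-managed `@RolesAllowed` for the coarse role check, plus a name-bound `ContainerRequestFilter` that uses `SecurityContext` for the "only your own profile" rule. The `ProfileResource`, the `@OwnerOnly` annotation and the `userId` path parameter are hypothetical, and `@RolesAllowed` is assumed to be enabled in the application (e.g. Jersey's `RolesAllowedDynamicFeature`).

```java
import java.io.IOException;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.security.Principal;
import javax.annotation.Priority;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.*;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;

// Hypothetical name-binding annotation: marks methods only the profile owner may call.
@NameBinding
@Retention(RetentionPolicy.RUNTIME)
@interface OwnerOnly {}

// Runs at AUTHORIZATION priority, i.e. after the container has authenticated the caller.
@Provider
@OwnerOnly
@Priority(Priorities.AUTHORIZATION)
class OwnerOnlyFilter implements ContainerRequestFilter {
    @Override
    public void filter(ContainerRequestContext ctx) throws IOException {
        SecurityContext sc = ctx.getSecurityContext();
        Principal user = sc == null ? null : sc.getUserPrincipal();
        if (user == null) {                    // not authenticated at all: 401, not 403
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
            return;
        }
        // Compare the caller's identity with the {userId} in the path; admins may edit anyone.
        String requested = ctx.getUriInfo().getPathParameters().getFirst("userId");
        if (!user.getName().equals(requested) && !sc.isUserInRole("admin")) {
            ctx.abortWith(Response.status(Response.Status.FORBIDDEN).build());
        }
    }
}

// Hypothetical resource; the path parameter name must match the one the filter reads.
@Path("/users/{userId}/profile")
@RolesAllowed("user")        // coarse, container-managed: any authenticated "user" reaches this
class ProfileResource {
    @GET
    public Response read(@PathParam("userId") String userId) { return Response.ok("profile of " + userId).build(); }

    @PUT
    @OwnerOnly               // fine-grained: only the owner (or an admin) may modify
    public Response update(@PathParam("userId") String userId, String body) { return Response.ok().build(); }
}
```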
We could also use Spring Security which I already know quite well. But I'll have a closer look into the links you posted - maybe the JAX-RS solutions are suited well enough. SS would have the disadvantage of the (small) Spring Container overhead - and we would stray from the just-Java-EE path.
Right now, we only have a very rudimentary user profile entity and no security for our REST interface. That'll have to change soon. Which security framework for our REST interface should we use?