@Override public boolean isAccessGranted(UI ui, String beanName) { if (applicationContext.findAnnotationOnBean(beanName, DenyAll.class) != null) { // DenyAll (no authentication required) return false; } if (applicationContext.findAnnotationOnBean(beanName, PermitAll.class) != null) { // PermitAll (no authentication required) return true; } // RolesAllowed - authentication required RolesAllowed ra = applicationContext.findAnnotationOnBean(beanName, RolesAllowed.class); if (ra != null) { // check authentication final AuthContext authContext = AuthContext.getCurrent() .orElseThrow(() -> new IllegalStateException("No AuthContext available as Context resource: " + "failed to validate RolesAllowed security annotation on View bean name [" + beanName + "]")); if (!authContext.getAuthentication().isPresent()) { // not authenticated return false; } // check permissions if (ra.value().length > 0) { // for empty roles names, no role is required, only authentication if (!authContext.isPermittedAny(ra.value())) { // no roles matches (with ANY semantic) return false; } } } return true; }
@Override public boolean permitted(SecurityContext securityCtx) { if (this.annotation.annotationType() == DenyAll.class) { return false; } if (this.annotation.annotationType() == PermitAll.class) { // XXX needed? return true; } if (this.annotation.annotationType() == RolesAllowed.class) { final String[] roles = ((RolesAllowed) this.annotation).value(); for (String role : roles) { if (securityCtx.isUserInRole(role)) { return true; } } } return false; }
@Override public void configure(ResourceInfo resourceInfo, FeatureContext context) { final AnnotatedMethod am = new AnnotatedMethod(resourceInfo.getResourceMethod()); final Annotation[][] parameterAnnotations = am.getParameterAnnotations(); //@DenyAll shouldn't be attached to classes final boolean annotationOnClass = (resourceInfo.getResourceClass().getAnnotation(RolesAllowed.class) != null) || (resourceInfo.getResourceClass().getAnnotation(PermitAll.class) != null); final boolean annotationOnMethod = am.isAnnotationPresent(RolesAllowed.class) || am.isAnnotationPresent(DenyAll.class) || am.isAnnotationPresent(PermitAll.class); if (annotationOnClass || annotationOnMethod) { context.register(filterClass); } else { for (Annotation[] annotations : parameterAnnotations) { for (Annotation annotation : annotations) { if (annotation instanceof Auth) { context.register(filterClass); return; } } } } }
private Annotation getAuthAnnotation( AnnotatedElement element ) { Annotation ann = element.getAnnotation( DenyAll.class ); if ( ann == null ) { ann = element.getAnnotation( RolesAllowed.class ); } if ( ann == null ) { ann = element.getAnnotation( PermitAll.class ); } if ( ann == null ) { ann = element.getAnnotation( RelationCredibility.class ); } return ann; }
@Override public void configure(ResourceInfo resourceInfo, FeatureContext context) { final AnnotatedMethod am = new AnnotatedMethod(resourceInfo.getResourceMethod()); final Annotation[][] parameterAnnotations = am.getParameterAnnotations(); if (am.isAnnotationPresent(RolesAllowed.class) || am.isAnnotationPresent(DenyAll.class) || am.isAnnotationPresent(PermitAll.class)) { context.register(authFilter); } else { for (Annotation[] annotations : parameterAnnotations) { for (Annotation annotation : annotations) { if (annotation instanceof Auth) { context.register(authFilter); return; } } } } }
/** * Validation * <p/> * Conflicting use of @RolesAllowed, @PermitAll, and @DenyAll * * @param method * @param ejbName * @param ejbModule * @param seen */ private void checkConflictingSecurityAnnotations(final Annotated<Method> method, final String ejbName, final EjbModule ejbModule, final List<Method> seen) { if (seen.contains(method.get())) { return; } else { seen.add(method.get()); } final List<String> annotations = new ArrayList<String>(); for (final Class<? extends Annotation> annotation : Arrays.asList(RolesAllowed.class, PermitAll.class, DenyAll.class)) { if (method.getAnnotation(annotation) != null) { annotations.add("@" + annotation.getSimpleName()); } } if (annotations.size() > 1) { ejbModule.getValidation().fail(ejbName, "conflictingSecurityAnnotations", method.get().getName(), Join.join(" and ", annotations), method.get().getDeclaringClass()); } }
@GET @Path("/nobody") @Produces(MediaType.TEXT_PLAIN) @DenyAll() public String nobody() { return "nobody"; }
@DenyAll @GET @Path("prv") @Produces(MediaType.TEXT_PLAIN) public String prv() { return "Denied"; }
private void checkSecurity(final MinijaxRequestContext context) { final Annotation a = context.getResourceMethod().getSecurityAnnotation(); if (a == null) { return; } final Class<?> c = a.annotationType(); if (c == PermitAll.class) { return; } if (c == DenyAll.class) { throw new ForbiddenException(); } if (c == RolesAllowed.class) { final SecurityContext security = context.getSecurityContext(); if (security == null || security.getUserPrincipal() == null) { throw new NotAuthorizedException(Response.status(Status.UNAUTHORIZED).build()); } boolean found = false; for (final String role : ((RolesAllowed) a).value()) { if (security.isUserInRole(role)) { found = true; break; } } if (!found) { throw new ForbiddenException(); } } }
private static Annotation findSecurityAnnotation(final Annotation[] annotations) { for (final Annotation a : annotations) { final Class<?> c = a.annotationType(); if (c == PermitAll.class || c == DenyAll.class || c == RolesAllowed.class) { return a; } } return null; }
/** * Check if all relevant methods in use case implementations have permission checks i.e. {@link RolesAllowed}, * {@link DenyAll} or {@link PermitAll} annotation is applied. This is only checked for methods that are declared in * the corresponding interface and thus have the {@link Override} annotations applied. */ @Test public void permissionCheckAnnotationPresent() { String packageName = "com.cap.jumpthequeue"; Filter<String> filter = new Filter<String>() { @Override public boolean accept(String value) { return value.contains(".logic.impl.usecase.Uc") && value.endsWith("Impl"); } }; ReflectionUtil ru = ReflectionUtilImpl.getInstance(); Set<String> classNames = ru.findClassNames(packageName, true, filter); Set<Class<?>> classes = ru.loadClasses(classNames); SoftAssertions assertions = new SoftAssertions(); for (Class<?> clazz : classes) { Method[] methods = clazz.getDeclaredMethods(); for (Method method : methods) { Method parentMethod = ru.getParentMethod(method); if (parentMethod != null) { Class<?> declaringClass = parentMethod.getDeclaringClass(); if (declaringClass.isInterface() && declaringClass.getSimpleName().startsWith("Uc")) { boolean hasAnnotation = false; if (method.getAnnotation(RolesAllowed.class) != null || method.getAnnotation(DenyAll.class) != null || method.getAnnotation(PermitAll.class) != null) { hasAnnotation = true; } assertions.assertThat(hasAnnotation) .as("Method " + method.getName() + " in Class " + clazz.getSimpleName() + " is missing access control") .isTrue(); } } } } assertions.assertAll(); }
public SecurityAnnotationMatcher(Annotation annotation) { if (annotation.annotationType() != PermitAll.class && annotation.annotationType() != DenyAll.class && annotation.annotationType() != RolesAllowed.class) { throw new IllegalArgumentException("Not supported! [" + annotation + "]"); } this.annotation = annotation; }
@Test public void denyAll() { this.builder.denyAll(); assertTrue(getFrameMatchers().isEmpty()); assertEquals(1, getSecurityMatchers().size()); SecurityAnnotationMatcher matcher = (SecurityAnnotationMatcher) getSecurityMatchers().get(0); assertTrue(DenyAll.class.isAssignableFrom(ReflectionUtil.get(matcher, "annotation").getClass())); }
@Override public boolean test(Scope scope) { AnnotatedMethod am = new AnnotatedMethod(scope.getInvokedMethod()); // DenyAll on the method take precedence over RolesAllowed and PermitAll if (am.isAnnotationPresent(DenyAll.class)) { return false; } // RolesAllowed on the method takes precedence over PermitAll RolesAllowed ra = am.getAnnotation(RolesAllowed.class); if (ra != null) { return checkRoles(ra.value()); } // PermitAll takes precedence over RolesAllowed on the class if (am.isAnnotationPresent(PermitAll.class)) { // Do nothing. return true; } // DenyAll can't be attached to classes // RolesAllowed on the class takes precedence over PermitAll ra = scope.getInvokedClass().getAnnotation(RolesAllowed.class); if (ra != null) { return checkRoles(ra.value()); } return true; }
@GET @Path("/denyAllEndpoint") @DenyAll public Response denyAllEndpoint() throws Exception { Response.ResponseBuilder responseBuilder = Response.ok(); return responseBuilder.build(); }
@GET @Path("/denyAllEndpointWithRole") @DenyAll @RolesAllowed({Role.USER_READ_ONLY}) public Response denyAllEndpointWithRole() throws Exception { Response.ResponseBuilder responseBuilder = Response.ok(); return responseBuilder.build(); }
@DenyAll @RolesAllowed("Customer") public void withdraw(double amount) throws AccountBalanceException, SecurityException { if (balance - amount < 0) { ctx.setRollbackOnly(); throw new AccountBalanceException("There isn't enough money."); } else if (!ctx.isCallerInRole("EjbRoleCustomer")) { throw new SecurityException("Not authorized."); } else { Principal princ = ctx.getCallerPrincipal(); System.out.println("Somebody is withdrawing: " + princ.getName()); balance -= amount; } }
@Override public void filter(ContainerRequestContext requestContext) throws IOException { final ResourceMethodInvoker methodInvoker = (ResourceMethodInvoker) requestContext.getProperty("org.jboss.resteasy.core.ResourceMethodInvoker"); final Method method = methodInvoker.getMethod(); // Verifies if it isn't annotated with @PermitAll if (!method.isAnnotationPresent(PermitAll.class)) { if (method.isAnnotationPresent(DenyAll.class)) { LOGGER.info("Access denied!"); requestContext.abortWith(Response.status(Status.FORBIDDEN).entity(new User()).build()); } } }
private void checkLoggedIn(InvocationContext invocationContext) { LoggedIn loggedIn = AnnotationUtil.getAnnotation(invocationContext, LoggedIn.class); DenyAll denyAll = AnnotationUtil.getAnnotation(invocationContext, DenyAll.class); if (loggedIn != null || denyAll != null) { if(!identity.isLoggedIn()) { throw new NotLoggedInException(identity+" Not logged in"); } } }
@Override public void configure(final ResourceInfo resourceInfo, final FeatureContext configuration) { AnnotatedMethod am = new AnnotatedMethod(resourceInfo.getResourceMethod()); // DenyAll on the method take precedence over RolesAllowed and PermitAll if (am.isAnnotationPresent(DenyAll.class)) { configuration.register(new RolesAllowedRequestFilter()); return; } // RolesAllowed on the method takes precedence over PermitAll RolesAllowed ra = am.getAnnotation(RolesAllowed.class); if (ra != null) { configuration.register(new RolesAllowedRequestFilter(ra.value())); return; } // PermitAll takes precedence over RolesAllowed on the class if (am.isAnnotationPresent(PermitAll.class)) { // Do nothing. return; } // DenyAll can't be attached to classes // RolesAllowed on the class takes precedence over PermitAll ra = resourceInfo.getResourceClass().getAnnotation(RolesAllowed.class); if (ra != null) { configuration.register(new RolesAllowedRequestFilter(ra.value())); } }
@DenyAll @Path("/orders/{orderId}/") public Order getOrder(@PathParam("orderId") String orderId) { System.out.println("----invoking getOrder, Order id is: " + orderId); long idNumber = Long.parseLong(orderId); Order c = orders.get(idNumber); return c; }
/** * Sets path specifics * * @param annotations list of method annotations */ private void init(Annotation[] annotations) { for (Annotation annotation : annotations) { //log.info(annotation.toString()); if (annotation instanceof RouteOrder) { order(((RouteOrder) annotation).value()); } if (annotation instanceof Path) { path(((Path) annotation).value()); } if (annotation instanceof Produces) { produces(((Produces) annotation).value()); } if (annotation instanceof Consumes) { consumes(((Consumes) annotation).value()); } if (annotation instanceof javax.ws.rs.HttpMethod) { method(((javax.ws.rs.HttpMethod) annotation).value()); } if (annotation instanceof GET || annotation instanceof POST || annotation instanceof PUT || annotation instanceof DELETE || annotation instanceof HEAD || annotation instanceof OPTIONS) { method(annotation.annotationType().getSimpleName()); } // response writer ... if (annotation instanceof ResponseWriter) { writer = ((ResponseWriter) annotation).value(); } if (annotation instanceof RequestReader) { reader = ((RequestReader) annotation).value(); } if (annotation instanceof Blocking) { blocking = ((Blocking) annotation).value(); } if (annotation instanceof RolesAllowed) { permitAll = null; // override any previous definition roles = ((RolesAllowed) annotation).value(); } if (annotation instanceof DenyAll) { roles = null; // override any previous definition permitAll = false; } if (annotation instanceof PermitAll) { roles = null; // override any previous definition permitAll = true; } if (annotation instanceof CatchWith) { exceptionHandlers = ArrayUtils.join(((CatchWith) annotation).value(), exceptionHandlers); } } }
@DenyAll @GET @Path("deny") public Response deny() { return Response.ok().build(); }
@Override public void filter(final ContainerRequestContext requestContext) throws IOException { Method method = resourceInfo.getResourceMethod(); // @DenyAll on the method takes precedence over @RolesAllowed and @PermitAll if (method.isAnnotationPresent(DenyAll.class)) { throw new AccessDeniedException("You don't have permissions to perform this action."); } // @RolesAllowed on the method takes precedence over @PermitAll RolesAllowed rolesAllowed = method.getAnnotation(RolesAllowed.class); if (rolesAllowed != null) { performAuthorization(rolesAllowed.value(), requestContext); return; } // @PermitAll on the method takes precedence over @RolesAllowed on the class if (method.isAnnotationPresent(PermitAll.class)) { // Do nothing return; } // @DenyAll can't be attached to classes // @RolesAllowed on the class takes precedence over @PermitAll on the class rolesAllowed = resourceInfo.getResourceClass().getAnnotation(RolesAllowed.class); if (rolesAllowed != null) { performAuthorization(rolesAllowed.value(), requestContext); } // @PermitAll on the class if (resourceInfo.getResourceClass().isAnnotationPresent(PermitAll.class)) { // Do nothing return; } // Authentication is required for non-annotated methods if (!isAuthenticated(requestContext)) { throw new AccessDeniedException("Authentication is required to perform this action."); } }
@Override public void filter(ContainerRequestContext requestContext) { Method method = resourceInfo.getResourceMethod(); if (!method.isAnnotationPresent(PermitAll.class)) { if (method.isAnnotationPresent(DenyAll.class)) { requestContext.abortWith(ACCESS_FORBIDDEN); return; } //Get request headers final MultivaluedMap<String, String> headers = requestContext.getHeaders(); //Fetch authorization header final List<String> authorization = headers.get(AUTHORIZATION_PROPERTY); //If no authorization information present; block access if (authorization == null || authorization.isEmpty()) { requestContext.abortWith(ACCESS_DENIED); return; } //Get encoded username and password final String encodedUserPassword = authorization.get(0).replaceFirst(AUTHENTICATION_SCHEME + " ", ""); //Decode username and password String usernameAndPassword = new String(Base64.decode(encodedUserPassword.getBytes())); ; //Split username and password tokens final StringTokenizer tokenizer = new StringTokenizer(usernameAndPassword, ":"); final String username = tokenizer.nextToken(); final String password = tokenizer.nextToken(); //Verify user access if (method.isAnnotationPresent(RolesAllowed.class)) { RolesAllowed rolesAnnotation = method.getAnnotation(RolesAllowed.class); Set<String> rolesSet = new HashSet<String>(Arrays.asList(rolesAnnotation.value())); //Is user valid? if (!isUserAllowed(username, password, rolesSet)) { requestContext.abortWith(ACCESS_DENIED); return; } } } }
public void filter(ContainerRequestContext requestContext) throws IOException { ResourceMethodInvoker methodInvoker = (ResourceMethodInvoker) requestContext.getProperty("org.jboss.resteasy.core.ResourceMethodInvoker"); Method method = methodInvoker.getMethod(); //Access allowed for all if( ! method.isAnnotationPresent(PermitAll.class)) { //Access denied for all if(method.isAnnotationPresent(DenyAll.class)) { requestContext.abortWith(ACCESS_FORBIDDEN); return; } //Get request headers final MultivaluedMap<String, String> headers = requestContext.getHeaders(); //Fetch authorization header final List<String> authorization = headers.get(AUTHORIZATION_PROPERTY); //If no authorization information present; block access if(authorization == null || authorization.isEmpty()) { requestContext.abortWith(ACCESS_DENIED); return; } Subject subject = securityService.getSubject(); if (!subject.isAuthenticated()) { requestContext.abortWith(SERVER_ERROR); return; } //Verify user access if(method.isAnnotationPresent(RolesAllowed.class)) { boolean isAllowed = false; RolesAllowed rolesAnnotation = method.getAnnotation(RolesAllowed.class); Set<String> rolesSet = new HashSet<String>(Arrays.asList(rolesAnnotation.value())); //Is user allowed? for(String s : rolesSet) if(subject.hasRole(s)) { isAllowed = true; } if(!isAllowed) { requestContext.abortWith(ACCESS_DENIED); } } } }
private boolean isSecuredEl( AnnotatedElement element ) { return element.isAnnotationPresent( RelationCredibility.class ) || element .isAnnotationPresent( RolesAllowed.class ) || element.isAnnotationPresent( DenyAll.class ); }
@Override public void filter(ContainerRequestContext requestContext) throws IOException { ResourceMethodInvoker methodInvoker = (ResourceMethodInvoker) requestContext.getProperty("org.jboss.resteasy.core.ResourceMethodInvoker"); Method method = methodInvoker.getMethod(); //Access allowed for all if( ! method.isAnnotationPresent(PermitAll.class)) { //Access denied for all if(method.isAnnotationPresent(DenyAll.class)) { requestContext.abortWith(ACCESS_FORBIDDEN); return; } //Get request headers final MultivaluedMap<String, String> headers = requestContext.getHeaders(); //Fetch authorization header final List<String> authorization = headers.get(AUTHORIZATION_PROPERTY); //If no authorization information present; block access if(authorization == null || authorization.isEmpty()) { requestContext.abortWith(ACCESS_DENIED); return; } //Get user token final String userToken = authorization.get(0); DefaultUserService userService = DefaultUserService.getInstance(); User user = userService.getUser(userToken); if(user == null) { requestContext.abortWith(ACCESS_DENIED); return; } //Verifying Username and password System.out.println(user.getUserName()); System.out.println(user.getPassword()); //Verify user access if(method.isAnnotationPresent(RolesAllowed.class)) { RolesAllowed rolesAnnotation = method.getAnnotation(RolesAllowed.class); Set<String> rolesSet = new HashSet<String>(Arrays.asList(rolesAnnotation.value())); //Is user valid? if(!rolesSet.contains(user.getRole().name())) { requestContext.abortWith(ACCESS_DENIED); return; } } } }
@Override public void filter(ContainerRequestContext requestContext) { Method method = resourceInfo.getResourceMethod(); //Access allowed for all if (!method.isAnnotationPresent(PermitAll.class)) { //Access denied for all if (method.isAnnotationPresent(DenyAll.class)) { requestContext.abortWith(ACCESS_FORBIDDEN); return; } //Get request headers final MultivaluedMap<String, String> headers = requestContext .getHeaders(); //Fetch authorization header final List<String> authorization = headers.get( AUTHORIZATION_PROPERTY); //If no authorization information present; block access if (authorization == null || authorization.isEmpty()) { requestContext.abortWith(ACCESS_DENIED); return; } //Get encoded username and password final String encodedUserPassword = authorization.get(0) .replaceFirst(AUTHENTICATION_SCHEME + " ", ""); //Decode username and password String usernameAndPassword = new String(Base64.decode( encodedUserPassword.getBytes())); //Split username and password tokens final StringTokenizer tokenizer = new StringTokenizer( usernameAndPassword, ":"); final String username = tokenizer.nextToken(); final String password = tokenizer.nextToken(); //Verifying Username and password //System.out.println(username); //System.out.println(password); //Verify user access if (method.isAnnotationPresent(RolesAllowed.class)) { RolesAllowed rolesAnnotation = method.getAnnotation( RolesAllowed.class); Set<String> rolesSet = new HashSet<String>(Arrays.asList( rolesAnnotation.value())); //Is user valid? if (!isUserAllowed(username, password, rolesSet)) { requestContext.abortWith(ACCESS_DENIED); return; } } } }
@DenyAll public void deniedMethod() { //NOOP }
@DenyAll @GET @Path("denied") public String denied() { return "denied"; }
@Override public void configure(final ResourceInfo resourceInfo, final FeatureContext configuration) { Method am = resourceInfo.getResourceMethod(); Authenticated authenticated = am.getAnnotation(Authenticated.class); if (authenticated == null) { authenticated = resourceInfo.getResourceClass().getAnnotation(Authenticated.class); } String system = authenticated == null ? null : authenticated.value(); // DenyAll on the method take precedence over RolesAllowed and PermitAll if (am.isAnnotationPresent(DenyAll.class)) { configuration.register(new RolesAllowedRequestFilter(Objects.requireNonNull(system, "@Permissions found on " + am + " but no @Authenticated found"))); return; } // RolesAllowed on the method takes precedence over PermitAll RolesAllowed ra = am.getAnnotation(RolesAllowed.class); if (ra != null) { configuration.register(new RolesAllowedRequestFilter( Objects.requireNonNull(system, "@Permissions found on " + am + " but no @Authenticated found"), ra.value())); return; } // PermitAll takes precedence over RolesAllowed on the class if (am.isAnnotationPresent(PermitAll.class)) { // Do nothing. return; } // DenyAll can't be attached to classes // RolesAllowed on the class takes precedence over PermitAll ra = resourceInfo.getResourceClass().getAnnotation(RolesAllowed.class); if (ra != null) { configuration.register(new RolesAllowedRequestFilter( Objects.requireNonNull(system, "@Permissions found on " + am + " but no @Authenticated found"), ra.value())); } }
@Override public void filter(ContainerRequestContext requestContext) { ResourceMethodInvoker methodInvoker = (ResourceMethodInvoker) requestContext .getProperty("org.jboss.resteasy.core.ResourceMethodInvoker"); Method method = methodInvoker.getMethod(); // Access allowed for all if (!method.isAnnotationPresent(PermitAll.class)) { // Access denied for all if (method.isAnnotationPresent(DenyAll.class)) { requestContext.abortWith(ACCESS_FORBIDDEN); return; } // Get request headers final MultivaluedMap<String, String> headersMap = requestContext.getHeaders(); // Fetch authorization header final List<String> authorization = headersMap.get(AUTHORIZATION_PROPERTY); // If no authorization information present; block access if (authorization == null || authorization.isEmpty()) { requestContext.abortWith(ACCESS_DENIED); return; } // Get encoded username and password final String encodedUserPassword = authorization.get(0).replaceFirst(AUTHENTICATION_SCHEME + " ", ""); // Decode username and password String usernameAndPassword = new String(Base64.decodeBase64(encodedUserPassword)); // Split username and password tokens final StringTokenizer tokenizer = new StringTokenizer(usernameAndPassword, ":"); final String username = tokenizer.nextToken(); final String password = tokenizer.nextToken(); // Verify user access if (method.isAnnotationPresent(RolesAllowed.class)) { RolesAllowed rolesAnnotation = method.getAnnotation(RolesAllowed.class); Set<String> rolesSet = new HashSet<String>(Arrays.asList(rolesAnnotation.value())); // Is user valid? if (!isUserAllowed(username, password, rolesSet)) { requestContext.abortWith(ACCESS_DENIED); return; } } } }
@Override public void filter(ContainerRequestContext requestContext) { ResourceMethodInvoker methodInvoker = (ResourceMethodInvoker) requestContext .getProperty(RESOURCE_METHOD_INVOKER); Method method = methodInvoker.getMethod(); // Access allowed for all if (!method.isAnnotationPresent(PermitAll.class)) { // Access denied for all if (method.isAnnotationPresent(DenyAll.class)) { requestContext.abortWith(ACCESS_FORBIDDEN); return; } // Get request headers final MultivaluedMap<String, String> headersMap = requestContext.getHeaders(); // Fetch authorization header final List<String> authorizationList = headersMap.get(AUTHORIZATION_PROPERTY); // If no authorization information present; block access if (authorizationList == null || authorizationList.isEmpty()) { requestContext.abortWith(ACCESS_DENIED); return; } // Get encoded username and password final String encodedUserPassword = authorizationList.get(0).replaceFirst(AUTHENTICATION_SCHEME + " ", ""); // Decode username and password String usernameAndPassword = new String(Base64.decodeBase64(encodedUserPassword)); // Split username and password tokens final StringTokenizer tokenizer = new StringTokenizer(usernameAndPassword, ":"); final String userName = tokenizer.nextToken(); final String password = tokenizer.nextToken(); // Verify user access if (method.isAnnotationPresent(RolesAllowed.class)) { RolesAllowed rolesAnnotation = method.getAnnotation(RolesAllowed.class); Set<String> rolesSet = new HashSet<String>(Arrays.asList(rolesAnnotation.value())); // Is user valid? if (!isUserAllowed(userName, password, rolesSet)) { requestContext.abortWith(ACCESS_DENIED); return; } } } }