Did a bit of refactoring of the SPIs to improve generics support, among other bug fixes. A side effect of this is that there is now a programmatic interface that allows you to register un-annotated resource classes. Also bumped Jackson to 1.9.12 and added an additional Jackson2 provider. See docs for more details.
April 10, 2013
See jboss.org/resteasy for relevant links for downloads/documentation.
3.0-beta-4 is our last beta! Everything should be implemented. JAX-RS 2.0 Final is being voted on in the JCP. We’ll be obtaining the TCK soon and starting work on getting certified. There’s also some architectural work that needs to be finished for 3.0. We’ll have a short RC release sometime in May, then a 3.0 Final Release early June.
2.3.6 is just a maintenance release.
February 7, 2013
Resteasy 3.0-beta-3 has been released. Follow the links from our main jboss.org page to download and view the documentation. Here are the highlights:
- The latest and greatest from the master branch of the JAX-RS 2.0 spec. Many of the client builder SSL changes I introduced in 3.0-beta-2 have made it into the spec. Thanks Marek for giving the thumbs up on them.
- There are a few minor features of JAX-RS 2.0 we don’t have implemented yet. You’ll get a NotImplementedYetException if you invoke them.
Next I’ll be focusing on my book, implementing our missing features, refactoring, and general test coverage.
January 24, 2013
Resteasy 3.0-beta-2 has been released. Follow the links from our main jboss.org page to download and view the documentation. Here are the highlights:
- Added a new ResteasyClientBuilder class to make it easier to create HTTPS/SSL connections on the client side
- Extensive work on OAuth 2.0 support including tight AS7 integration.
- Turn an existing servlet-form-auth-based web application into an OAuth 2.0 provider.
- Provide Distributed Single-Sign-On (SSO) from a central authentication server. Log in once, and you can securely access any browser-based app configured to work in the domain.
- Provide Distributed Logout. Following one link from any application can log you out of all your distributed applications configured to use SSO.
- Web apps can interact securely with any remote restful service by forwarding access tokens through the standard Authorization header.
- Access tokens are digitally signed by the oauth2 framework and can be used to access any service configured to work in the domain. The tokens contain both identity and role mapping information. Because they are digitally signed, there’s no need to overload the central authentication server with each request to verify identity and to determine permissions.
What’s next for Resteasy? Next release I’ll be focusing on getting it up to date with the latest JAX-RS 2.0 snapshot. I also have to get started on my O’Reilly book.
November 21, 2012
I’ve been heavily prototyping a security solution for Resteasy code named Resteasy Skeleton Key. The solution has the following requirements:
- Central auth server
- Works with browsers.
- Works with machine clients (code).
- Single sign-on solution for simple web apps
- Granting permission to third-parties to access your resources.
- Maps well to the role-based security model of Java EE
- Optional client certificate support for increased security
- Supports SOA. Distributed applications that have complex interactions between different services.
- Cloud-ready authentication server/identity server.
- Integrates tightly and seamlessly with JBoss AS7
You can take a look at my code as it progresses. Here’s generally what I’m doing:
- OAuth Bearer Token authentication for machine-based clients.
- Bearer token will be our own extension to JSON Web Token (JWT).
- Bearer tokens will be distributed using JSON Web Signature (JWS).
- Bearer tokens are issued for a user and also define the roles allowed for each distributed resource a user might interact with.
- OAuth 2.0 and our bearer token implementation will be used to provide browser single-sign-on.
- OAuth 2.0 and our bearer tokens will be used to provide browser authenticated third-party access grants. (What OAuth2 was actually designed to do).
- Client certificates can be required at any authentication point depending on how you configure things. Browser to IDP, Browser to resource, client to resource.
- Implementing an Authentication Server to support all this.
As of 11/21/2012, I have implemented a JAX-RS friendly JWS implementation. I have specced out and implemented our bearer tokens. I’ve written a LoginModule for AS7 that can perform OAuth2 Bearer token authentication using our bearer token format and JWS. The token format allows you to require SSL with client certificates. If you have this enabled, it also supports the idea of a surrogate, that is, one principal performing a request on behalf of a specific user. Finally, I’ve started to scope out and implement an Identity/Authentication server to support all this stuff. This isn’t complete yet. I’ll document this stuff in more detail as I get closer to a beta release.
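As an added illustration (not Skeleton Key's code or its token format), this JDK-only Java example shows why a JWS-signed bearer token carrying identity and per-resource roles can be checked by a resource server with nothing but the auth server's public key, and why editing the roles breaks the token. The class name, the claim names `principal` and `resource_access`, and the choice of RS256 are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;

// Added illustration: RS256 compact JWS using only the JDK. Claim names are assumed.
public class SignedRoleTokenDemo {
    static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    static final Base64.Decoder DEC = Base64.getUrlDecoder();
    static final String HEADER = "{\"alg\":\"RS256\"}";

    static String b64(String s) { return ENC.encodeToString(s.getBytes(StandardCharsets.UTF_8)); }

    // Auth server side: sign "header.payload" with the private key.
    static String issue(PrivateKey key, String claimsJson) throws GeneralSecurityException {
        String signingInput = b64(HEADER) + "." + b64(claimsJson);
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(signingInput.getBytes(StandardCharsets.US_ASCII));
        return signingInput + "." + ENC.encodeToString(s.sign());
    }

    // Resource server side: holds only the public key; returns the claims or throws.
    static String verify(PublicKey key, String token) throws GeneralSecurityException {
        String[] p = token.split("\\.");
        if (p.length != 3) throw new SignatureException("malformed token");
        // Pin the algorithm: the token's header must not choose how it is verified.
        String header = new String(DEC.decode(p[0]), StandardCharsets.UTF_8);
        if (!header.equals(HEADER)) throw new SignatureException("unexpected alg");
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(key);
        s.update((p[0] + "." + p[1]).getBytes(StandardCharsets.US_ASCII));
        if (!s.verify(DEC.decode(p[2]))) throw new SignatureException("bad signature");
        return new String(DEC.decode(p[1]), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        KeyPair authServer = g.generateKeyPair();
        // Constructed sample claims: identity plus the roles allowed per resource.
        String claims = "{\"principal\":\"alice\",\"resource_access\":{\"orders\":[\"user\"]}}";
        String token = issue(authServer.getPrivate(), claims);
        System.out.println("verified claims: " + verify(authServer.getPublic(), token));

        // Tampering: swap in a payload that grants admin but keep the old signature.
        String[] p = token.split("\\.");
        String forged = p[0] + "." + b64(claims.replace("user", "admin")) + "." + p[2];
        try {
            verify(authServer.getPublic(), forged);
            System.out.println("forged token accepted (should not happen)");
        } catch (SignatureException e) {
            System.out.println("forged token rejected: " + e.getMessage());
        }
    }
}
```

Roles should be read from the claims only after `verify` returns, and a real deployment would also check expiry and audience, which this example leaves out.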
Relationship to Picketlink
The plan is to take this prototype and eventually work with the Picketlink project somehow later on. Either just to funnel requirements, use parts of picketlink, share code, or even have them fully take it over. The prototype will be fully functional, but will not have many persistence options or a management UI. There will be a REST management interface though. Whether or not a UI is introduced will be dependent on what the relationship with Picketlink ends up being.
October 30, 2012
Now that JAX-RS 2.0 is in Public Draft and has stabilized a bit, API-wise, we finally released Resteasy 3.0 Beta 1. This release implements almost all of the features defined in the JAX-RS 2.0 Public Draft. Many of the key features in Resteasy 2.x have now been standardized in JAX-RS 2.0. There’s a new client API which is similar to (actually better than) the current Resteasy 2.x client API. Interceptors have been added to the spec. You’ll find that they map very closely to Resteasy’s. I pushed really hard for this. Finally, there are the async HTTP APIs. Also very similar to Resteasy’s. All in all, if you’re using some of these features currently within Resteasy, you shouldn’t have many problems migrating to the JAX-RS 2.0 equivalent APIs. The only thing we’re missing is the client proxy support, but I couldn’t get other experts to agree it was a good idea to add.
This beta has a few JAX-RS 2.0 examples with the distribution. The Resteasy documentation regarding JAX-RS 2.0 isn’t where I want it yet, but we’ll get there as we get closer to a final release of 3.0. To learn some of the new features, it may be best to take a look at some of the features within Resteasy that take advantage of these APIs. I’ve linked them all below.
- Intro to JAX-RS 2.0 Article
- JAX-RS 2.0 Public Draft Specification
- Resteasy 3.0-beta-1 Download
- Resteasy 3.0-beta-1 Docs
- Resteasy 3.0 client cache implementation code (to see how filters and interceptors work on client side)
- Doseta digital signature headers (good use case for interceptors)
- File suffix content negotiation implementation (server-side filter example)
- Other server-side examples (cache-control annotations, gzip encoding, role-based security)
October 22, 2012
After a bit of delay, Resteasy 2.3.5 is finally out. It is pretty much a maintenance release. I want to thank Ron Sigal and Wei Nan Li. They did almost all the work for this release (minus patches submitted by users). Resteasy 3.0 beta later this week!
May 29, 2012
About 20+ issues fixed and implemented. Some highlights:
- Netty integration. Thanks to Norman Maurer
- Expanded Atom support for extension elements. Thanks to Kurt Stam
- O’Reilly examples implemented on top of JBoss AS7
- Zip patch that allows you to patch JBoss AS7 with latest Resteasy release
- Expanded support for @Form that allows prefixed/indexed @FormParam and also collections. (Docs are clearer on this). Thanks Maarten Winkel
Follow links from main Resteasy page to get to docs, downloads, and release notes.
May 21, 2012
I’ve extracted some of the build files from AS7 to create a maven project that can create a modules/ directory structure for Resteasy. I wanted this so that people can easily patch/upgrade AS7 to the latest resteasy release. It should be fairly easy to use the project as an archetype if you want to do it for other things.
May 1, 2012
A bunch of bug fixes. Also added a couple new features:
- A few people were asking for a servlet-free embedded HTTP engine. Integration with Sun JDK’s com.sun.net.HttpServer was added. See documentation for more details. Support for different HTTP engines is in the works.
- Support for some more formats of the Atom Publishing Protocol. Thanks to contribution from Kurt Stam.
Links to release notes, downloads, and documentation are available from the main Resteasy Web Page.