Resteasy 3.0-beta-4 and 2.3.6.Final Released

1 Comment

See for relevant links for downloads/documentation.

3.0-beta-4 is our last beta!  Everything should be implemented.  JAX-RS 2.0 Final is being voted on in the JCP.  We’ll be obtaining the TCK soon and starting work on getting certified.  There’s also some architectural work that needs to be finished for 3.0.  We’ll have a short RC release sometime in May, then a 3.0 Final Release early June.

2.3.6 is just a maintenance release.

Resteasy 3.0-beta-3 – Latest Spec Updates

1 Comment

Resteasy 3.0-beta-3 has been released.  Follow the links from our main page to download and view the documentation.  Here are the highlights:

  • The latest and greatest from the master branch of the JAX-RS 2.0 spec.  Many of the client builder SSL changes I introduced in 3.0-beta-2 have made it into the spec.  Thanks Marek for giving the thumbs up on them.
  • There are a few minor features of JAX-RS 2.0 we don’t have implemented yet.  You’ll get a NotImplementedYetExceptoin if you invoke them.

Next I’ll be focusing on my book, implementing our missing features, refactoring, and general test coverage.


Resteasy 3.0-beta-2 Released with New OAuth 2.0 Features


Resteasy 3.0-beta-2 has been released.  Follow the links from our main page to download and view the documentation.  Here are the highlights:

  • Added a new ResteasyClientBuilder class to make it easier to create HTTPS/SSL connections on the client side
  • Extensive work on OAuth 2.0 support including tight AS7 integration.

You can find out more about our OAuth 2.0 stuff here, and the distribution comes with an extensive example.  Here’s the overall features of it:

  • Turn an existing servlet-form-auth-based web application into an OAuth 2.0 provider.
  • Provide Distributed Single-Sign-On (SSO) from a central authentication server. Log in once, and you can securely access any browser-based app configured to work in the domain.
  • Provide Distributed Logout. Following one link from any application can log you out of all your distributed applications configured to use SSO.
  • Web apps can interact securely with any remote restful service by forwarding access tokens through the standard Authorization header.
  • Access tokens are digitally signed by the oauth2 framework and can be used to access any service configured to work in the domain. The tokens contain both identity and role mapping information. Because they are digitally signed, there’s no need to overload the central authentication server with each request to verify identity and to determine permissions.

What’s next for Resteasy?  Next release I’ll be focusing on getting it up to date with the latest JAX-RS 2.0 snapshot.  I also have to get started on my O’Reilly book.

Scoping out Resteasy Skeleton Key Security

Leave a comment

I’ve been heavily prototyping a security solution for Resteasy code named Resteasy Skeleton Key. The solution has the following requirements:

  • Central auth server
  • Works with browsers.
  • Works with machine clients (code).
  • Single sign-on solution for simple web apps
  • Granting permission to third-parties to access your resources.
  • Maps well to the role-based security model of Java EE
  • Optional client certificate support for increased security
  • Supports SOA.  Distributed applications that have complex interactions between different services.
  • Cloud-ready authentication server/identity server.
  • Integrate tightly and seemlessly to JBoss AS7


The Implementation

You can take a look at my code as it progresses.  Here’s generally what I’m doing:

  • OAuth Bearer Token authentication for machine-based clients.
  • Bearer token will be our own extension to Json Web Token (JWT).
  • Bearer tokens will be distributed using  Json Web Signatures (JWS)
  • Bearer tokens are issued for a user and also define role allowed for each distributed resource a user might interact with.
  • OAuth 2.0 and our bearer token implementation will be used to provide browser single-sign-on.
  • Oauth 2.0 and our bearer tokens will be used to provide browser authenticated third-party access grants.  (What OAuth2 was actually designed to do).
  • Client certificates can be  required at any authentication point depending on how you configure things.  Browser to IDP, Browser to resource, client to resource.
  • Implementing an Authentication Server to support all this.

As of 11/21/2012, I have implemented a JAX-RS friendly JWS implementation.  I have speced out and implemented our bearer tokens.  I’ve written a LoginModule for AS7 that can perform OAuth2 Bearer token authentication using our bearer token format and JWS.  Token format allows you to require SSL with client-certificates.  If you have this enabled, it also supports the idea of a surrogate, that is, one principal performat a request on behalf of a specific user.  Finally, I’ve started to scope out and implement an Identity/Authentication server to support all this stuff.  This isn’t complete yet.  I’ll document this stuff in more detail as I get closer to a beta release.


Relationship to Picketlink

The plan is to take this prototype and eventually work with the Picketlink project somehow later on.  Either just to funnel requirements, use parts of picketlink, share code, or even have them fully take it over.  The prototype will be fully functional, but will not have many persistence options or a management UI.  There will be a REST management interface though.  Whether or not a UI is introduced will be dependent on what the relationship with Picketlink ends up being.


Resteasy 3.0 Beta 1, JAX-RS 2.0 Preview


Now that JAX-RS 2.0 is in Public Draft and has stabilized a bit, API-wise, we finally released Resteasy 3.0 Beta 1.  This release implements almost all of the features defined in the JAX-RS 2.0 Public Draft.  Many of the key features in Resteasy 2.x have now been standardized in JAX-RS 2.0.  There’s a new client API which is similar (actually better) than the current Resteasy 2.x client API.  Interceptors have been added to the spec.  You’ll find that they map very closely to Resteasy’s.  I pushed really hard for this.  Finally, there’s the async HTTP apis.  Also very similar to Resteasy’s.  All and all, if you’re using some of these features currently within Resteasy, you shouldn’t have much problems migrating to the JAX-RS 2.0 equivalent APIs.  The only thing we’re missing is the client proxy support, but I couldn’t get other experts to agree it was a good idea to add. 😦

This beta has a few JAX-RS 2.0 examples with the distribution.  The Resteasy documentation regarding JAX-RS 2.0 isn’t where I want it yet, but we’ll get there as we get closer to a final release of 3.0.  To learn some of the new features, it may be best to take a look at some of the features within Resteasy that take advantage of these APIs.  I’ve linked them all below.

Resteasy 2.3.5 Released


After a bit of delay, Resteasy 2.3.5 is finally out.  It is pretty much a maintenance release.  I want to thank Ron Sigal and Wei Nan Li.  They did almost all the work for this release (minus patches submitted by users).  Resteasy 3.0 beta later this week!

Go to Resteasy website for links on how to download, you can check out the release notes too.

Resteasy 2.3.4 Released

Leave a comment

About 20+ issues fixed and implemented.  Some highlights:

  • Netty integration.  Thanks to Norman Maurer
  • Expanded Atom support for extension elements.  Thanks to Kurt Stam
  • O’Reilly examples implemented on top of JBoss AS7
  • Zip patch that allows you to patch JBoss AS7 with latest Resteasy release
  • Expanded support for @Form that allows prefixed/indexed @FormParam and also collections.  (Docs are clearer on this). Thanks Maarten Winkel

Follow links from main Resteasy page to get to docs, downloads, and release notes.


Older Entries Newer Entries

%d bloggers like this: