Java Servlet Container managed security

All Web servers and Java Servlet Containers provide a security infrastructure that gives every deployed Web application consistent, shared identity management. Each Web application contains a deployment descriptor file that can be edited to declare its specific security requirements to the Java container. As the Web application runs in the container, the declared policy is used to authenticate users and to authorize their access to the resources that make up the Web service. These security constraints can specify the type of user authentication and what user role membership is required before the container will grant access to the application's URI space.
The resulting authenticated user-id and roles are then supplied to the REST application's security layer for fine-grained URI and method authorization to individual REST resources. In this way the production administrator can choose the strength of user authentication and coordinate it across all deployed Web applications.
The production administrator configures user authentication and role membership in the REST application's deployment descriptor in order to share the same user accounts and authentication mechanism across all Web applications hosted in the Java container.
A template security configuration will be included in the REST manager and adapter that will simplify using Java container security. See the Java Servlet Specification and your Java container documentation for more details on implementing security for REST applications.
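
The following added example is not the OpenEdge template or any Progress code. It audits the container-managed security elements that the Java Servlet Specification defines for a deployment descriptor (`security-constraint`, `login-config`, `security-role`), comparing a weak descriptor with a corrected one. The URL pattern, role name and realm name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed descriptor fragment; URL pattern, role and realm names are assumptions.
WEAK = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>rest</web-resource-name>
      <url-pattern>/rest/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>RestUser</role-name></auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>ExampleRealm</realm-name>
  </login-config>
</web-app>"""

# Corrected form: constraint covers every method, requires TLS, and declares the role.
HARDENED = (WEAK.replace("      <http-method>GET</http-method>\n", "")
    .replace("</auth-constraint>", "</auth-constraint>\n    <user-data-constraint>"
             "<transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>")
    .replace("</login-config>", "</login-config>\n  <security-role>"
             "<role-name>RestUser</role-name></security-role>"))

def audit(xml_text):
    """Return findings for the container-managed security declared in a web.xml."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        el.tag = el.tag.split("}")[-1]  # strip the XML namespace from tag names
    findings = []
    auth = root.findtext("login-config/auth-method")
    if auth is None:
        findings.append("no login-config/auth-method declared")
    declared = {r.text for r in root.findall("security-role/role-name")}
    for sc in root.findall("security-constraint"):
        urls = ",".join(u.text for u in sc.iter("url-pattern"))
        if sc.find("auth-constraint") is None:
            findings.append(f"{urls}: no auth-constraint, so no role is required")
        for role in sc.findall("auth-constraint/role-name"):
            if role.text not in declared | {"*"}:
                findings.append(f"{urls}: role {role.text} has no security-role entry")
        if sc.find("web-resource-collection/http-method") is not None:
            findings.append(f"{urls}: http-method listed, other methods are unconstrained")
        if sc.findtext("user-data-constraint/transport-guarantee") != "CONFIDENTIAL":
            findings.append(f"{urls}: {auth} credentials may cross plain HTTP")
    return findings

if __name__ == "__main__":
    for name, doc in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(doc) or "no findings")
```

The `http-method` finding matters for REST services in particular: a constraint that names methods applies only to those methods, so a constraint listing only `GET` leaves `PUT`, `POST` and `DELETE` on the same URL pattern outside container authentication.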