RESTEasy Security Checking

For some methods we want to check security before executing it. For example, to clean the history we want to assure that a specific user can do this. Of course we could do this using Jaas or some application server built in mechanism. In this case we will use an interceptor that will check the presence of a parameter in the request and validate it against a fixed String.

package org.mastertheboss.resteasy.resources.interceptors;

import java.lang.reflect.Method;


import org.jboss.resteasy.annotations.interception.ServerInterceptor;
import org.jboss.resteasy.core.Headers;
import org.jboss.resteasy.core.ResourceMethod;
import org.jboss.resteasy.core.ServerResponse;
import org.jboss.resteasy.spi.Failure;
import org.jboss.resteasy.spi.HttpRequest;
import org.jboss.resteasy.spi.interception.AcceptedByMethod;
import org.jboss.resteasy.spi.interception.PreProcessInterceptor;

public class SecurityInterceptor implements PreProcessInterceptor,
        AcceptedByMethod {

    public boolean accept(Class c, Method m) {
        return m.getName().equals("clearAll");

    public ServerResponse preProcess(HttpRequest request, ResourceMethod method)
            throws Failure, WebApplicationException {
        ServerResponse response = null;

        String username = request.getFormParameters().get("username").get(0);
        // very simple security validation
        if (username == null || username.isEmpty()) {
            response = new ServerResponse(
                    "To access this method you need to inform an username",
                    401, new Headers<Object>());
        } else if (!"john".equals(username)) {
            response = new ServerResponse("User \"" + username
                    + "\" is not authorized to access this method.", 403,
                    new Headers<Object>());
        return response;

The logic of the interceptor is simple, we just create a server response according the content of the parameter “username”.

Running the code

You can download the attached a Maven project which contains the interceptors described in this article. You can build the code using the command mvn clean install and deploy it in JBoss AS 7. When you access the root context of this application it will be displayed a very simple HTML page aimed to test the JAX-RS methods we demonstrated.

JSR-339 is the specification for the second version of the “Java API for RESTful Web Services”. This new version of the JAX-RS API is covering Interceptors and Filters, but this specification is still in development. It’s possible to know more about this accessing the JSR 339 home page.
RESTEasy 3.0 will implement JAX-RS 2.0.


In this article we presented the RESTEasy interceptors model using a simple example. We also pointed that JAX-RS 2.0 will contain interceptors and filters, freeing us of implementations’ solutions. You can know more about RESTEasy in the project page.