Document how to use Jersey with Spring Security's method security

wilkinsona · wilkinsona · commit 0c55c54cb716 · 2018-05-15T10:10:19.000+01:00
Closes gh-12995
diff --git a/spring-boot-docs/src/main/asciidoc/howto.adoc b/spring-boot-docs/src/main/asciidoc/howto.adoc
@@ -1485,6 +1485,30 @@ that is compatible with Thymeleaf 3.0.
 
 
 
+[[howto-jersey]]
+== Jersey
+
+
+
+[[howto-jersey-spring-security]]
+=== Secure Jersey endpoints with Spring Security
+Spring Security can be used to secure a Jersey-based web application in much the same
+way as it can be used to secure a Spring MVC-based web application. However, if you want
+to use Spring Security's method-level security with Jersey, you must configure Jersey to
+use `setStatus(int)` rather `sendError(int)`. This prevents Jersey from committing the
+response before Spring Security has had an opportunity to report an authentication or
+authorization failure to the client.
+
+The `jersey.config.server.response.setStatusOverSendError` must be set to `true` on the
+application's `ResourceConfig` bean, as shown in the following example:
+
+[source,java,indent=0]
+----
+include::{code-examples}/jersey/JerseySetStatusOverSendErrorExample.java[tag=resource-config]
+----
+
+
+
 [[howto-http-clients]]
 == HTTP clients
 
diff --git a/spring-boot-docs/src/main/java/org/springframework/boot/jersey/JerseySetStatusOverSendErrorExample.java b/spring-boot-docs/src/main/java/org/springframework/boot/jersey/JerseySetStatusOverSendErrorExample.java
@@ -0,0 +1,53 @@
+/*
+ * Copyright 2012-2018 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.boot.jersey;
+
+import java.util.Collections;
+
+import javax.servlet.http.HttpServletResponse;
+
+import org.glassfish.jersey.server.ResourceConfig;
+
+import org.springframework.stereotype.Component;
+
+/**
+ * Example configuration for a Jersey {@link ResourceConfig} configured to use
+ * {@link HttpServletResponse#setStatus(int)} rather than
+ * {@link HttpServletResponse#sendError(int)}.
+ *
+ * @author Andy Wilkinson
+ */
+public class JerseySetStatusOverSendErrorExample {
+
+	// tag::resource-config[]
+	@Component
+	public class JerseyConfig extends ResourceConfig {
+
+		public JerseyConfig() {
+			register(Endpoint.class);
+			setProperties(Collections.singletonMap(
+					"jersey.config.server.response.setStatusOverSendError", true));
+		}
+
+	}
+	// end::resource-config[]
+
+	static class Endpoint {
+
+	}
+
+}
