How to Secure RESTful Web Services with Jakarta EE Authentication

This tutorial demonstrates how to protect a RESTful web service using Jakarta EE Authentication.

Prepare the Development Environment

Install JDK 11 or newer (tested with JDK 11 and 17).

Install a Jakarta EE‑compatible application server (e.g., WildFly).

Install Maven 3 or newer (SDKMan can be used for installation).

Create a New Project with Jakarta EE Eclipse Starter

Visit https://start.jakarta.ee and select the desired Jakarta EE version (8, 9.1, or 10) and profile (Platform or Web/Core).

Choose Jakarta EE 10 Platform, Java SE 11, and WildFly as the runtime.

Generate the project, which provides a Maven wrapper and sample code.

Project Structure

.
├── README.md
├── mvnw
├── mvnw.cmd
├── pom.xml
└── src
    └── main
        ├── java
        │   └── org
        │       └── eclipse
        │           └── jakarta
        │               └── hello
        │                   ├── Hello.java
        │                   └── HelloWorldResource.java
        └── webapp
            ├── WEB-INF
            │   └── web.xml
            ├── images
            │   └── jakartaee_logo.jpg
            └── index.html

Run the application with the Maven wrapper (Unix) or Maven directly:

$ chmod +x mvnw
$ ./mvnw clean package wildfly:run

$ mvn clean package wildfly:run

Access the service at http://localhost:8080/jakartaee-hello-world.

Configure Jakarta Authentication

Add a security constraint, login configuration, and security role to web.xml to enable HTTP Basic authentication for the /rest/* path:

<security-constraint>
   <web-resource-collection>
      <web-resource-name>Protected REST Service</web-resource-name>
      <url-pattern>/rest/*</url-pattern>
   </web-resource-collection>
   <auth-constraint>
      <role-name>user</role-name>
   </auth-constraint>
</security-constraint>
<login-config>
   <auth-method>BASIC</auth-method>
   <realm-name>ApplicationRealm</realm-name>
</login-config>
<security-role>
   <role-name>user</role-name>
</security-role>

The constraint defines which URLs are protected, the auth‑constraint limits access to the user role, and the login‑config sets BASIC authentication with the realm ApplicationRealm.

Authorization Annotations

@RolesAllowed("user")

– permits only the user role. @DenyAll – denies all roles. @PermitAll – allows all roles. @RunAs – runs the method under a specified security identity.

Apply @RolesAllowed("user") to the REST resource method:

@Path("hello")
public class HelloWorldResource {
   @GET
   @RolesAllowed("user")
   @Produces({ MediaType.APPLICATION_JSON })
   public Hello hello(@QueryParam("name") String name) {
      if (name == null || name.trim().isEmpty()) {
         name = "world";
      }
      return new Hello(name);
   }
}

Define Users and Roles in WildFly

In an embedded WildFly setup, the property files are located under target/server/standalone/configuration: application-users.properties – stores usernames and hashed passwords. application-roles.properties – maps users to roles.

Use the add-user.sh (or add-user.bat on Windows) script to create a new application user:

$ ./add-user.sh
What type of user do you wish to add?
  a) Management User (mgmt-users.properties)
  b) Application User (application-users.properties)
(a): b
Enter the details of the new user to add.
Using realm 'ApplicationRealm' as discovered from the existing property files.
Username : your_username
Password : your_password
Re-enter Password : your_password
What roles do you want this user to belong to? [...] : your_role

Replace your_username, your_password, and your_role with actual values. Restart WildFly after adding the user.

Test the Protected Service

Without credentials, a curl request returns 401 Unauthorized:

$ curl -v http://localhost:8080/jakartaee-hello-world/rest/hello
... HTTP/1.1 401 Unauthorized ...

Provide the credentials to obtain the JSON response:

$ curl --user username:password http://localhost:8080/jakartaee-hello-world/rest/hello
{ "hello": "world" }

Conclusion

You have learned how to secure a Jakarta EE RESTful service using HTTP Basic authentication, configure security constraints in web.xml, define users and roles in WildFly, and test the protection with curl. In production, store credentials in a database or LDAP and use HTTPS for transport security.