Access Control


Authentication in your Limberest service is enforced by overriding isAuthenticationRequired(). Here’s how the limberest-demo MoviesService requires authentication for all HTTP methods except GET:

    public boolean isAuthenticationRequired(Request<JSONObject> request) {
        return request.getMethod() != HttpMethod.GET;


Authorization is governed by getRolesAllowedAccess(). MovieService requires the role “Deleters” in order to perform a DELETE operation.

    public List<String> getRolesAllowedAccess(Request<JSONObject> request) {
        if (request.getMethod() == HttpMethod.DELETE) {
            List<String> roles = new ArrayList<>();
            return roles;
        return null; // access is not restricted for other operations

This combination means that in limberest-demo, user credentials are not required to retrieve movies, but they are required to create, update or delete. Furthermore, even authenticated users require membership in the “Deleters” role to be able to delete a movie.

Tomcat Setup

The user named regular in the following tomcat-users.xml sample is able to create and update movies in limberest-demo, but is prohibited from deleting movies.

<tomcat-users version="1.0" xmlns=""
  xsi:schemaLocation=" tomcat-users.xsd">
  <role rolename="Deleters"/>
  <user username="deleter" password="iamdeleter" roles="Deleters"/>
  <user username="regular" password="norolesforme" />

With this setup, only user deleter is allowed to delete.

Next Topic: Configuration