Rexster Security

spmallette edited this page Dec 12, 2012 · 7 revisions

Rexster supports a simple authentication model allowing configuration through rexster.xml. The model is extensible to allow Rexster users to plug-in their own security implementations with relative ease. The authentication process extends across all aspects of Rexster to include REST, Dog House and Rexster Console access.

From a REST and Dog House perspective, Rexster supports Basic Authentication with the default configuration:

To make a REST API call to Rexster with authentication turned on:
curl -H "Authorization:Basic cmV4c3RlcjpyZXhzdGVy" http://localhost:8182/graphs

To prepare the request above, the user name is appended with a colon and concatenated with the password. The resulting string is encoded with the Base64 algorithm. For example, given the user name rexster and password rexster, the string rexster:rexster is Base64 encoded, resulting in cmV4c3RlcjpyZXhzdGVy. In the case of Dog House, the browser will produce an authentication dialog box to capture the username and password.

Custom Authentication

The default security model for Rexster that utilizes rexster.xml to house the usernames and passwords may not be the right choice for every environment. It is possible to develop a plug-in to Rexster to implement your own custom approach to validating a user’s credentials.

Create a class that extends the AbstractSecurityFilter. This class will require the implementation of three methods:

public boolean authenticate(final String username, final String password){

public void configure(final XMLConfiguration configuration) {

public String getName() {

The authenticate method is the important one. For each request, a call will be made to this method. Validate the username and password combination in the appropriate manner for the implementation (ie. connect to a database via JDBC) and return true if the the username and password combination are acceptable and false otherwise.

The configure method provides the means to access configuration information passed in from rexster.xml. This would obviously be useful for a JDBC-based solution where database connectivity information could be set in rexster.xml and passed in to this method at startup of Rexster. Rexster will pass in the contents of the <configuration> section of rexster.xml.

The getName method is fairly simple. It is just a name used for labeling of the implementation.

Make this class available in the Rexster classpath by copying it to Rexster’s REXSTER_HOME/ext directory (just like Rexster Extensions).

The final step is to configure rexster.xml to use the custom security extension. Set the value of the <security><authentication><type> element to the fully qualified class name of the AbstractSecurityFilter implementation.