Restlet with Spring

My first post is about to write a very simple authenticated rest server with :

An easy way to try this sample rest servlet is with jetty (
and the maven-jetty-plugin

We can use curl to make a rest request (

  • First, create the sample project structure with maven

    mvn archetype:generate -DgroupId=com.jgoday -DartifactId=restservlet -DarchetypeArtifactId=maven-archetype-webapp

    maven will create the following structure :


  • Edit pom.xml to add the project dependencies and restlet repository:
    • Spring and spring-security
    • Restlet

      We have to add the restlet repository (

        <name>Public online Restlet repository</name>
    • Jetty
      cglib dependency for jetty


      And configure the jetty plugin in the build section

  • We are going to create a sample REST resource (SampleResource)
    that will receive an user name and will return a ‘hello world’ xml representation

    First we have to describe the rest servlet in the web.xml file

    <!DOCTYPE web-app PUBLIC
     "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
     "" >
      <display-name>Sample rest servlet</display-name>
  • We define a rest servlet called ‘rest’ , so we need a rest-servlet.xml file to define the resources
    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns=""
        <bean id="root" class="org.restlet.ext.spring.SpringRouter">
            <property name="attachments">
                    <entry key="/sample/{name}">
                        <bean class="org.restlet.ext.spring.SpringFinder">
                            <lookup-method name="createResource" bean="sampleResource" />
        <bean id="sampleResource" class="" scope="prototype" />
  • And now, define the sampleResource code that will return a xml with the output message
    import org.w3c.dom.Document;
    import org.w3c.dom.Element;
    import org.restlet.resource.DomRepresentation;
    import org.restlet.resource.Representation;
    import org.restlet.resource.Resource;
    import org.restlet.resource.Variant;
    public class SampleResource extends Resource
        public SampleResource ()
            this.getVariants ().add (new Variant (MediaType.TEXT_XML));
        public Representation represent (Variant variant)
            Representation resource = null;
            try {
                resource = new DomRepresentation (MediaType.TEXT_XML);
                Document doc = ((DomRepresentation) resource).getDocument ();
                Element root = doc.createElement ("message");
                root.setTextContent ("Hello world " +
                    this.getRequest ().getAttributes ().get ("name") + “!”);
                doc.appendChild (root);
                doc.normalizeDocument ();
            catch (Exception e) {
                e.printStackTrace ();
            return resource;
  • We can try it now with jetty and curl (to make the rest request):

    mvn package && mvn jetty:run
    curl -i -H "Accept: text/xml" -X GET http://localhost:8080/restservlet/rest/sample/tommy

    and we get

    <?xml version="1.0" encoding="UTF-8"><message>Hello world tommy!</message>
Now it’s time to add the security stuff

  • Add the spring security filter in web.xml
  • configure spring-security (in applicationContext.xml or other spring definition file)
    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns=""
        <security:http-basic />
        <security:form-login />
        <security:intercept-url pattern="/**" access="ROLE_USER"  />
        <security:password-encoder hash="md5" />
          <security:user name="user"
                         authorities="ROLE_USER" />

we add security to all site, both http-basic and form authentication methods

And it’s done !

If we try to access with a browser, spring-security will automatically show a auth form:
spring auth form

And if we try again with curl, we should use an username and a password:

curl -i -H "Accept: text/xml" -X GET http://localhost:8080/restservlet/rest/sample/tommy -u user

curl auth

In the resource, if we want to get the user information, we can use SecurityContext


SecurityContext context = SecurityContextHolder.getContext ();
User user = (User) context.getAuthentication ().getPrincipal ();

Element userElement = doc.createElement ("user_info");
userElement.setTextContent (user.getUsername ());

  1. Thanks for your article. It is exactly what i am looking for.
    One question. How you handle security exception? i notice that it comes bad with html code? How can i make it xml?
    Apart from that, i see other companies actually gives away api key instead. How you would handle that?


      • jgoday
      • May 29th, 2009

      Hi, spring-security authomatically handles the exception returning the http error code and the message.
      For example, with QT, if the auth data is wrong we get
      the QNetworkReply::AuthenticationRequiredError and the message ‘server replied: Bad credentials’

      part from that, i see other companies actually gives away api key instead. How you would handle that?

      Do you mean ‘how to handle it with restlet ?’

  2. Hi,nice article. I m getting following exception while running it. I m using tomcat 6.0. Kindly help me in this regard

    java.lang.NoSuchMethodError: com.noelios.restlet.http.HttpServerCall.(Ljava/lang/String;I)V
    at com.noelios.restlet.ext.servlet.ServletCall.(
    at com.noelios.restlet.ext.servlet.ServletConverter.service(
    at com.noelios.restlet.ext.spring.RestletFrameworkServlet.doService(
    at org.springframework.web.servlet.FrameworkServlet.processRequest(
    at org.springframework.web.servlet.FrameworkServlet.doGet(
    at javax.servlet.http.HttpServlet.service(
    at javax.servlet.http.HttpServlet.service(
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(
    at org.apache.catalina.core.StandardWrapperValve.invoke(
    at org.apache.catalina.core.StandardContextValve.invoke(
    at org.apache.catalina.core.StandardHostValve.invoke(
    at org.apache.catalina.valves.ErrorReportValve.invoke(
    at org.apache.catalina.core.StandardEngineValve.invoke(
    at org.apache.catalina.connector.CoyoteAdapter.service(
    at org.apache.coyote.http11.Http11Processor.process(
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(

  3. I have solved my issue .Thanks a lot

      • jay
      • November 7th, 2011

      How did u solve this? i’am getting the same issue with servicemix and camel.

  4. Hi,

    I have gone through the example you provided on your website. and have a quick question. You have defined following code in your web.xml and also another file called rest-servlet.xml which again seems to be the spring beans file. What is the difference between them ?



    Also suppose in your resource you need another spring defined service how will you do that. and what all entries will you make in you respective xml files.

    Any help on this is highly appreciated.


      • jgoday
      • November 16th, 2009

      Unless you tell it specified, the RestletFrameworkServlet looks for a ‘Servlet name’.xml file to configure the rest resources.
      If i understand you well, you always can define more spring files,
      /WEB-INF/applicationContext-*.xml for example (applicationContext-dao.xml, applicationContext-services.xml …)

  5. Hi,

    Thanks a lot for providing this example. It helped me a lot. I was stuck using Restlet with Spring and your article helped. Thanks again.

  6. This was an extremely helpful blog. I appreciate you taking the time. I learned how to combine Restlets and Spring

  7. The tutorial is good. Just one correction:
    With configuration you outlined here the session will be created on the server side and associated with the client using cookie.
    When you implement REST services keep in mind that it’s stateless services(in most of the cases) and auth information should be passed on each request.
    To achieve it with spring security configuration you can add create-session=”never” attribute and replace http-form with http-basic authentication:

    • magic mesh
    • January 5th, 2013

    I was suggested this website by my cousin. I’m not sure whether this post is written by him as no one else know such detailed about my problem. You’re wonderful!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: