使用角色注释进行保护不起作用(Jersey) [英] Securing with roles annotations not working (Jersey)

问题描述

即使我以前在这里找到过很多解决问题的方法，我还是这里的新手.

I'm new here even though I've found many answers to my problems in here before.

现在，我正在寻求帮助:我的小REST API上有这个小示例资源:

Now I'm looking for help with this: I have this little example resource on my little REST API:

@Path("/greeting")
@PermitAll
public class HelloResource {

    @GET
    @Produces(MediaType.TEXT_PLAIN)
    @Path("all")
    public String sayHelloToAll() {
        return "Hello, everybody!";
    }

    @GET
    @Produces(MediaType.TEXT_PLAIN)
    @RolesAllowed("admin")
    @Path("admin")
    public String sayHelloToAdmin() {
        return "Hello, admin!";
    }
}

为了过滤角色，我对SecurityContext进行了以下实现:

In order to filter roles, I have this implementation of SecurityContext:

public class Authorizer implements SecurityContext {

    @Override
    public String getAuthenticationScheme() {
        return null;
    }

    @Override
    public Principal getUserPrincipal() {
        return null;
    }

    @Override
    public boolean isSecure() {
        return false;
    }

    @Override
    public boolean isUserInRole(String role) {
        return true;
    }
}

以及ContainerRequestFilter的此实现:

And this implementation of ContainerRequestFilter:

@Provider
@Priority(Priorities.AUTHENTICATION)
public class AuthorizationFilter implements ContainerRequestFilter {

    @Override
    public void filter(ContainerRequestContext requestContext) throws IOException {
        requestContext.setSecurityContext(new Authorizer());
    }
}

这是我的应用程序类:

@ApplicationPath("/")
public class Application extends ResourceConfig {

    public Application() {
        super(HelloResource.class);
        register(AuthorizationFilter.class);
        register(RolesAllowedDynamicFeature.class);        
    }
}

有了这一切，当我请求URI问候语/全部时，一切正常，字符串你好，大家好！"显示.但是，当我请求URI问候语/admin时(即使我的isUserInRole方法始终返回true)，也永远不会调用它，当具有admin角色的用户请求它时应调用它.实际上，始终会调用我的filter方法，但永远不会调用我的isUserInRole方法.

With all this, when I request the URI greeting/all, everything is ok, the string "Hello, everybody!" is shown. But when I request the URI greeting/admin, which should be called when an user in admin role requests it, is never invoked, even when my isUserInRole method always returns true. In fact, my filter method is always called, but my isUserInRole method is never called.

我遵循了很多建议:

SecurityContext不适用于@RolesAllowed

使用RolesAllowedDynamicFeature和Jersey授权

如何访问由@RolesAllowed保护的Jersey资源

REST令牌的最佳做法JAX-RS和Jersey进行基于身份的验证

但是它似乎没有任何作用.

But it doesn't seem to work with anything.

有人可以帮助我吗?我不知道我缺少什么

Can anyone please help me? I don't know is there is something I am missing

谢谢大家.

当我请求URI问候语/管理员时，我得到了403 Forbiden(我忘记说了)

When I request the URI greeting/admin I get 403 Forbiden by the way (I forgot to say that)

推荐答案

看看

Take a look at the source code for the RoleAllowedRequestFilter. When a user is authenticated, it is expected that there be an associated Principal. The filter checks it here

if (rolesAllowed.length > 0 && !isAuthenticated(requestContext)) {
    throw new ForbiddenException(LocalizationMessages.USER_NOT_AUTHORIZED());
}
...
private static boolean isAuthenticated(final ContainerRequestContext requestContext) {
    return requestContext.getSecurityContext().getUserPrincipal() != null;
}

因此，您需要在SecurityContext的getUserPrincipal中返回Principal

So you need to return a Principal in the getUserPrincipal of the SecurityContext

@Override
public Principal getUserPrincipal() {
    return new Principal() {
        @Override
        public String getName() {
            return "Some Name";
        }
    };
}

这篇关于使用角色注释进行保护不起作用(Jersey)的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！