Using @RolesAllowed to filter entity properties with RESTEasy and Jackson

Question

With RESTEasy and Jackson, is it possible to use the @RolesAllowed annotation in my model to prevent certain properties from being serialized in the output, depending on the role of the user?

I already found a ton of documentation on how to do this with Jersey, but nothing with RESTEasy.

I'm blocked on this architecture so switching libraries is not an option, and using the custom ObjectMapper as explained here is not an option either, as the model is big enough to make it too time-consuming to mark every single property of a large dataset for correct serialization. Plus, this refers to an older version of the Jackson library and I'm not sure how to make it work with the new version.

EDIT

Specifically see this blog post to understand what I'm trying to accomplish. Please note that this is Jersey-specific and so far I found no documentation on RESTEasy to accomplish this.

Recommended answer

If you are not willing to use @JsonView, you could consider @JsonFilter. You first need to extend SimpleBeanPropertyFilter and control the serialization according to the user roles:

import java.util.Arrays;

import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;

import com.fasterxml.jackson.core.JsonGenerator;
import com.fasterxml.jackson.databind.SerializerProvider;
import com.fasterxml.jackson.databind.ser.PropertyWriter;
import com.fasterxml.jackson.databind.ser.impl.SimpleBeanPropertyFilter;

public class RoleBasedPropertyFilter extends SimpleBeanPropertyFilter {

    private final String allowedRole;

    public RoleBasedPropertyFilter(String allowedRole) {
        this.allowedRole = allowedRole;
    }

    @Override
    public void serializeAsField(Object pojo, JsonGenerator jgen,
                                 SerializerProvider provider,
                                 PropertyWriter writer) throws Exception {

        PermitAll permitAll = writer.getAnnotation(PermitAll.class);
        if (permitAll != null) {
            // Delegate to the writer; calling this method again would recurse forever
            writer.serializeAsField(pojo, jgen, provider);
            return;
        }

        DenyAll denyAll = writer.getAnnotation(DenyAll.class);
        if (denyAll != null) {
            writer.serializeAsOmittedField(pojo, jgen, provider);
            return;
        }

        RolesAllowed rolesAllowed = writer.getAnnotation(RolesAllowed.class);
        if (rolesAllowed != null) {
            if (!Arrays.asList(rolesAllowed.value()).contains(allowedRole)) {
                writer.serializeAsOmittedField(pojo, jgen, provider);
                return;
            }
        }

        // If no annotation is provided, the property will be serialized
        writer.serializeAsField(pojo, jgen, provider);
    }
}

To apply the filter to a certain bean, annotate it with @JsonFilter("roleBasedPropertyFilter"):

@JsonFilter("roleBasedPropertyFilter")
public class User {

    private String firstName;
    private String lastName;
    private String email;
    private String password;

    public String getFirstName() {
        return firstName;
    }

    public String getLastName() {
        return lastName;
    }

    @RolesAllowed({"ADMIN"})
    public String getEmail() {
        return email;
    }

    @DenyAll
    public String getPassword() {
        return password;
    }

    // Other getters and setters
}

Then register your filter in your ContextResolver for ObjectMapper (https://fasterxml.github.io/jackson-databind/javadoc/2.8/com/fasterxml/jackson/databind/ObjectMapper.html):

String currentUserRole = getCurrentUserRole(); // Hypothetical helper: get role from the current user

FilterProvider filterProvider = new SimpleFilterProvider()
        .addFilter("roleBasedPropertyFilter", 
                new RoleBasedPropertyFilter(currentUserRole));

ObjectMapper mapper = new ObjectMapper();
mapper.setFilterProvider(filterProvider);






If you want to make your filter global, that is, to be applied to all beans, you can create a mix-in class and annotate it with @JsonFilter("roleBasedPropertyFilter"):

@JsonFilter("roleBasedPropertyFilter")
public class RoleBasedPropertyFilterMixIn {

}

Then bind the mix-in class to Object:

mapper.addMixIn(Object.class, RoleBasedPropertyFilterMixIn.class);
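
An added example, not part of the original answer: a variant of the filter above that accepts every role the caller holds and is applied through a per-call ObjectWriter, so a mapper shared across requests never keeps one user's role in its configuration. It assumes Jackson 2.x databind and javax.annotation.security on the classpath; RoleFilterDemo, RoleSetFilter and toJson are hypothetical names, the sample values are constructed, and giving @DenyAll precedence over @PermitAll is a choice made here.

```java
import java.util.*;
import javax.annotation.security.*;
import com.fasterxml.jackson.annotation.JsonFilter;
import com.fasterxml.jackson.core.JsonGenerator;
import com.fasterxml.jackson.databind.*;
import com.fasterxml.jackson.databind.ser.*;
import com.fasterxml.jackson.databind.ser.impl.*;

public class RoleFilterDemo {   // hypothetical class name

    // Variant of the answer's filter that takes every role the caller holds.
    static class RoleSetFilter extends SimpleBeanPropertyFilter {
        private final Set<String> callerRoles;
        RoleSetFilter(Set<String> callerRoles) { this.callerRoles = callerRoles; }

        @Override
        public void serializeAsField(Object pojo, JsonGenerator gen,
                SerializerProvider prov, PropertyWriter writer) throws Exception {
            if (allowed(writer)) writer.serializeAsField(pojo, gen, prov);
            else writer.serializeAsOmittedField(pojo, gen, prov);
        }

        private boolean allowed(PropertyWriter w) {
            if (w.getAnnotation(DenyAll.class) != null) return false;  // deny wins here
            if (w.getAnnotation(PermitAll.class) != null) return true;
            RolesAllowed ra = w.getAnnotation(RolesAllowed.class);
            // Unannotated properties are written, as in the answer's filter.
            return ra == null || !Collections.disjoint(Arrays.asList(ra.value()), callerRoles);
        }
    }

    @JsonFilter("roleBasedPropertyFilter")
    static class User {   // constructed sample data
        public String getFirstName() { return "Ada"; }
        @RolesAllowed({"ADMIN"}) public String getEmail() { return "ada@example.test"; }
        @DenyAll public String getPassword() { return "constructed-secret"; }
    }

    // Shared mapper stays role-free; the filter lives only in the per-call ObjectWriter.
    static final ObjectMapper MAPPER = new ObjectMapper();

    static String toJson(Object value, Set<String> callerRoles) throws Exception {
        FilterProvider filters = new SimpleFilterProvider()
                .addFilter("roleBasedPropertyFilter", new RoleSetFilter(callerRoles));
        return MAPPER.writer(filters).writeValueAsString(value);
    }

    public static void main(String[] args) throws Exception {
        System.out.println(toJson(new User(), Collections.singleton("USER")));   // caller without ADMIN
        System.out.println(toJson(new User(), Collections.singleton("ADMIN")));  // caller with ADMIN
    }
}
```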
