在Grizzly上使用JaaS和泽西岛 [英] Using JaaS with Jersey on Grizzly

问题描述

我正在尝试找到一种简单，灵活的方法来向REST添加JaaS身份验证。我找到了一个帖子，我认为这会引导我朝着正确的方向前行（请参阅StevenC的回答） 。听起来servlet容器负责安全性，而不是Jersey代码本身。我喜欢这个想法，但需要一些实施指导。

I'm trying to find a simple, flexible way to add JaaS authentication to REST. I found a post that I think leads me in the right direction (See StevenC's answer). It sounds like the servlet container is responsible for security, not the Jersey code itself. I like this idea, but need a little guidance on implementation.

Grizzly是我的servlet容器，我想配置它使用JaaS进行身份验证。现在，一个简单的用户名/密码组合就可以了，直接在代码中硬编码用户名/密码对就可以了。只要它使用JaaS，我们可以稍后改进这些细节。

Grizzly is my servlet container and I want to configure it to use JaaS for authentication. For now, a simple username/password combination would be fine, and hard-coding the username/password pairs directly in code is fine. As long as it uses JaaS, we can refine those details later.

就通过HTTP发送的内容而言，我认为存储cookie是最简单的使这一切工作的方法。无论如何使身份验证垃圾远离我的泽西岛代码。

As far as what is sent over HTTP, I'm thinking that storing a cookie would be the easiest way to make this all work. Whatever it takes to keep authentication junk away from my Jersey code.

以下是到目前为止启动Grizzly的代码：

Here's the code to start Grizzly so far:

final String baseUri = "http://localhost:9998/";
final Map initParams = new HashMap();

initParams.put("com.sun.jersey.config.property.packages", 
  "my.jersey.Service");

System.out.println("Starting grizzly...");
SelectorThread threadSelector = GrizzlyWebContainerFactory.create(baseUri, initParams);
System.out.println(String.format(
        "Jersey app started with WADL available at %sapplication.wadl\n"
  + "Try out %shelloworld\nHit enter to stop it...", baseUri, baseUri));                
System.in.read();
threadSelector.stopEndpoint();
System.exit(0);

如果整个过程有效，那么检查用户权限的最佳方法是什么？我可能希望我的REST代码在某些点实际验证权限。我是否走在正确的轨道上？有没有更简单的方法？指向教程的链接将是一个很好的答案。即使像我这样做而且有效这样的回答也会给我一个温暖的模糊，我正朝着正确的方向前进。

If this whole process works, what's the best way to check permissions for the user? I would probably want my REST code to actually validate permissions at certain points. Am I even on the right track? Is there an easier way? A link to a tutorial would be a great answer. Even an answer like "I did that and it worked" would give me a warm fuzzy that I'm heading in the right direction.

感谢您的帮助。

编辑：对StevenC评论的一些澄清：

Some clarifications for StevenC's comment:

• 你还想使用servlet吗？过滤器来保护您的资源？我将使用任何可以从Jersey代码中分离出身份验证详细信息的内容。它不一定是servlet过滤器。


• 配置它使用JaaS是什么意思？最初的计划是使用JaaS保护当前的API。下一阶段将是在线提供整个API。在API调用周围有一个Jersey包装器似乎是有道理的，但是保持身份验证由Grizzly处理。我相信Grizzly必须与JaaS互动。


• 您是否认为应该有一些配置只会导致灰熊保护您的资源？我正在考虑对用户进行身份验证和基于角色的两步流程，授权用户访问资源。我们的想法是让Grizzly处理身份验证（使用JaaS）和Jersey处理授权。


• 我认为不需要使用RESTful资源的cookie。删除cookie的使用会很棒，但如何实现呢？系统需要知道用户是否经过身份验证。我宁愿不要求他们为每个电话传递用户名/密码/等。甚至在每次调用时都将会话令牌作为参数传递似乎丑陋。

• Do you still want to use servlet filters to protect your resources? I'll use whatever can separate out the authentication detail from the Jersey code. It doesn't have to be servlet filters.
• What is mean by "configure it to use JaaS"? The original plan was to protect the current API using JaaS. The next phase would be to make the entire API available online. It seemed to make sense to have a Jersey wrapper around the API calls, but keep authentication handled by Grizzly. Grizzly would have to interact with JaaS at that point I believe.
• Are you thinking there should be some config that simply causes grizzly to protect your resources? I was considering a two-step process of authenticating the user and based on roles, authorizing the user to access resources. The idea was to have Grizzly handle authentication (using JaaS) and Jersey handle authorization.
• "I don't see the need for the usage of cookies with a RESTful resource." It would be wonderful to remove the use of cookies, but how can the be accomplished? The system needs to know if the user is authenticated. I'd rather not ask them to pass a username/password/etc for each call. Even passing a session token as a parameter with every call seems "ugly".

另外，请注意我是相当新的休息。我已经做了几年SOAP，所以我可能会有一个SOAP偏见，这可能会使我从一个每个人都使用的明显，简单的解决方案中眩目。如果有更简单的方法，请随时分享。我只是想尽可能地学习。

Also, please note that I'm fairly new to REST. I've been doing SOAP for a couple of years, so I may have a "SOAP bias" that may be blinding me from some obvious, simple solution that everyone uses. If there's an easier way, please feel free to share. I'm just trying to learn as much as possible.

推荐答案

我不完全清楚配置它是什么意思使用JaaS进行身份验证。如果有一个简单的配置让灰熊强制执行HTTP身份验证保护URL，我不知道它。

I'm not entirely clear what is meant by "configure it to use JaaS for authentication". If there's a simple configuration to have grizzly enforce HTTP authentication protecting URLs, I don't know about it.

我假设从另一个问题并回答你的参考你想使用servlet过滤器。通常，这是在servlet项目的web.xml文件中配置的。 Grizzly当然经常用于从代码启动服务器而不是应用程序配置。当我以这种方式使用grizzly时，我注意到GrizzlyWebContainerFactory没有提供允许你指定servlet过滤器的任何版本的create（）。但是我确实注意到同一个项目中的ServletAdapter [1]确实能够提供这种能力。

I'm assuming from the other question and answer you reference that you want to use a servlet filter. Normally that's configured in the web.xml file of a servlet project. Grizzly is of course often used to start up a server from code as opposed to application config. When I used grizzly in this way I noticed that GrizzlyWebContainerFactory didn't offer any versions of create() that allowed you to specify servlet filters. However I did notice ServletAdapter [1] in the same project that does give you that ability.

至于过滤器本身，我很遗憾不知道预先构建的servlet过滤器只需将JaaS配置的登录模块插入您的应用程序，因此您可能需要在那里编写一些代码。不过，只需选择基于HTTP的身份验证方法（例如HTTP BASIC，DIGEST等），相应地从请求中提取凭据，然后使用JaaS框架登录。我没有看到RESTful资源特别需要cookie。 RESTful建筑风格在保持会话时皱眉。有很多关于JaaS的教程，所以我不会在这里详细说明。

As for the filter itself, I unfortunately don't know of a pre-built servlet filter that simply plugs JaaS configured login modules into your application, so you'll likely have to write a bit of code there. It's not much though, just choose the HTTP based authentication method (e.g. HTTP BASIC, DIGEST, etc.), extract credentials from the request accordingly, and login using the JaaS framework. I don't see that a cookie would specifically be needed for RESTful resources. The RESTful architectural style frowns upon keeping sessions. There are plenty of tutorials about JaaS otherwise, so I won't elaborate on that here.

一旦JaaS主题处于活动状态（消费者成功登录），你可以简单地获得使用Subject.getSubject方法检查当前主题并检查活动主体和凭据。

Once a JaaS subject is active (consumer successfully logged in) you can simply get the current subject and check the active principals and credentials using the Subject.getSubject method.

无论如何，这个答案专门用于提供有关使用auth进行身份验证的更多详细信息。 servlet过滤器，正如您在其他（链接）问题中所请求的那样。这不一定是在球衣webapp中进行身份验证的唯一方法，但这是一种相当简单的方法。我喜欢它，因为它阻止我在每个需要它的资源中注入重复的auth代码。

Anyway, this answer is specifically to give a bit more of the details around doing auth with servlet filters, as you requested in the other (linked) question. This isn't necessarily the only way to do auth in a jersey webapp, but it's a fairly straightforward way to do it. I like it because it keeps me from injecting repetitive auth code in each resource that needs it.

[1] https://grizzly.dev.java.net/nonav/apidocs/com/sun/grizzly /http/servlet/ServletAdapter.html

这篇关于在Grizzly上使用JaaS和泽西岛的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！