如何在Java中使用Jersey安全注释绕过servlet过滤器中的路径 [英] How to bypass path in servlet filter with Jersey security annotations in Java
问题描述
我使用Jersey实现了REST服务。为了提高安全性,我在REST方法中添加了泽西安全注释( @PermitAll , @DenyAll )。
I have implemented REST service using Jersey. To give more security, I have added jersey security annotation into REST method(@PermitAll, @DenyAll).
以下是我的示例REST服务:
Below is my sample REST service:
@GET
@Path("/getall")
@Produces(MediaType.APPLICATION_JSON)
@PermitAll
public String getChartSupportedData(@QueryParam("items") int result) {
// my code goes here
}
但问题是以前我用过 javax.servlet.Filter 过滤以验证URI。
But the problem is that previously I have used javax.servlet.Filter filter to validate URI.
web.xml:
<filter>
<filter-name>ApplicationFilter</filter-name>
<filter-class>web.filter.ApplicationFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>ApplicationFilter</filter-name>
<url-pattern>/rest/api/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>ASYNC</dispatcher>
</filter-mapping>
根据访问一些REST服务, HttpServletRequest 应该包含一个有效的令牌(由应用程序生成)。
According to access some REST services, HttpServletRequest should contain a valid token (generated by the application).
某些REST端点不需要令牌来访问服务。在这种情况下,我必须在过滤器实现中绕过它:
Some REST end points doesn't require a token to access the service. In that case, I have to bypass that in filter implementation:
private static String[] bypassPaths = { "/data/getall" };
所以我的要求是这样的。
So my requirement is something like that.
如果我们将某些REST端点声明为 @PermitAll 该路径不应该在过滤器中声明为旁路路径没有有效令牌,任何人都可以访问它。
If we declared some REST end point as @PermitAll that path should not have declare in filter as bypass path so that anyone can access it without valid token.
但问题是,当请求进入服务器时,过滤器总是过滤,如果不在旁路阵列中,则请求不会继续,即使我声明为 @PermitAll 。
But the problem is that filter is always filtering when the request comes into server and, if it's not in the bypass array the request doesn't continue even I declared as @PermitAll.
我想知道是否可以将这两个安全选项合并到同一个Web应用程序中。
I would like to know if can I combine those two security options in same web application.
推荐答案
由于您正在执行身份验证和/或授权,我建议使用名称绑定过滤器,而不是servlet过滤器,因此您可以轻松地将它们绑定到您需要的资源。
Since you are performing authentication and/or authorization, instead of servlet filters I would recommend using name binding filters, so you can easily bind them to the resources you need.
为了将过滤器绑定到REST端点,JAX-RS提供了元注释 @NameBinding ,可以使用如下:
To bind filters to your REST endpoints, JAX-RS provides the meta-annotation @NameBinding and can be used as following:
@NameBinding
@Retention(RUNTIME)
@Target({TYPE, METHOD})
public @interface Secured { }
@Secured 注释将用于装饰过滤器类,实现 ContainerRequestFilter ,允许您处理请求。
The @Secured annotation will be used to decorate a filter class, which implements ContainerRequestFilter, allowing you to handle the request.
ContainerRequestContext 可帮助您从HTTP请求中提取信息(有关详细信息,请查看 ContainerRequestContext API ):
The ContainerRequestContext helps you to extract information from the HTTP request (for more details, have a look at the ContainerRequestContext API):
@Secured
@Provider
@Priority(Priorities.AUTHENTICATION)
public class SecurityFilter implements ContainerRequestFilter {
@Override
public void filter(ContainerRequestContext requestContext) throws IOException {
// Use the ContainerRequestContext to extract information from the HTTP request
// Information such as the URI, headers and HTTP entity are available
}
}
ContainerRequestFilter#filter() <如果用户未经过身份验证/授权,则/ a>方法是中止请求的好地方。为此,您可以使用 ContainerRequestContext#abortWith() 或抛出异常。
The ContainerRequestFilter#filter() method is a good place to abort the request if the user is not authenticated/authorized. To do it, you can use ContainerRequestContext#abortWith() or throw an exception.
@Provider 注释标记了在提供程序扫描阶段JAX-RS运行时应该可以发现的扩展接口的实现。
The @Provider annotation marks an implementation of an extension interface that should be discoverable by JAX-RS runtime during a provider scanning phase.
要将过滤器绑定到端点方法或类,请使用上面创建的 @Secured 注释对其进行注释。对于注释的方法和/或类,将执行过滤器。
To bind the filter to your endpoints methods or classes, annotate them with the @Secured annotation created above. For the methods and/or classes which are annotated, the filter will be executed.
@Path("/")
public class MyEndpoint {
@GET
@Path("{id}")
@Produces("application/json")
public Response myUnsecuredMethod(@PathParam("id") Long id) {
// This method is not annotated with @Secured
// The security filter won't be executed before invoking this method
...
}
@DELETE
@Secured
@Path("{id}")
@Produces("application/json")
public Response mySecuredMethod(@PathParam("id") Long id) {
// This method is annotated with @Secured
// The security filter will be executed before invoking this method
...
}
}
在上面的示例中,安全过滤器将仅针对 mySecuredMethod(Long)执行,因为它使用 @Secured 。
In the example above, the security filter will be executed only for mySecuredMethod(Long) because it's annotated with @Secured.
您可以拥有REST端点所需的尽可能多的过滤器。要确保过滤器的执行顺序,请使用 <$ c对其进行注释。 $ C> @priority 。
You can have as many filters as you need for your REST endpoints. To ensure the execution order of the filters, annotate them with @Priority.
强烈建议使用 优先级 类(将使用以下订单):
It's highly recommended to use one of the values defined in the Priorities class (the following order will be used):
AUTHENTICATIONAUTHORIZATIONENTITY_CODERHEADER_DECORATORUSER
如果您的过滤器未使用 @Priority ,过滤器将使用 USER 优先级。
If your filter is not annotated with @Priority, the filter will be executed with the USER priority.
您可以将此方法与结合使用泽西岛安全机制。
此外,你可以注入 ResourceInfo 。 com / javaee / 7 / api / javax / ws / rs / container / ContainerRequestFilter.htmlrel =nofollow> ContainerRequestFilter :
Additionally, you can inject ResourceInfo in your ContainerRequestFilter:
@Context
private ResourceInfo resourceInfo;
它可用于获取 方法 和 Class 哪个匹配使用请求的网址:
It can be used to get Method and Class which match with the requested URL:
Class<?> resourceClass = resourceInfo.getResourceClass();
Method resourceMethod = resourceInfo.getResourceMethod();
并从中提取注释:
Annotation[] annotations = resourceClass.getDeclaredAnnotations();
PermitAll annotation = resourceMethod.getAnnotation(PermitAll.class);
这篇关于如何在Java中使用Jersey安全注释绕过servlet过滤器中的路径的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
