SecurityContext不适用于@RolesAllowed [英] SecurityContext doesn't work with @RolesAllowed
问题描述
我目前正在Tomcat 7中使用Jersey 2.5.1创建后端服务器。为了安全起见,我使用 @RolesAllowed
, @PermitAll
等注释,我创建了自定义 ContainerRequestFilter
和 SecurityContext
。
I'm currently creating a backend server using Jersey 2.5.1 in a Tomcat 7. For the security I'm using the @RolesAllowed
, @PermitAll
etc. annotations, and I have created my custom ContainerRequestFilter
and SecurityContext
.
我的问题是,当我的 @RolesAllowed
注释资源被请求时,它总是拒绝许可,即使我强迫我的 isUserInRole(role)
返回 true的方法
。但是,我的过滤器
方法被调用。你有什么建议吗?我将在下面粘贴一些相关代码。
My problem is that when my @RolesAllowed
annotated resource is requested it always denies permission, even if I force my isUserInRole(role)
method to return true
. However, my filter
method gets called. Do you have any suggestions? I'll paste some relevant code below.
我的 ContainerRequestFilter
实施:
public class AuthorizationFilter implements ContainerRequestFilter
{
@Override
public void filter(ContainerRequestContext request) throws IOException
{
request.setSecurityContext(new Authorizer());
}
}
我的 SecurityContext
实现:
public class Authorizer implements SecurityContext
{
@Override
public String getAuthenticationScheme() {
return null;
}
@Override
public Principal getUserPrincipal() {
return null;
}
@Override
public boolean isSecure() {
return false;
}
@Override
public boolean isUserInRole(String role) {
return true;
}
}
我的资源:
@Path("/secure")
public class TestSecureResource {
@GET
@PermitAll
@Path("/nonsec_test/{text}")
public Response nonSecureTest(
@PathParam("text") String text){
return Response.status(200).entity(text).build();
}
@GET
@RolesAllowed("admin")
@Path("/sec_test/{text}")
public Response secureTest(
@PathParam("text") String text){
return Response.status(200).entity(text).build();
}
}
我的 ResourceConfig
:
@ApplicationPath("/")
public class MyApplication extends ResourceConfig {
public MyApplication() {
super(TestSecureResource.class);
register(RolesAllowedDynamicFeature.class);
register(AuthorizationFilter.class);
}
}
我的网页的相关部分.xml
:
<servlet-name>Jersey Web Application</servlet-name>
<servlet-class>org.glassfish.jersey.servlet.ServletContainer</servlet-class>
<init-param>
<param-name>jersey.config.server.provider.packages</param-name>
<param-value>pkg.backend</param-value>
</init-param>
<init-param>
<param-name>javax.ws.rs.Application</param-name>
<param-value>pkg.backend.MyApplication</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
在这种特定情况下,我访问 secureTest
总是被拒绝。澄清事情;我收到HTTP状态码403 - 禁止。
In this specific case, my access to secureTest
is always denied. To clarify things; I'm getting HTTP status code 403 - Forbidden.
提前谢谢你们
推荐答案
确保在 MyApplication
中注册了 AuthorizationFilter
(参见在Jersey 2注册资源和提供商)或使用 @Provider 进行注释(通过包扫描可以发现它。)
Make sure you have your AuthorizationFilter
either registered in your MyApplication
(see Registering Resources and Providers in Jersey 2) or annotated with @Provider (to make it discoverable by package scanning).
为了使用安全注释(包 javax.annotation.security
)限制访问您需要注册的资源 RolesAllowedDynamicFeature 。
In order to use security annotations (package javax.annotation.security
) to restrict access to your resources you need to register RolesAllowedDynamicFeature.
您的 AuthorizationFilter
还必须使用 @PreMatching
进行注释,这意味着在匹配阶段(uri)之前调用过滤器 - >资源)。否则, RolesAllowedDynamicFeature
注册的过滤器(在此阶段调用)将看不到自定义 SecurityContext
。
Your AuthorizationFilter
has to be also annotated with @PreMatching
which means that the filter is invoked before matching phase (uri -> resource). Otherwise filters registered by RolesAllowedDynamicFeature
(invoked during this phase) won't see the custom SecurityContext
.
泽西岛用户指南 - 授权 - 保护资源
Jersey User Guide - Authorization - securing resources
这篇关于SecurityContext不适用于@RolesAllowed的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!