JAX-RS access control


Problem description

Can someone provide me some pointers about access control in JAX-RS web services, e.g. limiting access on the basis of user credentials, or name or any other criteria? Could not find any useful information in the Sun manuals.

Thanks in advance, Adhir

Recommended answer

I personally use Spring Security to accomplish this. Spring Security allows for easy use of various authentication and authorization schemes (e.g. by checking the basic/digest headers from the HTTP request against a database or LDAP server). It's not too hard to set up with JAX-RS and also has a nifty aspect-based rights system where you can do stuff like

@PreAuthorize("hasRole('ROLE_ADMIN') or #order.customer.username == principal.username")
void deleteOrder(Order order);

which ensures that an authenticated user must either be in the ROLE_ADMIN group or be the owner of the order to be allowed to delete it.

When this is configured, all you have to do in your JAX-RS resource is to handle the security exception from Spring and take the appropriate action (e.g. by throwing a WebApplicationException as described here)
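
A sketch of the wiring the answer describes, added here as an example and not code from the answer or from Spring. `Customer`, `Order`, `OrderService`, the `/orders` path and the realm string are hypothetical; it assumes the `javax.ws.rs` API, Spring method security enabled, and a JAX-RS/Spring integration that injects the proxied service into the resource.

```java
import javax.ws.rs.DELETE;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.parameters.P;

// Hypothetical domain types and service, named after the answer's snippet.
class Customer { String username; public String getUsername() { return username; } }
class Order { Customer customer; public Customer getCustomer() { return customer; } }

interface OrderService {
    Order find(long id);

    // @P names the argument for SpEL; principal is assumed to be a UserDetails.
    @PreAuthorize("hasRole('ROLE_ADMIN') or #order.customer.username == principal.username")
    void deleteOrder(@P("order") Order order);
}

@Path("/orders")
public class OrderResource {
    private final OrderService orders; // must be the Spring proxy, or @PreAuthorize never runs
    public OrderResource(OrderService orders) { this.orders = orders; }

    @DELETE
    @Path("{id}")
    public Response delete(@PathParam("id") long id) {
        Order order = orders.find(id);
        if (order == null) {
            throw new WebApplicationException(Response.Status.NOT_FOUND);
        }
        try {
            orders.deleteOrder(order);
        } catch (AuthenticationException e) {
            // No usable credentials: 401 plus a challenge (realm is a constructed value).
            throw new WebApplicationException(Response.status(Response.Status.UNAUTHORIZED)
                    .header(HttpHeaders.WWW_AUTHENTICATE, "Basic realm=\"orders\"").build());
        } catch (AccessDeniedException e) {
            // Authenticated, but neither admin nor owner: 403 with no exception detail.
            throw new WebApplicationException(Response.Status.FORBIDDEN);
        }
        return Response.noContent().build();
    }
}
```

The same translation can be done once for all resources with a JAX-RS `ExceptionMapper<AccessDeniedException>` provider instead of a try/catch in each method.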
