RESTEasy支持JAX-RS @RolesAllowed [英] RESTEasy support for JAX-RS @RolesAllowed
问题描述
我已经花了数小时在嵌入式Jetty 9.1.0.v20131115和RESTEasy 3.0.5.Final中安装自定义登录服务.我的登录服务将在数据库中查找用户并为其分配角色.看起来像这样:
I've spend hours installing a custom login service in embedded Jetty 9.1.0.v20131115 and RESTEasy 3.0.5.Final. My login service will look users up in a database and assign them roles. It looks something like this:
final Constraint restConstraint = new Constraint();
restConstraint.setName(Constraint.__BASIC_AUTH);
restConstraint.setRoles(new String[]{"user", "admin");
restConstraint.setAuthenticate(true);
final ConstraintMapping restConstraintMapping = new ConstraintMapping();
restConstraintMapping.setConstraint(restConstraint);
restConstraintMapping.setPathSpec("/api/*");
final ConstraintSecurityHandler restSecurityHandler = new ConstraintSecurityHandler();
final LoginService myLoginService = new MyLoginService();
restSecurityHandler.setAuthenticator(new BasicAuthenticator());
restSecurityHandler.setRealmName(myLoginService.getName());
restSecurityHandler.addConstraintMapping(restConstraintMapping);
restSecurityHandler.setLoginService(myLoginService);
我有角色user的用户joe-user和同时具有user和admin角色的jane-admin.我有一个名为my-resource的REST GET资源,标记为:
I have users joe-user who has the role of user, and jane-admin who has both user and admin roles. I have a REST GET resource named my-resource marked with:
@RolesAllowed("admin")
当我在my-resource上执行HTTP GET时,浏览器正确地请求了凭据,并且我可以以joe-user或jane-admin身份登录.问题是任何一个用户都可以GET my-resource !!
When I do an HTTP GET on my-resource, the browser correctly requests credentials, and I can login as either joe-user or jane-admin. The problem is that either user is allowed to GET my-resource!!
我已经找到了一些Jetty代码,实际上,由于上面的登录服务,Jetty询问登录用户支持哪些角色.不幸的是,无论用户是谁,Jetty都将接受我在restConstraint.setRoles(new String[]{"user", "admin")中指定的任何角色.
I've traced through some of the Jetty code, and indeed, as a result of my login service above, Jetty asks the login user which roles is supported. Unfortunately, Jetty will accept any of the roles I've specified in restConstraint.setRoles(new String[]{"user", "admin"), regardless of the user.
显然,应该是RESTEasy层才能识别@RolesAllowed("admin")批注并验证用户.但是我如何获得RESTEasy的帮助呢?
Apparently it is the RESTEasy layer that is supposed to recognize the @RolesAllowed("admin") annotation and validate the user. But how do I get RESTEasy to do that?
推荐答案
With a little help from the RESTEasy documentation, I found out that in order for RESTEasy to honor the @RolesAllowed annotations, one must turn on the resteasy.role.based.security context parameter switch in the web.xml file; or programatically, as I am doing:
final ServletHolder servletHolder = new ServletHolder(new HttpServlet30Dispatcher());
servletHolder.setInitParameter("javax.ws.rs.Application", MyApplication.class.getName());
servletHolder.setInitParameter("resteasy.role.based.security", String.valueOf(true));
contextHandler.addServlet(servletHolder, "/api/*");
这篇关于RESTEasy支持JAX-RS @RolesAllowed的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
