将Spring Security 3与jersey rest api结合使用 [英] combining spring security 3 with jersey rest api
问题描述
我有一种情况,我试图将春季安全性与jersey结合使用以实现我的REST API.
I have a scenario where I am trying to combine spring security with jersey for my REST API.
我的需求很复杂(我认为),如下所示:
My need is rather complicated (I think) and it is as follows:
Spring安全性用于拦截URL和强制进行基本身份验证,以便访问REST资源.这似乎可以,因为我正在使用http客户端进行测试.
Spring security is being used to intercept urls and forcing basic authentication in order to access a REST resource. This seems to be ok as I am using http client to test this.
但是,我要做的是以某种方式访问已加载的User对象,以检查一些挂在用户身上的其他权限(带有布尔标志的Map对象,用于指示对象属性是否可见).可以执行加载的代码,但是在spring验证之后,我该如何在实际的REST Resource方法本身中访问User对象?这可能吗?
However what I want to do is somehow access the User object that is loaded to check some additional permissions that hang off the user (a map object with boolean flags to indicate if object properties are visible or not). The code that does the loading works, but after spring authenticates how do I then access the User object in the actual REST Resource method itself?? Is this possible?
步骤如下:
1)客户端进行REST API调用 2)Spring截取URL检查HTTP头中提供的用户名和密码 3)如果存在有效的凭据,则可以访问rest资源方法
1) Client makes a REST API call 2) Spring intercepts URL checks username and password supplied in the http header 3) The rest resource method is then accessed if valid credentials are present
但是在第3步之前,我想以某种方式将已加载的User对象传递给实际的Resource方法本身,以便我可以进一步应用一些逻辑来限制基于我已加载的权限用户可以看到的内容???这可能吗?我想我已经在某些地方看到了一些代码,这些代码可以在使用Spring和REST访问方法之前检查用户角色,但是如果有人有任何链接或想法将非常有用.
But before step 3, I want to somehow pass on the loaded User object to the actual Resource method itself so I can further apply some logic to restrict what the user can see based on the permissions that I have loaded??? Is this possible? I think I have seen some code somewhere that checks for User Roles before a method is accessed using Spring and REST but if anyone has any links or ideas that would be excellent.
如果可以的话,请提供帮助.非常感谢.
Please help if you can. thank you so much.
推荐答案
我通过使用由bean工厂构造的请求范围的代理解决了这个问题.
I solved this by using a request-scoped proxy which was constructed by a bean factory.
这使您可以简单地将当前已通过身份验证的用户注入任何spring托管的bean中,在我的情况下,我的Jersey Resources属于该类.我将用户注入到资源下方的层中,但是都一样.
This allows you to simply inject your currently authenticated user into any spring managed bean, and in my case my Jersey Resources fell into that category. I injected my user into the tier below the resources, but it's all the same.
这篇关于将Spring Security 3与jersey rest api结合使用的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
