我可以自定义注释到JAX-RS方法来验证访问？ [英] Can I add a custom annotation to JAX-RS method to validate access?

问题描述

例如我有以下方法：

@GET
    @Path("/get/current")
    public Response getCurrentInfo(@HeaderParam("Authorization") String token){

        Gson gson = new GsonBuilder()
        .setDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSS")
        .setPrettyPrinting().create();          

        String email = SecurityProvider.decryptTokenAndGetEmail(token);

        if(DB.isAccessPermitted(email)){
            Info info = DB.getCurrentInfo();
            String json = gson.toJson(info);
            return Response.ok(json).build();
        }else{
           return Response.status(401).build();
        }

    }

因此​​，而不是在每一个方法写的：

So instead to write in every method:

          if(DB.isAccessPermitted(email)){
                Info info = DB.getCurrentInfo();
                String json = gson.toJson(info);
                return Response.ok(json).build();
            }else{
               return Response.status(401).build();
            }

我将例如创建 @SecurityCheck 批注，批注每个具有有限的访问方法，只在一个地方进行检查。是有可能实现与注释和可MVCE提供？
谢谢你。

I will create for example @SecurityCheck annotation, annotate every method which has limited access and perform check only in a single place. Is it possible to achieve with annotations and can MVCE be provided? Thank you.

推荐答案

如果您使用的是JAX-RS 2.0，你可以注入的 ResourceInfo中 成 ContainerRequestFilter ，然后从获得 java.lang.reflect.Method中。从方法，你可以得到诠释。例如：

If you are using JAX-RS 2.0, you can inject ResourceInfo into a ContainerRequestFilter, then get the java.lang.reflect.Method from the. From the Method, you can get the annotation. For example

@Provider
@Priority(Priorities.AUTHENTICATION)
public class SecurityFilter implements ContainerRequestFilter {

    @Context
    private ResourceInfo resourceInfo;

    // You can get the header from the `requestContext`
    @Override
    public void filter(ContainerRequestContext requestContext) {
        Method resourceMethod = resourceInfo.getResourceMethod();
        SecurityCheck annotation = resourceMethod.getAnnotation(SecurityCheck.class);
        // get some value from annotation

        if (notAllowedAccess) {
            throw new WebApplicationException(403);
        }
    }
}

这（在 ResourceInfo中）只需要但如果你需要从注释获得一些价值，如 @SecurityCheck（SomeRoleAllowed） 。

This (the ResourceInfo) is only necessary though if you need to get some value from the annotation, like @SecurityCheck("SomeRoleAllowed").

如果你并不需要的价值，你想要的是一个待过滤注解的任何方法，那么你可以创建一个 DynamicFeature ，在那里你每个绑定方法将一个过滤器。例如：

If you don't need the value, and all you want is for any method annotated to be filtered, then you can either create a DynamicFeature, where you bind each method to a filter. For example

@Provider
public class SecurityCheckDynamicFeature implements DynamicFeature {
    @Override
    public void configure(ResourceInfo info, FeatureContext context) {
        Method method = info.getResourceMethod();
        SecurityCheck annotation = method.getAnnotation(SecurityCheck.class);
        if (annotation != null) {
            context.register(SecurityFilter.class);
        }
    }
}

或者另一种方式是只使用 @NameBinding 在自定义注解

@NameBinding
@Target(...)
@Retention
public @interface SecurityCheck {}

然后你需要与注释也注释 SecurityFilter类类。注释任何方法或类会通过过滤器。

Then you need to annotate the SecurityFilter class with the annotation also. Any method or class annotated will go through the filter.

其他资源：

• 过滤器和拦截器

• Filters and Interceptors

这篇关于我可以自定义注释到JAX-RS方法来验证访问？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！