Jersey 2.x Security context does not work?


Problem description

While I am trying to create a Java Jersey application, authentication roles do not work for me.

Java code:-

package org.student.resource;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.ext.Provider;

@Path("/resource")
@PermitAll 
public class Resource {
@GET
public String get(){
    return "GET";
}

@RolesAllowed("admin")
@POST
public String post(){
    return "Post content.";
}

}

Deployment descriptor:-

<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://xmlns.jcp.org/xml/ns/javaee"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
id="WebApp_ID" version="3.1">
<display-name>JerseyAuthentication</display-name>
<servlet>
    <servlet-name>Application</servlet-name>
    <servlet-class>org.glassfish.jersey.servlet.ServletContainer</servlet-class>
</servlet>
<servlet-mapping>
    <servlet-name>Application</servlet-name>
    <url-pattern>/*</url-pattern>
</servlet-mapping>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Resource</web-resource-name>
        <url-pattern>/resource/*</url-pattern>
        <http-method>GET</http-method>
    </web-resource-collection>
</security-constraint>
<welcome-file-list>
    <welcome-file>login.html</welcome-file>
</welcome-file-list>
 </web-app>

Headers:-

Cache-Control →private
Content-Language →en
Content-Length →1010
Content-Type →text/html;charset=utf-8
Date →Sat, 19 Sep 2015 08:14:18 GMT
Expires →Thu, 01 Jan 1970 05:30:00 IST
Server →Apache-Coyote/1.1

Kindly someone help me to do this. I want to know how to assign roles to resources.

Recommended answer

So you need to do three things.

Set up the security realm in Tomcat (I'm assuming that's the server by Server →Apache-Coyote/1.1). You can read more about creating realms at Realm Configuration HOW-TO.

The easiest realm to configure is the UserDatabaseRealm, but this is in no way recommended for production. It's just to get you up and running in development. All you need to do is go to the tomcat-users.xml file in ${TOMCAT_HOME}/conf. Then just edit the file; it should look something like

<tomcat-users>
  <user username="Murugesan" password="secret" roles="admin" />
  <user username="peeskillet"  password="superSecret" roles="user"  />
</tomcat-users>

Second..

You still need to configure the web.xml a bit. You need to do a few things

  1. Declare the roles that are allowed to use the application. You can put this after the </security-constraint>

<security-role>
    <role-name>user</role-name>
</security-role>
<security-role>
    <role-name>admin</role-name>
</security-role>

  2. Declare who is allowed access in the <security-constraint>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Protected Area</web-resource-name>
            <url-pattern>/api/protected/*</url-pattern>
            <http-method>GET</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>*</role-name>
        </auth-constraint>
    </security-constraint>
    

    Here we are saying that any authenticated user (*) with one of the declared roles is allowed through the servlet container security control on through to the Jersey application. Alternatively you can define the roles instead of *. This will cause the servlet container to handle the access control. But if you want more fine-grained control, just let all authenticated users in, and handle the access control inside Jersey with the annotations like you are currently doing.

    You need to define the <login-config> to declare what type of authentication. There are only three. FORM, DIGEST, BASIC. Here we will use BASIC, and also declare the realm in which the users are located.

    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>UserDatabaseRealm</realm-name>
    </login-config>
    

    You can put this after the </security-role>

Lastly..

You just need to configure Jersey to handle the security annotations by registering the RolesAllowedDynamicFeature. You can do that in the web.xml

    <servlet>
        <servlet-name>Application</servlet-name>
        <servlet-class>org.glassfish.jersey.servlet.ServletContainer</servlet-class>
        <init-param>
            <param-name>jersey.config.server.provider.packages</param-name>
            <param-value>org.student.resource</param-value>
        </init-param>
        <init-param>
            <param-name>jersey.config.server.provider.classnames</param-name>
            <param-value>
                org.glassfish.jersey.server.filter.RolesAllowedDynamicFeature
            </param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>
    

See Also:

  • Securing Web Applications for more information on configuring security in the web.xml