Dropwizard customAuthorizationFilter 与 DynamicFeature [英] Dropwizard customAuthorizationFilter with DynamicFeature

问题描述

我已按照以下链接中 pandadb 的回答中给出的所有步骤进行操作如何使用自定义 Dropwizard 过滤器选择性地保护资源

I have followed all the steps given in Answer by pandadb in below link How to Optionally Protect a Resource with Custom Dropwizard Filter

我将自定义注释添加到资源方法中，但未调用自定义授权过滤器.

I added my custom annotaion to the resource method but the custom authorisation filter is not being called.

谁能告诉我我可能错过了什么.

can anyone tell me what i might have missed.

更新:- 我使用 java8 使用 dropwizard 1.0 并使用 maven 构建应用程序.

Update:- I am using dropwizard 1.0 using java8 and building the app using maven.

推荐答案

首先检查 这个 Dropwizard 功能示例 和 Dropwizard 授权.然后请提供更多详细信息，您已完成的操作以及您使用的 Dropwizard 版本.

First of all check this Dropwizard Feature example and Dropwizard Authorization. Then please provide more details, what you have done already and what Dropwizard Version you are using.

毕竟我必须猜测，你已经做了什么......

After all I have to guess, what you have done already...

您已创建自定义授权方?

You have create your custom authorizer?

public class YourCustomAuthorizer implements Authorizer<User> {
    @Override
    public boolean authorize(User user, String role) {
        return user.getName().equals("good-guy") && role.equals("ADMIN");
    }
}

您对资源进行了注释吗?

You have annotated your resource?

@RolesAllowed("ADMIN")
@GET
public SecretPlan getSecretPlan() {
    return dao.findPlanForUser(user);
}

您在应用程序运行方法中注册了身份验证和授权类?

You registered the authentication and authorization classes in your application run method?

@Override
public void run(ExampleConfiguration configuration,
                Environment environment) {
    environment.jersey().register(new AuthDynamicFeature(
            new BasicCredentialAuthFilter.Builder<User>()
                .setAuthenticator(new YourCustomAuthenticator())
                .setAuthorizer(new YourCustomAuthorizer())
                .setRealm("SUPER SECRET STUFF")
                .buildAuthFilter()));
    environment.jersey().register(RolesAllowedDynamicFeature.class);
    //If you want to use @Auth to inject a custom Principal type into your resource
    environment.jersey().register(new AuthValueFactoryProvider.Binder<>(User.class));
}

如果您已经这样做了，它应该可以工作，如果您的身份验证之前已经完成并且没问题.如果你想在没有认证/授权的情况下授权所有的GETS，并且只为经过身份验证的用户授权POST，你可以这样做:

If you have done this, it should work, if your authentication is done before and is ok. If you want to authorize all GETS without authentication/autorization and authorize only POSTs for authenticated users, you can do this:

// do not add any annotations here and all users without authentication can do this GET @RolesAllowed("ADMIN")
// do not use '@Auth User user' in method params and do not annotate this method with '@Auth' if you want non authenticated users to do the GET
@GET
public SecretPlan getSecretPlan() {
    return dao.findPlanForUser(user);
}

//here just authorized useras can do HTTP POSTs
@RolesAllowed("ADMIN")
@GET
public SecretPlan postSecretPlan() {
    return dao.findPlanForUser(user);
}

我过去遇到的另一个问题是，我使用 ANT 和 IVY 而不是使用 Maven 构建我的应用程序.如果操作不当，这可能会导致多个问题.

Another problem I had in past, was that I build my application with ANT and IVY and not with Maven. This can cause several problems, if doing it wrong.

如果您的问题没有解决，请提供比它不起作用，请帮助"更多的信息.*

If your problem is not solved, please provide more informations than "It does not work, please help".*

这篇关于Dropwizard customAuthorizationFilter 与 DynamicFeature的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！