授权与RolesAllowedDynamicFeature和泽西 [英] Authorization with RolesAllowedDynamicFeature and Jersey
问题描述
我想用JAX-RS过滤器似乎什么工作至今,以验证用户身份。这是我设置一个新的SecurityContext过滤器:
I'm trying to authenticate users with a JAX-RS filter what seems to work so far. This is the filter where I'm setting a new SecurityContext:
@Provider
public class AuthenticationFilter implements ContainerRequestFilter {
@Override
public void filter(final ContainerRequestContext requestContext) throws IOException {
requestContext.setSecurityContext(new SecurityContext() {
@Override
public Principal getUserPrincipal() {
return new Principal() {
@Override
public String getName() {
return "Joe";
}
};
}
@Override
public boolean isUserInRole(String string) {
return false;
}
@Override
public boolean isSecure() {
return requestContext.getSecurityContext().isSecure();
}
@Override
public String getAuthenticationScheme() {
return requestContext.getSecurityContext().getAuthenticationScheme();
}
});
if (!isAuthenticated(requestContext)) {
requestContext.abortWith(
Response.status(Status.UNAUTHORIZED)
.header(HttpHeaders.WWW_AUTHENTICATE, "Basic realm=\"Example\"")
.entity("Login required.").build());
}
}
private boolean isAuthenticated(final ContainerRequestContext requestContext) {
return requestContext.getHeaderString("authorization") != null; // simplified
}
}
该资源的方法是这样的:
The resource method looks like this:
@GET
// @RolesAllowed("user")
public Viewable get(@Context SecurityContext context) {
System.out.println(context.getUserPrincipal().getName());
System.out.println(context.isUserInRole("user"));
return new Viewable("index");
}
该RolesAllowedDynamicFeature注册这样的:
The RolesAllowedDynamicFeature is registered like this:
.register(RolesAllowedDynamicFeature.class)
我可以看到控制台上的预期产出。但是,如果我取消注释 @RolesAllowed(用户)
,我收到了禁止
错误和我的SecurityContext的的isUserInRole
方法不会被调用。继<一个href=\"https://jersey.java.net/nonav/apidocs/snapshot/jersey/org/glassfish/jersey/server/filter/RolesAllowedDynamicFeature.html\"相对=nofollow> API文档 RolesAllowedDynamicFeature应该调用此方法。
I can see the expected outputs on the console. But if I uncomment @RolesAllowed("user")
, I get a Forbidden
error and the isUserInRole
method of my SecurityContext is never called. Following the API doc RolesAllowedDynamicFeature should call this method.
我如何使用RolesAllowedDynamicFeature?
How can I use RolesAllowedDynamicFeature?
推荐答案
您需要定义身份验证过滤器的优先级,否则 RolesAllowedRequestFilter
在 RolesAllowedDynamicFeature
将在你的 AuthenticationFilter
执行。如果你看一下源$ C $ c时, RolesAllowedRequestFilter
有批注 @priority(Priorities.AUTHORIZATION)
,因此,如果您分配 @priority(Priorities.AUTHENTICATION)
来您的身份验证过滤器会在 RolesAllowedRequestFilter
执行。像这样的:
You need to define a priority for your authentication filter, otherwise the RolesAllowedRequestFilter
in RolesAllowedDynamicFeature
will be executed before your AuthenticationFilter
. If you look at the source code, the RolesAllowedRequestFilter
has the annotation @Priority(Priorities.AUTHORIZATION)
, so if you assign @Priority(Priorities.AUTHENTICATION)
to your authentication filter it will be executed before the RolesAllowedRequestFilter
. Like this:
@Provider
@Priority(Priorities.AUTHENTICATION)
public class AuthenticationFilter implements ContainerRequestFilter {
您可能还需要实际注册 AuthenticationFilter
使用寄存器(AuthenticationFilter.class)
,这取决于您是否服务器扫描注释或没有。
You might also need to actually register the AuthenticationFilter
using register(AuthenticationFilter.class)
, depending on if your server scans for annotations or not.
这篇关于授权与RolesAllowedDynamicFeature和泽西的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!