Authorization with RolesAllowedDynamicFeature and Jersey


Question


I'm trying to authenticate users with a JAX-RS filter what seems to work so far. This is the filter where I'm setting a new SecurityContext:

import java.io.IOException;
import java.security.Principal;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.Response.Status;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;

@Provider
public class AuthenticationFilter implements ContainerRequestFilter {

  @Override
  public void filter(final ContainerRequestContext requestContext) throws IOException {

    // Keep a handle on the container's original SecurityContext: once
    // setSecurityContext() below has run, requestContext.getSecurityContext()
    // returns the new context, so delegating to it from inside isSecure() or
    // getAuthenticationScheme() would call the method itself and recurse forever.
    final SecurityContext original = requestContext.getSecurityContext();

    requestContext.setSecurityContext(new SecurityContext() {
      @Override
      public Principal getUserPrincipal() {
        return new Principal() {
          @Override
          public String getName() {
            return "Joe";
          }
        };
      }

      @Override
      public boolean isUserInRole(String string) {
        return false; // placeholder: no roles are granted yet, so any @RolesAllowed check fails
      }

      @Override
      public boolean isSecure() {
        return original.isSecure();
      }

      @Override
      public String getAuthenticationScheme() {
        return original.getAuthenticationScheme();
      }
    });

    if (!isAuthenticated(requestContext)) {
      requestContext.abortWith(
              Response.status(Status.UNAUTHORIZED)
              .header(HttpHeaders.WWW_AUTHENTICATE, "Basic realm=\"Example\"")
              .entity("Login required.").build());
    }
  }

  private boolean isAuthenticated(final ContainerRequestContext requestContext) {
    return requestContext.getHeaderString("authorization") != null; // simplified
  }
}


The resource method looks like this:

// Enclosing resource class assumed around the method (IndexResource is a placeholder name)
@Path("/")
public class IndexResource {
  @GET
  // @RolesAllowed("user")
  public Viewable get(@Context SecurityContext context) {
    System.out.println(context.getUserPrincipal().getName());
    System.out.println(context.isUserInRole("user")); // false with the filter above
    return new Viewable("index");
  }
}


The RolesAllowedDynamicFeature is registered like this:

.register(RolesAllowedDynamicFeature.class)

I can see the expected outputs on the console. But if I uncomment @RolesAllowed("user"), I get a Forbidden error and the isUserInRole method of my SecurityContext is never called. Following the API doc (https://jersey.java.net/nonav/apidocs/snapshot/jersey/org/glassfish/jersey/server/filter/RolesAllowedDynamicFeature.html) RolesAllowedDynamicFeature should call this method.


How can I use RolesAllowedDynamicFeature?

Answer


You need to define a priority for your authentication filter, otherwise the RolesAllowedRequestFilter in RolesAllowedDynamicFeature will be executed before your AuthenticationFilter. If you look at the source code, the RolesAllowedRequestFilter has the annotation @Priority(Priorities.AUTHORIZATION), so if you assign @Priority(Priorities.AUTHENTICATION) to your authentication filter it will be executed before the RolesAllowedRequestFilter. Like this:

import javax.annotation.Priority;
import javax.ws.rs.Priorities;

@Provider
@Priority(Priorities.AUTHENTICATION) // lower value than Priorities.AUTHORIZATION, so this filter runs first
public class AuthenticationFilter implements ContainerRequestFilter {


You might also need to actually register the AuthenticationFilter using register(AuthenticationFilter.class), depending on whether your server scans for annotations or not.

