How to Optionally Protect a Resource with Custom Dropwizard Filter


Question

I'm using Dropwizard 0.9.2 and I want to create a resource that requires no authentication for GET and requires basic authentication for POST.

I have tried

@Path("/protectedPing")
@Produces(MediaType.TEXT_PLAIN)
public class ProtectedPing {

    @GET
    public String everybody() {
        return "pingpong";
    }

    @PermitAll
    @POST
    public String authenticated() {
        return "secret pingpong";
    }
}

// Registration code (uses the Dropwizard environment)
CachingAuthenticator<BasicCredentials, User> ca =
        new CachingAuthenticator<>(environment.metrics(), ldapAuthenticator, cbSpec);
AdminAuthorizer authorizer = new AdminAuthorizer();
BasicCredentialAuthFilter<User> bcaf = new BasicCredentialAuthFilter.Builder<User>()
        .setAuthenticator(ca)
        .setRealm("test-oauth")
        .setAuthorizer(authorizer)
        .buildAuthFilter();
environment.jersey().register(bcaf);
environment.jersey().register(RolesAllowedDynamicFeature.class);
environment.jersey().register(new AuthValueFactoryProvider.Binder<>(User.class));
environment.jersey().register(new ProtectedPing());

This seems to result in all requests to "/protectedPing" requiring basic auth.

In Dropwizard 0.9.2 the documentation says to create a custom filter if I have a resource that is optionally protected. I'm assuming I need to do that, but I don't know where to start, or if that is what I actually need to do.

Recommended answer

This is more of a Jersey problem than a Dropwizard problem. You can have a look here: https://jersey.java.net/documentation/latest/filters-and-interceptors.html

Basically what you want is:


  1. Create an annotation that indicates that you want to test for authentication (e.g. @AuthenticatePost)

  2. Create the resource and annotate the correct method with @AuthenticatePost

  3. Create your authentication filter (probably kind of like what you did above).

  4. In the dynamic feature, test for the annotation to be present on the passed-in resource. This will hold true for post, false for get. Then register the AuthenticationFilter directly on the resource method instead of globally on the resource.

This would be a semi-complete example of how I would solve this:

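import java.io.IOException;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.DynamicFeature;
import javax.ws.rs.container.ResourceInfo;
import javax.ws.rs.core.FeatureContext;

public class MyDynamicFeature implements DynamicFeature {

    @Override
    public void configure(ResourceInfo resourceInfo, FeatureContext context) {
        // Register the filter only for resource methods that carry @AuthenticateMe
        if (resourceInfo.getResourceMethod().getAnnotation(AuthenticateMe.class) != null) {
            context.register(MyAuthFilter.class);
        }
    }

    // static, so Jersey can instantiate it without an enclosing MyDynamicFeature instance
    public static class MyAuthFilter implements ContainerRequestFilter {

        @Override
        public void filter(ContainerRequestContext requestContext) throws IOException {
            // do authentication here
        }

    }

    // RUNTIME retention is required for getAnnotation() in configure() to see the annotation
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    public @interface AuthenticateMe {

    }

    @Path("myPath")
    public static class MyResource {

        @GET
        public String get() {
            return "get-method";
        }

        @POST
        @AuthenticateMe
        public String post() {
            return "post-method";
        }
    }
}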

Note, the DynamicFeature checks that the Authenticate Annotation is present, before registering the authentication with the feature context.

I hope that helps,

Let me know if you have any questions.
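
One way to fill in the `// do authentication here` body from the answer above, as an added example that is not part of the original answer. The class name `BasicAuthFilterExample` and the demo credentials are hypothetical placeholders, and `java.util.Base64` assumes Java 8; a real service would delegate the check to its own authenticator.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;

// Added example (hypothetical class): fail-closed Basic auth for methods picked by the DynamicFeature.
@Priority(Priorities.AUTHENTICATION)
public class BasicAuthFilterExample implements ContainerRequestFilter {

    // Constructed placeholder credentials; replace with a call to the real authenticator (e.g. LDAP).
    private static final String DEMO_USER = "demo-user";
    private static final byte[] DEMO_PASSWORD = "demo-password".getBytes(StandardCharsets.UTF_8);

    @Override
    public void filter(ContainerRequestContext ctx) throws IOException {
        if (!isAuthorized(ctx.getHeaderString(HttpHeaders.AUTHORIZATION))) {
            // Stop the request before it reaches the resource method and send a challenge.
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                    .header(HttpHeaders.WWW_AUTHENTICATE, "Basic realm=\"example\"")
                    .build());
        }
    }

    // Returns true only for a well-formed "Basic <base64(user:password)>" header that matches.
    static boolean isAuthorized(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            return false; // missing header or a different scheme
        }
        final String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(header.substring(6).trim()),
                    StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return false; // not valid Base64
        }
        int colon = decoded.indexOf(':'); // split on the first ':'; the password may contain more
        if (colon < 0) {
            return false; // no user:password separator
        }
        byte[] password = decoded.substring(colon + 1).getBytes(StandardCharsets.UTF_8);
        // MessageDigest.isEqual does not return early at the first differing byte.
        return DEMO_USER.equals(decoded.substring(0, colon))
                && MessageDigest.isEqual(DEMO_PASSWORD, password);
    }
}
```

Registering this class from the dynamic feature in place of `MyAuthFilter` leaves the GET method open and rejects unauthenticated POST requests with a 401 challenge.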
