How to use my authentication filter with Websocket for Cometd deployed in Jetty?
Problem description
I am using Cometd 3.0.1 with jetty 9.2.3 using JSR 356 based websocket implementation (and not jetty's own websocket implementation).
I have added some auth filters which basically ask for authentication headers from request. But as websocket upgrade happen as a part of websocketupgrade filter, is there a way to make authentication work here?
Recommended answer
Authenticating via a Filter is the wrong way to accomplish authentication.
The correct solution:
The servlet spec expects you to set up and configure the authentication and authorization layers of your application using the servlet techniques of both the container and the application metadata (WEB-INF/web.xml).
This means you set up the container-side security, either using the Jetty container specific LoginService, or using a JAAS spec configuration. Then you reference your security realms in your WEB-INF/web.xml and use them. If you have something custom, then you can hook into the LoginService of your choice (even a custom one) and manage it accordingly.
JAAS and LoginService Authentication and Authorization is applied before all filters and servlets.
In this scenario, you'll have access to the authentication information during the upgrade process, in particular during the ServerEndpointConfig.Configurator.modifyHandshake().
The ugly hack solution:
Add the org.eclipse.jetty.websocket.server.WebSocketUpgradeFilter to your WEB-INF/web.xml manually.
This then leaves it up to you to attempt to get your authentication filter to exist before this WebSocketUpgradeFilter in 100% of use cases.
Caution: filter execution ordering is not part of the servlet spec. Be careful with this, as it might seem to be working on your dev machine and then suddenly not work in QA or production. Simply because the Set of filters in the metadata will have a different order in it.
Notes:
- Path Spec must be /*
- Async Supported must be true
- Dispatcher Types must be REQUEST only.
- Do not set the contextAttributeKey for that filter
- All other WebSocketUpgradeFilter init-params are invalid for JSR-356 use (they are overridden by the various JSR-356 endpoint configurations)
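The correct solution described in the answer, as an added example (not code from the original answer, CometD or Jetty): a JSR 356 configurator sees the container-authenticated principal in modifyHandshake(), and the endpoint enforces it when the session opens. The endpoint path, the class names and the role name "user" are assumptions, and wiring a configurator into CometD's own WebSocket transport is not shown.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.logging.Logger;
import javax.websocket.CloseReason;
import javax.websocket.HandshakeResponse;
import javax.websocket.OnOpen;
import javax.websocket.Session;
import javax.websocket.server.HandshakeRequest;
import javax.websocket.server.ServerEndpoint;
import javax.websocket.server.ServerEndpointConfig;

// Hypothetical endpoint: the path "/secured" and all class names are assumptions.
@ServerEndpoint(value = "/secured", configurator = SecuredEndpoint.AuthConfigurator.class)
public class SecuredEndpoint {
    private static final Logger LOG = Logger.getLogger(SecuredEndpoint.class.getName());
    private static final String REQUIRED_ROLE = "user"; // assumed role name

    public static class AuthConfigurator extends ServerEndpointConfig.Configurator {
        @Override
        public void modifyHandshake(ServerEndpointConfig config,
                                    HandshakeRequest request,
                                    HandshakeResponse response) {
            // The principal is populated by the container security layer
            // (LoginService or JAAS, referenced from WEB-INF/web.xml), which
            // runs before any filter, including the WebSocket upgrade.
            Principal user = request.getUserPrincipal();
            boolean inRole = user != null && request.isUserInRole(REQUIRED_ROLE);
            LOG.info("WebSocket handshake for " + request.getRequestURI()
                    + " principal=" + (user == null ? "<none>" : user.getName())
                    + " inRole=" + inRole);
            // Do not stash per-user data in config.getUserProperties(): that map
            // may be shared between connections, depending on the container.
        }
    }

    @OnOpen
    public void onOpen(Session session) throws IOException {
        // Per-connection check: the session carries the authenticated user.
        // A security-constraint on this URL should already block anonymous
        // upgrades; this is a second line of defence if it is misconfigured.
        Principal user = session.getUserPrincipal();
        if (user == null) {
            session.close(new CloseReason(CloseReason.CloseCodes.VIOLATED_POLICY,
                    "authentication required"));
            return;
        }
        LOG.info("WebSocket session " + session.getId() + " opened for " + user.getName());
    }
}
```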