我可以使用@RolesAllowed上的Apache CXF实现REST风格的资源? [英] Can I use @RolesAllowed on RESTful Resources implemented on Apache CXF?
问题描述
结果我的问题是
我可以用@RolesAllowed上CXF实现REST风格的资源?
首先,我解释的背景下造成这个问题。结果
我在一些项目中,开发商必须重新制作一些网络系统的一部分到 REST风格的工作
WEB Apis.This present系统具有通过<建立服务器系统code>春和休眠
。而其作为UI客户端应用程序是由动作
通过开发 Flex框架
。结果
现在我测量的正确方法来设计和改造我们的present系统进入 RESTful API中
通过阅读一些文件,或开发一些prototypes.So,我们暂时决定使用 Apache的CXF ver.2.7.4
为 JAX-RS
实施和 TOMCAT版本7
为Web应用程序容器。结果
结果然后,我挣扎了用户授权的现在的方式。
如你所知,我的意思是字'授权'
作为限制某些用户一些控制机制,根据用户的卷筒状访问功能 ROLE_ADMIN
, ROLL_EMPLOYEE
等on.And我们的团队希望利用 @RolesAllowed
注释来限制用户访问一些REST风格的方法 REST
资源类。结果
通过调查,我知道我们可以使用 @RolesAllowed
注释如果我们使用泽西
为 JAX -RS
imple和Tomcat,因为泽西框架提供搜索
First of all, I explain the context causing this question.
I'm working at some projects in which developers have to remake one part of the some web systems into RESTful
WEB Apis.This present system has server system built by Spring
and Hibernate
. And its client application as UI is developed by ActionScript
through
FLEX framework
.
Now I'm surveying the proper way to design and remake our present system into RESTful APIs
through reading some documents or develop some prototypes.So, we temporarily decided to use Apache-CXF ver.2.7.4
as JAX-RS
implementation and TOMCAT ver.7
as Web applications container.
Then, I am struggling for the way of user authorizations now.
As you know, I mean the word 'Authorization'
as some control mechanism that constrain some users to access functions according to user's roll like ROLE_ADMIN
, ROLL_EMPLOYEE
and so on.And our team wants to use @RolesAllowed
annotation to constrain user to access some RESTful methods in REST
resource classes.
Through surveying, I knew that we can use @RolesAllowed
annotation if we use Jersey
as JAX-RS
imple and TOMCAT, because Jersey framework provides
<一个href=\"https://jersey.java.net/nonav/apidocs/1.1.1-ea/jersey/com/sun/jersey/api/container/filter/RolesAllowedResourceFilterFactory.html\"相对=nofollow>
com.sun.jersey.api.container.filter.RolesAllowedResourceFilterFactory
结果
为开发者加入web.xml中的下列行激活@RolesAllowed批注
结果
com.sun.jersey.api.container.filter.RolesAllowedResourceFilterFactory
for developers to activate @RolesAllowed annotation by adding following lines in web.xml
<init-param>
<param-name>com.sun.jersey.spi.container.ResourceFilters</param-name>
<param-value>
com.sun.jersey.api.container.filter.RolesAllowedResourceFilterFactory
</param-value>
</init-param>
作为球衣的ServletContainer的初始化参数。
as init-param of jersey's ServletContainer.
但是,我们的团队已经决定的Apache CXF
作为JAX-RS imple.I've已经调查了CXF网站Web文档的安全性和授权的部分。但我无法得到解决或如何使用 @RolesAllowed
上的RESTful资源的方法。
But our team has decided Apache CXF
as JAX-RS imple.I've already surveyed the security and authorization parts of web documents in CXF site. But I couldn’t get solutions or how to use @RolesAllowed
on RESTful resource methods.
所以,如果你知道的Apache CXF
和实施了基于REST的资源需求或如何使用 @RolesAllowed
TOMCAT
,教我说,please.Or如果你可以明确得出结论,我们不能使用 @RolesAllowed
在框架的选择的的Apache CXF
和 TOMCAT
,请教我这个结论的背景知识。
So If you know the requirements or how to use @RolesAllowed
on RESTful resource implemented on Apache CXF
and TOMCAT
, teach me that, please.Or if you can definitively conclude that we can't use @RolesAllowed
in frameworks choice of Apache CXF
and TOMCAT
, please teach me the background knowledge of that conclusion.
此外,我想我可以使用 @RolesAllowed
在REST资源由 CXF
在 JBOSS
为应用服务器,而不是在 TOMCAT
。这是假设是真的吗?我很抱歉,我已经没有作出试验,使用 JBOSS
而不是TOMCAT。
Additionally, I suppose that I can use @RolesAllowed
in REST resource by CXF
on JBOSS
as app server, not on TOMCAT
. Is this assumption true ? I'm sorry that I've not made a trial to use JBOSS
instead of TOMCAT.
最好的问候。
推荐答案
是的,这是可以做到。我会假设你(像我)不想使用Spring Security的解决方案(以处理身份验证和授权),因为有似乎是丰富的资源上如何启用JSR-250注解使用Spring Security的一部分。
Yes, this can be done. I'll assume that you (like me) did not want to use Spring Security as part of the solution (to handle authentication and authorization) since there is seem to be plenty of resources on how to enable the JSR-250 annotations with Spring Security.
我的解决方案开始从CXF提供的原型项目构建了一个简单的JAX-RS项目org.apache.cxf.archetype:CXF-JAXRS服务:2.7.5
(介绍最新写作GAV @时间)。
My solution began with a simple JAX-RS project built from the CXF-supplied Archetype Project org.apache.cxf.archetype:cxf-jaxrs-service:2.7.5
(lastest GAV @ time of writing).
这给你一个基本的的HelloWorld
类支持配置文件。
This gives you a basic HelloWorld
class with supporting config files.
一些修改需要做。
首先,添加以下相关的的pom.xml
:
First, add the following dependencies to the pom.xml
:
<dependency>
<groupId>javax.annotation</groupId>
<artifactId>jsr250-api</artifactId>
<version>1.0</version>
</dependency>
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>javax.servlet-api</artifactId>
<version>3.0.1</version>
<scope>provided</scope>
</dependency>
为什么呢?因为Tomcat是不是一个完整的J2EE容器,它不支持所有的JSR-250注解(其中 @RolesAllowed
就是其中之一)。此外,虽然CXF识别和将与 @RolesAllowed
工作,它没有捆绑一实现中,期望它通过任J2EE容器或API的如上述的夹杂物被提供
Why? Because Tomcat is not a full J2EE Container, it does not support all JSR-250 Annotations (of which @RolesAllowed
is one). Further, although CXF recognizes and will work with @RolesAllowed
, it does not bundle an implementation, expecting it to be provided by either a J2EE container or the inclusion of the api as above.
的的servlet-API
上市,因为我需要它@编译时间,我加入 HellowWorld.java
(见下文)。
The servlet-api
is listed because I needed it @ compile time for a method I add to HellowWorld.java
(see below).
二,修改的beans.xml
如下:
<bean class="my.pkg.HelloWorld" id="helloWorldService"/>
<jaxrs:serviceBeans>
<ref bean="helloWorldService"/>
</jaxrs:serviceBeans>
<bean id="authorizationInterceptor"
class="org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor">
<property name="securedObject" ref="helloWorldService" />
</bean>
的 SecureAnnotationsInterceptor
是将扫描的HelloWorldService
和实施 @RolesAllowed
注释。
The SecureAnnotationsInterceptor
is what will scan the helloWorldService
and enforce the @RolesAllowed
annotations.
请注意,的HelloWorldService
不得不拔出的&LT; JAXRS:serviceBeans&GT;
节,以便它可以在那里同时参照,并在 authorizationInterceptor
。
Note that the helloWorldService
had to be pulled out of the <jaxrs:serviceBeans>
stanza so it could be referenced both there and in the authorizationInterceptor
.
三,加入一些角色和用户的tomcat-users.xml中
或替代(如JDBC领域,等等。)我这样做:
Third, add some roles and users to tomcat-users.xml
or alternative (eg. JDBC Realm, etc.) I did this:
<role rolename="hello-user" />
<role rolename="hello-role1"/>
<role rolename="hello-role2" />
<user username="hello1" password="Password1" roles="hello-role1,hello-user"/>
<user username="hello2" password="Password1" roles="hello-role2,hello-user"/>
这将创建2用户谁都有一个共同的作用( HELLO-用户
),加上自己独特的作用。
This creates 2 users who each have a shared role (hello-user
) plus their own distinct role.
四,添加以下的web.xml
启用基本
验证:
Fourth, add the following to web.xml
to enable BASIC
authentication:
<security-constraint>
<web-resource-collection>
<web-resource-name>Hello Services</web-resource-name>
<url-pattern>/hello/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>hello-user</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>default</realm-name>
</login-config>
有了这个,我决定要求在 /角色
。这不是必需的,但要注意,我确实有一些问题,去掉了一些节,通配符和角色......所以小心在这里进行试验。 HELLO-用户
的一切你好/ *
With this, I decided to require the role hello-user
for everything under /hello/*
. That's not essential, but beware that I did have some issues omitting some of the stanzas, wildcards and roles... so experiment with care here.
第五(最后),标记的 HelloWorld.java
类:
Fifthly (and finally), mark up the HelloWorld.java
class:
@Path("/hello")
@RolesAllowed("hello-user")
public class HelloWorld {
@GET
@Path("/echo/{input}")
@Produces("text/plain")
@RolesAllowed("hello-role1")
public String ping(@PathParam("input") String input) {
return input;
}
@POST
@Produces("application/json")
@Consumes("application/json")
@Path("/jsonBean")
@RolesAllowed("hello-role2")
public Response modifyJson(JsonBean input) {
input.setVal2(input.getVal1());
return Response.ok().entity(input).build();
}
@GET
@Produces("text/plain")
@Path("/cliche")
public Response getClichedMessage(@Context HttpServletRequest request) {
return Response.
ok().
entity("Sending \"Hello World\" to user \"" + request.getUserPrincipal().getName() + "\"").
build();
}
}
我加了最后一个方法( getClichedMessage()
)表明,因为他们有两个用户可以访问方法 HELLO-用户
角色与该类注解。在 SecureAnnotationsInterceptor
是足够聪明,处理这个问题。
I added the last method (getClichedMessage()
) to show that both users can access the method because they have the hello-user
role with which the class is annotated. The SecureAnnotationsInterceptor
is smart enough to handle that.
这就是全部。在我看来,这是只使用Tomcat的,CXF和BASIC authenitcation的STTCPW。对于CXF + @RolesAllowed
的关键是 SecureAnnotationsInterceptor
。
That's all. Seems to me, this is the STTCPW using just Tomcat, CXF and BASIC authenitcation. The key for the CXF + @RolesAllowed
is the SecureAnnotationsInterceptor
.
更新:我应该承认,转换新泽西REST的例子到Apache CXF 特别有帮助,特别是对指出其连接到 @RolesAllowed
未在其他地方记录的SecureAnnotationsInterceptor。
Update: I should acknowledge that Converting Jersey REST Examples to Apache CXF was particularly helpful, especially for pointing out the SecureAnnotationsInterceptor whose connection to @RolesAllowed
is not well documented elsewhere.
更新2 :泽西-CXF博客条目似乎并不被迁移到 gmazza
的新博客。但是,我用了例子是在github 一>。它包含一个<一href=\"https://github.com/gmazza/jersey-samples-on-cxf/blob/master/https-server-glassfish/src/main/webapp/WEB-INF/beans.xml\"相对=nofollow>与 SecureAnnotationsInterceptor
定义和配置文件中的<一个href=\"https://github.com/gmazza/jersey-samples-on-cxf/blob/master/https-server-glassfish/src/main/java/com/sun/jersey/samples/https_glassfish/resources/HelloWorldResource.java\"相对=nofollow>豆与 @RolesAllowed
注释
Update 2: The Jersey-CXF blog entry doesn't seem be migrated to gmazza
's new blog. However, the example I used is on github. It contains a config file with SecureAnnotationsInterceptor
definition and a bean with @RolesAllowed
annotation
这篇关于我可以使用@RolesAllowed上的Apache CXF实现REST风格的资源?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!