我可以使用@RolesAllowed上的Apache CXF实现REST风格的资源? [英] Can I use @RolesAllowed on RESTful Resources implemented on Apache CXF?
问题描述
结果我的问题是
我可以用@RolesAllowed上CXF实现REST风格的资源?
首先,我解释的背景下造成这个问题。结果
我在一些项目中,开发商必须重新制作一些网络系统的一部分到 REST风格的工作 WEB Apis.This present系统具有通过<建立服务器系统code>春和休眠。而其作为UI客户端应用程序是由动作通过开发 Flex框架。结果
现在我测量的正确方法来设计和改造我们的present系统进入 RESTful API中通过阅读一些文件,或开发一些prototypes.So,我们暂时决定使用 Apache的CXF ver.2.7.4 为 JAX-RS 实施和 TOMCAT版本7 为Web应用程序容器。结果
结果然后,我挣扎了用户授权的现在的方式。
如你所知,我的意思是字'授权'作为限制某些用户一些控制机制,根据用户的卷筒状访问功能 ROLE_ADMIN , ROLL_EMPLOYEE 等on.And我们的团队希望利用 @RolesAllowed 注释来限制用户访问一些REST风格的方法 REST 资源类。结果
通过调查,我知道我们可以使用 @RolesAllowed 注释如果我们使用泽西为 JAX -RS imple和Tomcat,因为泽西框架提供搜索
First of all, I explain the context causing this question.
I'm working at some projects in which developers have to remake one part of the some web systems into RESTful WEB Apis.This present system has server system built by Spring and Hibernate. And its client application as UI is developed by ActionScript through
FLEX framework.
Now I'm surveying the proper way to design and remake our present system into RESTful APIs through reading some documents or develop some prototypes.So, we temporarily decided to use Apache-CXF ver.2.7.4 as JAX-RS implementation and TOMCAT ver.7 as Web applications container.
Then, I am struggling for the way of user authorizations now.
As you know, I mean the word 'Authorization' as some control mechanism that constrain some users to access functions according to user's roll like ROLE_ADMIN, ROLL_EMPLOYEE and so on.And our team wants to use @RolesAllowed annotation to constrain user to access some RESTful methods in REST resource classes.
Through surveying, I knew that we can use @RolesAllowed annotation if we use Jersey as JAX-RS imple and TOMCAT, because Jersey framework provides
<一个href=\"https://jersey.java.net/nonav/apidocs/1.1.1-ea/jersey/com/sun/jersey/api/container/filter/RolesAllowedResourceFilterFactory.html\"相对=nofollow>
com.sun.jersey.api.container.filter.RolesAllowedResourceFilterFactory
结果
为开发者加入web.xml中的下列行激活@RolesAllowed批注
结果
com.sun.jersey.api.container.filter.RolesAllowedResourceFilterFactory
for developers to activate @RolesAllowed annotation by adding following lines in web.xml
<init-param>
<param-name>com.sun.jersey.spi.container.ResourceFilters</param-name>
<param-value>
com.sun.jersey.api.container.filter.RolesAllowedResourceFilterFactory
</param-value>
</init-param>
作为球衣的ServletContainer的初始化参数。
as init-param of jersey's ServletContainer.
但是,我们的团队已经决定的Apache CXF 作为JAX-RS imple.I've已经调查了CXF网站Web文档的安全性和授权的部分。但我无法得到解决或如何使用 @RolesAllowed 上的RESTful资源的方法。
But our team has decided Apache CXF as JAX-RS imple.I've already surveyed the security and authorization parts of web documents in CXF site. But I couldn’t get solutions or how to use @RolesAllowed on RESTful resource methods.
所以,如果你知道的Apache CXF 和实施了基于REST的资源需求或如何使用 @RolesAllowed TOMCAT ,教我说,please.Or如果你可以明确得出结论,我们不能使用 @RolesAllowed 在框架的选择的的Apache CXF 和 TOMCAT ,请教我这个结论的背景知识。
So If you know the requirements or how to use @RolesAllowed on RESTful resource implemented on Apache CXF and TOMCAT, teach me that, please.Or if you can definitively conclude that we can't use @RolesAllowed in frameworks choice of Apache CXF and TOMCAT, please teach me the background knowledge of that conclusion.
此外,我想我可以使用 @RolesAllowed 在REST资源由 CXF 在 JBOSS 为应用服务器,而不是在 TOMCAT 。这是假设是真的吗?我很抱歉,我已经没有作出试验,使用 JBOSS 而不是TOMCAT。
Additionally, I suppose that I can use @RolesAllowed in REST resource by CXF on JBOSS as app server, not on TOMCAT. Is this assumption true ? I'm sorry that I've not made a trial to use JBOSS instead of TOMCAT.
最好的问候。
推荐答案
是的,这是可以做到。我会假设你(像我)不想使用Spring Security的解决方案(以处理身份验证和授权),因为有似乎是丰富的资源上如何启用JSR-250注解使用Spring Security的一部分。
Yes, this can be done. I'll assume that you (like me) did not want to use Spring Security as part of the solution (to handle authentication and authorization) since there is seem to be plenty of resources on how to enable the JSR-250 annotations with Spring Security.
我的解决方案开始从CXF提供的原型项目构建了一个简单的JAX-RS项目org.apache.cxf.archetype:CXF-JAXRS服务:2.7.5 (介绍最新写作GAV @时间)。
My solution began with a simple JAX-RS project built from the CXF-supplied Archetype Project org.apache.cxf.archetype:cxf-jaxrs-service:2.7.5 (lastest GAV @ time of writing).
这给你一个基本的的HelloWorld 类支持配置文件。
This gives you a basic HelloWorld class with supporting config files.
一些修改需要做。
首先,添加以下相关的的pom.xml :
First, add the following dependencies to the pom.xml:
<dependency>
<groupId>javax.annotation</groupId>
<artifactId>jsr250-api</artifactId>
<version>1.0</version>
</dependency>
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>javax.servlet-api</artifactId>
<version>3.0.1</version>
<scope>provided</scope>
</dependency>
为什么呢?因为Tomcat是不是一个完整的J2EE容器,它不支持所有的JSR-250注解(其中 @RolesAllowed 就是其中之一)。此外,虽然CXF识别和将与 @RolesAllowed 工作,它没有捆绑一实现中,期望它通过任J2EE容器或API的如上述的夹杂物被提供
Why? Because Tomcat is not a full J2EE Container, it does not support all JSR-250 Annotations (of which @RolesAllowed is one). Further, although CXF recognizes and will work with @RolesAllowed, it does not bundle an implementation, expecting it to be provided by either a J2EE container or the inclusion of the api as above.
的的servlet-API 上市,因为我需要它@编译时间,我加入 HellowWorld.java (见下文)。
The servlet-api is listed because I needed it @ compile time for a method I add to HellowWorld.java (see below).
二,修改的beans.xml 如下:
<bean class="my.pkg.HelloWorld" id="helloWorldService"/>
<jaxrs:serviceBeans>
<ref bean="helloWorldService"/>
</jaxrs:serviceBeans>
<bean id="authorizationInterceptor"
class="org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor">
<property name="securedObject" ref="helloWorldService" />
</bean>
的 SecureAnnotationsInterceptor 是将扫描的HelloWorldService 和实施 @RolesAllowed 注释。
The SecureAnnotationsInterceptor is what will scan the helloWorldService and enforce the @RolesAllowed annotations.
请注意,的HelloWorldService 不得不拔出的&LT; JAXRS:serviceBeans&GT; 节,以便它可以在那里同时参照,并在 authorizationInterceptor 。
Note that the helloWorldService had to be pulled out of the <jaxrs:serviceBeans> stanza so it could be referenced both there and in the authorizationInterceptor.
三,加入一些角色和用户的tomcat-users.xml中或替代(如JDBC领域,等等。)我这样做:
Third, add some roles and users to tomcat-users.xml or alternative (eg. JDBC Realm, etc.) I did this:
<role rolename="hello-user" />
<role rolename="hello-role1"/>
<role rolename="hello-role2" />
<user username="hello1" password="Password1" roles="hello-role1,hello-user"/>
<user username="hello2" password="Password1" roles="hello-role2,hello-user"/>
这将创建2用户谁都有一个共同的作用( HELLO-用户),加上自己独特的作用。
This creates 2 users who each have a shared role (hello-user) plus their own distinct role.
四,添加以下的web.xml 启用基本验证:
Fourth, add the following to web.xml to enable BASIC authentication:
<security-constraint>
<web-resource-collection>
<web-resource-name>Hello Services</web-resource-name>
<url-pattern>/hello/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>hello-user</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>default</realm-name>
</login-config>
有了这个,我决定要求在 /角色。这不是必需的,但要注意,我确实有一些问题,去掉了一些节,通配符和角色......所以小心在这里进行试验。 HELLO-用户的一切你好/ *
With this, I decided to require the role hello-user for everything under /hello/*. That's not essential, but beware that I did have some issues omitting some of the stanzas, wildcards and roles... so experiment with care here.
第五(最后),标记的 HelloWorld.java 类:
Fifthly (and finally), mark up the HelloWorld.java class:
@Path("/hello")
@RolesAllowed("hello-user")
public class HelloWorld {
@GET
@Path("/echo/{input}")
@Produces("text/plain")
@RolesAllowed("hello-role1")
public String ping(@PathParam("input") String input) {
return input;
}
@POST
@Produces("application/json")
@Consumes("application/json")
@Path("/jsonBean")
@RolesAllowed("hello-role2")
public Response modifyJson(JsonBean input) {
input.setVal2(input.getVal1());
return Response.ok().entity(input).build();
}
@GET
@Produces("text/plain")
@Path("/cliche")
public Response getClichedMessage(@Context HttpServletRequest request) {
return Response.
ok().
entity("Sending \"Hello World\" to user \"" + request.getUserPrincipal().getName() + "\"").
build();
}
}
我加了最后一个方法( getClichedMessage())表明,因为他们有两个用户可以访问方法 HELLO-用户角色与该类注解。在 SecureAnnotationsInterceptor 是足够聪明,处理这个问题。
I added the last method (getClichedMessage()) to show that both users can access the method because they have the hello-user role with which the class is annotated. The SecureAnnotationsInterceptor is smart enough to handle that.
这就是全部。在我看来,这是只使用Tomcat的,CXF和BASIC authenitcation的STTCPW。对于CXF + @RolesAllowed 的关键是 SecureAnnotationsInterceptor 。
That's all. Seems to me, this is the STTCPW using just Tomcat, CXF and BASIC authenitcation. The key for the CXF + @RolesAllowed is the SecureAnnotationsInterceptor.
更新:我应该承认,转换新泽西REST的例子到Apache CXF 特别有帮助,特别是对指出其连接到 @RolesAllowed 未在其他地方记录的SecureAnnotationsInterceptor。
Update: I should acknowledge that Converting Jersey REST Examples to Apache CXF was particularly helpful, especially for pointing out the SecureAnnotationsInterceptor whose connection to @RolesAllowed is not well documented elsewhere.
更新2 :泽西-CXF博客条目似乎并不被迁移到 gmazza 的新博客。但是,我用了例子是在github 。它包含一个<一href=\"https://github.com/gmazza/jersey-samples-on-cxf/blob/master/https-server-glassfish/src/main/webapp/WEB-INF/beans.xml\"相对=nofollow>与 SecureAnnotationsInterceptor 定义和配置文件中的<一个href=\"https://github.com/gmazza/jersey-samples-on-cxf/blob/master/https-server-glassfish/src/main/java/com/sun/jersey/samples/https_glassfish/resources/HelloWorldResource.java\"相对=nofollow>豆与 @RolesAllowed 注释
Update 2: The Jersey-CXF blog entry doesn't seem be migrated to gmazza's new blog. However, the example I used is on github. It contains a config file with SecureAnnotationsInterceptor definition and a bean with @RolesAllowed annotation
这篇关于我可以使用@RolesAllowed上的Apache CXF实现REST风格的资源?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
