使用拦截器和注入在JAX-RS中进行身份验证/授权 [英] Authentication/authorization in JAX-RS using interceptors and injection

查看:248
本文介绍了使用拦截器和注入在JAX-RS中进行身份验证/授权的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我正在使用WildFly 8在JavaEE 7中开发一个新应用程序。我正在使用JAX-RS为远程应用程序提供RESTful服务接口。

I am developing a new application in JavaEE 7 using WildFly 8. I am using JAX-RS to provide a RESTful service interface for remote applications.

类似于 HttpHeaders 可以使用 @Context 注释在资源方法参数中注入对象。由于该对象基于请求参数(当然,HTTP标头),我想出了创建我自己的可注入用户对象的想法,该对象是基于存在而创建的请求中的有效令牌(类似于OAuth访问令牌)。

Something like an HttpHeaders object can be injected in a resource method arguments using the @Context annotation. Since the object is based on request parameters (of course, the HTTP headers), I came up with the idea of creating my own injectable User object which is created based on the presence of a valid token in the request (something like an OAuth access token).

所以,我希望实现这样的目标:

So, I want to achieve something like this:

@Path("/resources")
public class MyResource {

    @Path("/{id}")
    @GET
    public Response getById(@Context User user, @PathParam("id") long id) {
        ...
    }

}

其中User是基于请求参数创建的可注入对象,例如可通过<$ c访问的对象$ c> HttpHeaders 对象。当然,如果因任何原因无法创建User对象,提供程序也可以抛出异常并返回HTTP错误响应。

Where User is an injectable object created based on request parameters, such as ones accessible through an HttpHeaders object. Of course, the provider can also throw an exception and return an HTTP error response if the User object cannot be created for any reason.

现在,我的问题是:


  1. 这是一个好的设计吗?如果没有,我有哪些更好的选择?

  2. 我怎样才能做到这一点?我不在乎我的解决方案是否特定于JAX-RS并使用WildFly / RestEasy特定的内部结构,但如果存在便携式解决方案,我肯定更喜欢它。

谢谢

推荐答案

在我看来,这种方法只要你不试图建立就有效类似于使用此用户对象的会话。

In my eyes this approach is valid as long as you don't try to build something like a session with this User Object.

作为在这里回答你可以使用 @ Context @ Provider ,但这并不是你想要的。
使用 @Context 注入一个类-objects-that-c​​ontext-injectable /rel =nofollow noreferrer> Resteasy Dispatcher
但是在这里你必须注册应该注入的Object。我不认为这对请求范围的参数有意义。
您可以做的是注入这样的提供者:

As answered here you could use @Context and @Provider but that's not exactly what you want. Directly injecting a Class per @Context is possible with the Resteasy Dispatcher. But here you must register the Object which should be injected. I don't think that makes sense for request-scoped parameters. What you could do is inject a provider like this:

// Constructor of your JAX-RS Application
public RestApplication(@Context Dispatcher dispatcher) {
    dispatcher.getDefaultContextObjects().put(UserProvider.class, new UserProvider());
}

// a resource
public Response getById(@Context UserProvider userProvider) {
    User user = userProvider.get();
}

解决问题的其他方法:


  1. 注册 WebFilter ,对用户进行身份验证,包装ServletRequest并覆盖 getUserPrincipal 。然后,您可以从注入的HttpServletRequest访问UserPrincipal。

  2. 实现实现 ContainerRequestFilter 。使用 ContainerRequestContext.html#setSecurityContext ,并将SecurityContext注入ResourceMethod-Parameter。

  3. 实现 CDI-Interceptor 更新您的方法参数。

  4. 实现一个类生成您的用户并通过CDI注入。

  1. Register a WebFilter, authenticate the user, wrap the ServletRequest and override getUserPrincipal. You can then access the UserPrincipal from a injected HttpServletRequest.
  2. Implement a JAX-RS Interceptor which implements ContainerRequestFilter. Use ContainerRequestContext.html#setSecurityContext with a UserPrincipal and inject the SecurityContext as ResourceMethod-Parameter.
  3. Implement a CDI-Interceptor which updates your Method-Parameters.
  4. Implement a class which produces your user and inject it via CDI.

我将示例推送到 github

这篇关于使用拦截器和注入在JAX-RS中进行身份验证/授权的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆