Jersey custom SecurityContext on EJB jax-rs resource


Problem description

I am trying to implement my own ContainerRequestFilter and configure SecurityContext. It works well on jax-rs resources, but EJB jax-rs throws javax.ejb.AccessLocalException.

The only relevant thing I found is 4 years old and the workaround doesn't seem pretty. https://java.net/projects/jersey/lists/users/archive/2010-05/message/265

My custom SecurityContext:

import java.io.IOException;
import java.security.Principal;

import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;

@Provider
@PreMatching
public class SecurityFilter implements ContainerRequestFilter {

    @Override
    public void filter(ContainerRequestContext filterContext) throws IOException {
        // Replace the container-provided SecurityContext with the custom one below.
        filterContext.setSecurityContext(new Authorizer());
    }

    // Test implementation from the question: no principal, every role check passes.
    // Only JAX-RS sees this object; the EJB container keeps its own caller identity.
    public class Authorizer implements SecurityContext {

        @Override
        public Principal getUserPrincipal() {
            return null;
        }

        @Override
        public boolean isUserInRole(String role) {
            return true;
        }

        @Override
        public boolean isSecure() {
            return false;
        }

        @Override
        public String getAuthenticationScheme() {
            return null;
        }
    }
}

Tested resource (works without @Stateless)

import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.core.Response;

@Path("test")
@Stateless
public class TestSecureResource {

    // As an EJB, @RolesAllowed is enforced by the EJB container, which does not
    // consult the JAX-RS SecurityContext set by the filter above.
    @GET
    @RolesAllowed("admin")
    @Path("admin")
    public Response secureTest() {
        return Response.status(200).entity("admin").build();
    }

}

Does someone know how to make this work?

Recommended answer

You can use the JAX-RS SecurityContext as an API, not an SPI. It is uncommon for an application developer to provide a SecurityContext implementation. If you do, you have to know that it has only "local JAX-RS validity" since it is a JAX-RS specific API. Neither the Servlet/Web container nor the EJB container works with it. They don't have to, as Java SE and EE have more general security support.

If you want your security checks to work in a Java EE application (i.e. HttpServletRequest.isUserInRole(...), EJBContext.isCallerInRole(...) or javax.annotation.security annotations on EJBs) you need to secure your Servlet layer using Java EE features. This means using, for example, <security-constraint> in web.xml. You can use * as <role-name>, meaning "all authenticated" users can call the REST API:

<security-constraint>
    <web-resource-collection>
        <url-pattern>/rest/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>adminRole</role-name>
    </auth-constraint>
</security-constraint>
<security-constraint>
    <web-resource-collection>
        <url-pattern>/rest/orders/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name> <!-- all authenticated users -->
    </auth-constraint>
</security-constraint>
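A fuller web.xml for the same two constraints, added here as an example and not part of the original answer (the realm name app-realm and the web-resource-name values are assumed): it adds the login-config the container needs before any auth-constraint takes effect, requires TLS on the protected paths, and declares the role. One caveat worth checking against your container: in Servlet 3.1 and later the special role name ** means any authenticated user, while * means every role declared in the deployment descriptor, so the orders path below uses **.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the original answer. Assumes Servlet 3.1+ and a
     container realm named "app-realm" that maps users to the roles below. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">

    <!-- Only adminRole reaches /rest/admin/*. URLs that match no constraint
         are unprotected, so keep the patterns as broad as the API needs. -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>admin-api</web-resource-name>
            <url-pattern>/rest/admin/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>adminRole</role-name>
        </auth-constraint>
        <user-data-constraint>
            <!-- credentials and session cookies only over TLS -->
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>orders-api</web-resource-name>
            <url-pattern>/rest/orders/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <!-- Servlet 3.1: "**" = any authenticated user; "*" = all declared roles -->
            <role-name>**</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <!-- Without a login-config the container never authenticates anyone, and the
         EJB sees an unauthenticated caller whatever a JAX-RS filter sets. -->
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>app-realm</realm-name>
    </login-config>

    <!-- Declare roles so the realm can map users to them and so @RolesAllowed
         and EJBContext.isCallerInRole can refer to them. -->
    <security-role>
        <role-name>adminRole</role-name>
    </security-role>
</web-app>
```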

When your Java EE application is secured as shown above, we can enable javax.annotation.security annotations in JAX-RS using the Jersey-specific feature called RolesAllowedDynamicFeature.

Register the feature:

import javax.ws.rs.ApplicationPath;
import org.glassfish.jersey.server.ResourceConfig;
import org.glassfish.jersey.server.filter.RolesAllowedDynamicFeature;

@ApplicationPath("/rest")
public class MyApplication extends ResourceConfig {
    public MyApplication() {
        super(AdminResource.class);
        // Enforces @RolesAllowed / @PermitAll / @DenyAll on plain JAX-RS resources
        // using the caller identity established by the Servlet container.
        register(RolesAllowedDynamicFeature.class);
    }
}

Secure your resources:

import javax.annotation.security.RolesAllowed;
import javax.ws.rs.GET;
import javax.ws.rs.Path;

@Path("/admin")
@RolesAllowed("adminRole")
public class AdminResource {
    @GET
    public String get() { return "GET"; }
    ...
}

See Jersey User guide for more details about securing JAX-RS applications.

So you were close. You don't need to implement a SecurityContext yourself. You must not implement it if you deal with secured EJBs. And finally, you need to secure your JAX-RS layer as a common Web/Servlet application. I'm sure you have already secured your Web/HTML pages.

