SecurityContext doesn't work with @RolesAllowed
I'm currently creating a backend server using Jersey 2.5.1 in Tomcat 7. For security I'm using the @RolesAllowed, @PermitAll etc. annotations, and I have created my custom ContainerRequestFilter and SecurityContext.
My problem is that when my @RolesAllowed-annotated resource is requested it always denies permission, even if I force my isUserInRole(role) method to return true. However, my filter method does get called. Do you have any suggestions? I'll paste some relevant code below.
My ContainerRequestFilter implementation:
import java.io.IOException;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;

public class AuthorizationFilter implements ContainerRequestFilter
{
    @Override
    public void filter(ContainerRequestContext request) throws IOException
    {
        // Replace the container-provided SecurityContext with the custom one
        request.setSecurityContext(new Authorizer());
    }
}
My SecurityContext implementation:
import java.security.Principal;
import javax.ws.rs.core.SecurityContext;

public class Authorizer implements SecurityContext
{
    @Override
    public String getAuthenticationScheme() {
        return null;
    }

    @Override
    public Principal getUserPrincipal() {
        // No principal yet; still a stub while debugging the role check
        return null;
    }

    @Override
    public boolean isSecure() {
        return false;
    }

    @Override
    public boolean isUserInRole(String role) {
        // Forced to true for debugging, as described in the question
        return true;
    }
}
My resource:
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.core.Response;

@Path("/secure")
public class TestSecureResource {

    // Open to everyone: this one works
    @GET
    @PermitAll
    @Path("/nonsec_test/{text}")
    public Response nonSecureTest(
            @PathParam("text") String text) {
        return Response.status(200).entity(text).build();
    }

    // Requires the "admin" role: this one always answers 403
    @GET
    @RolesAllowed("admin")
    @Path("/sec_test/{text}")
    public Response secureTest(
            @PathParam("text") String text) {
        return Response.status(200).entity(text).build();
    }
}
My ResourceConfig:
import javax.ws.rs.ApplicationPath;
import org.glassfish.jersey.server.ResourceConfig;
import org.glassfish.jersey.server.filter.RolesAllowedDynamicFeature;

@ApplicationPath("/")
public class MyApplication extends ResourceConfig {
    public MyApplication() {
        super(TestSecureResource.class);
        // Enables @RolesAllowed / @PermitAll / @DenyAll processing
        register(RolesAllowedDynamicFeature.class);
        register(AuthorizationFilter.class);
    }
}
Relevant parts of my web.xml:
<servlet>
    <servlet-name>Jersey Web Application</servlet-name>
    <servlet-class>org.glassfish.jersey.servlet.ServletContainer</servlet-class>
    <init-param>
        <param-name>jersey.config.server.provider.packages</param-name>
        <param-value>pkg.backend</param-value>
    </init-param>
    <init-param>
        <param-name>javax.ws.rs.Application</param-name>
        <param-value>pkg.backend.MyApplication</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>
In this specific case, my access to secureTest is always denied. To clarify things: I'm getting HTTP status code 403 - Forbidden.

Thank you guys in advance.
Make sure you have your AuthorizationFilter either registered in your MyApplication (see Registering Resources and Providers in Jersey 2) or annotated with @Provider (to make it discoverable by package scanning).
In order to use security annotations (package javax.annotation.security) to restrict access to your resources you need to register RolesAllowedDynamicFeature.
Your AuthorizationFilter also has to be annotated with @PreMatching, which means that the filter is invoked before the matching phase (uri -> resource). Otherwise filters registered by RolesAllowedDynamicFeature (invoked during this phase) won't see the custom SecurityContext.
Jersey User Guide - Authorization - securing resources
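As an added example (not code from the question or from either answer), here is a filter written the way the answer above describes: annotated with @Provider so package scanning finds it and with @PreMatching so it runs before URI matching, and installing a SecurityContext whose isUserInRole answers from roles actually resolved for the caller instead of returning true for everyone. @Priority(Priorities.AUTHENTICATION) is added so it also orders ahead of the authorization filter that RolesAllowedDynamicFeature binds at Priorities.AUTHORIZATION. It authenticates HTTP Basic credentials against a small in-memory user table constructed for the example; the class names, the realm string, the users and their roles are assumptions and not part of the original post. It targets Java 7 (Tomcat 7 era), hence DatatypeConverter for Base64 rather than java.util.Base64.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;
import javax.xml.bind.DatatypeConverter;

// Example filter (assumption: not the poster's code). @Provider makes it discoverable by
// package scanning; @PreMatching runs it before URI matching, so the SecurityContext is
// already in place when the filter bound by RolesAllowedDynamicFeature checks roles.
@Provider
@PreMatching
@Priority(Priorities.AUTHENTICATION)
public class BasicAuthFilter implements ContainerRequestFilter {

    // Constructed in-memory user table for the example: name -> password, name -> roles.
    // A real deployment would look users up in a store and compare password hashes.
    private static final Map<String, String> PASSWORDS = new HashMap<String, String>();
    private static final Map<String, Set<String>> ROLES = new HashMap<String, Set<String>>();
    static {
        PASSWORDS.put("alice", "admin-secret");
        ROLES.put("alice", new HashSet<String>(Arrays.asList("admin", "user")));
        PASSWORDS.put("bob", "user-secret");
        ROLES.put("bob", new HashSet<String>(Arrays.asList("user")));
    }

    @Override
    public void filter(ContainerRequestContext request) throws IOException {
        boolean secure = request.getSecurityContext().isSecure(); // keep the container's TLS answer
        String header = request.getHeaderString(HttpHeaders.AUTHORIZATION);
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            // No credentials: anonymous caller with no roles. @PermitAll resources still
            // work; @RolesAllowed ones are rejected because isUserInRole returns false.
            request.setSecurityContext(
                    new UserSecurityContext(null, Collections.<String>emptySet(), secure));
            return;
        }
        String decoded = new String(
                DatatypeConverter.parseBase64Binary(header.substring(6).trim()),
                StandardCharsets.UTF_8);
        int colon = decoded.indexOf(':');
        if (colon < 0) {
            request.abortWith(unauthorized());
            return;
        }
        String user = decoded.substring(0, colon);
        String password = decoded.substring(colon + 1);
        String expected = PASSWORDS.get(user);
        // Constant-time comparison so response timing does not leak how many bytes matched
        if (expected == null || !MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                password.getBytes(StandardCharsets.UTF_8))) {
            request.abortWith(unauthorized()); // bad credentials: 401, not 403
            return;
        }
        request.setSecurityContext(new UserSecurityContext(user, ROLES.get(user), secure));
    }

    private static Response unauthorized() {
        return Response.status(Response.Status.UNAUTHORIZED)
                .header(HttpHeaders.WWW_AUTHENTICATE, "Basic realm=\"example\"")
                .build();
    }

    // SecurityContext backed by the resolved principal and its role set
    static final class UserSecurityContext implements SecurityContext {
        private final Principal principal;
        private final Set<String> roles;
        private final boolean secure;

        UserSecurityContext(final String name, Set<String> roles, boolean secure) {
            this.principal = name == null ? null : new Principal() {
                @Override public String getName() { return name; }
            };
            this.roles = roles;
            this.secure = secure;
        }

        @Override public Principal getUserPrincipal() { return principal; }
        @Override public boolean isUserInRole(String role) { return roles.contains(role); }
        @Override public boolean isSecure() { return secure; }
        @Override public String getAuthenticationScheme() {
            return principal == null ? null : SecurityContext.BASIC_AUTH;
        }
    }
}
```

Either register BasicAuthFilter in MyApplication next to RolesAllowedDynamicFeature or rely on the jersey.config.server.provider.packages scan finding it through @Provider. With the resource from the question, an anonymous request or one from bob to /secure/sec_test/x gets 403 from the RolesAllowedDynamicFeature filter, wrong credentials get 401 from this filter, and alice gets 200; /secure/nonsec_test/x stays open to all three. Note that Jersey's RolesAllowedDynamicFeature answers 403 whenever isUserInRole is false, including for anonymous callers, so the 401 with a WWW-Authenticate challenge is only sent here when credentials were presented and rejected.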
In a real application, defining your own ResourceConfig means you have to edit it every time you add a new resource (class).
A nice way to avoid that problem is to register the RolesAllowedDynamicFeature class in an <init-param> of the <servlet> in your web.xml like this:
<servlet>
<servlet-name>your_servlet_name</servlet-name>
<servlet-class>org.glassfish.jersey.servlet.ServletContainer</servlet-class>
<init-param>
<param-name>jersey.config.server.provider.classnames</param-name>
<param-value>org.glassfish.jersey.server.filter.RolesAllowedDynamicFeature</param-value>
</init-param>
If you do that then you can put this in to dynamically register all resources in particular packages:
<init-param>
<param-name>jersey.config.server.provider.packages</param-name>
<param-value>com.your-domain.your-packages-1,com.your-domain.your-packages-2</param-value>
</init-param>
Notice: the technical posts on this site are licensed under CC BY-SA 4.0; if you repost, please cite this site's URL or the original address. For any questions contact: yoyou2525@163.com.