保护平针织RESTful Web服务
[英]Securing a jersey RESTful web service
问题描述
I'm developing a restful web service that will be consumed by an Android application later on. 
我正在开发一个宁静的Web服务,稍后将由Android应用程序使用。
Right now, I'm seeking a way to secure the access to my resources: 现在,我正在寻找一种方法来保护对我资源的访问:
I found several ways for implementing that on the net, but I can't figure out what is the most appropriate one. 我找到了几种在网上实现的方法,但我无法弄清楚什么是最合适的方法。
For example, I found that Oauth specifications are more convenient for third-party applications which is not my case. 例如,我发现Oauth规范对于第三方应用程序来说更方便,这不是我的情况。
So what are the most suitable ways for securing jersey APIs, and I'll be glad if someone can provide me with any tutorials/documentations on that. 那么什么是最适合保护球衣API的方法,如果有人可以为我提供任何教程/文件,我会很高兴。
- I'm using a Glassfish v4 server and the Jersey JAX-RS implementation. 我正在使用Glassfish v4服务器和Jersey JAX-RS实现。
2 个解决方案
解决方案1
1 2014-07-23 15:04:37
After looking at different options I used an authentication filter and basic auth. 在查看了不同的选项后,我使用了身份验证过滤器和基本身份验证。 Very easy to implement. 很容易实现。
Some example code: 一些示例代码:
You need a filter 你需要一个过滤器
public class AuthFilter implements ResourceFilter, ContainerRequestFilter {
...
}
And a security context: 和安全上下文:
public class MySecurityContext implements SecurityContext {
...
}
And a user class: 用户类:
public class User implements Serializable, Principal {
...
}
Finally, you can add the filters you need like so: (pass your ResourceConfig object to this function) 最后,您可以添加所需的过滤器:(将ResourceConfig对象传递给此函数)
private void prepareFilters(ResourceConfig rc) {
rc.getProperties().put("com.sun.jersey.spi.container.ContainerRequestFilters",
getClassListing(new Class[]{
AuthFilter.class
}));
rc.getProperties().put("com.sun.jersey.spi.container.ContainerResponseFilters",
getClassListing(new Class[]{
CORSFilter.class, //You might not need this
GZIPContentEncodingFilter.class //You might not need this
}));
rc.getProperties().put("com.sun.jersey.spi.container.ResourceFilters",
getClassListing(new Class[]{
RolesAllowedResourceFilterFactory.class
}));
}
BTW, you can add @Context SecurityContext securityContext; 顺便说一句,你可以添加@Context SecurityContext securityContext; to your resource class(es) or the individual methods for more fine grained access control. 到您的资源类或单个方法,以获得更细粒度的访问控制。 The SecurityContext will be injected into the context of your resource so you can access the User object per request with SecurityContext将被注入资源的上下文中,因此您可以使用每个请求访问User对象
With this setup you can annotate your REST methods with @PermitAll , @RolesAllowed , etc which gives you a good level of control over your RESTful interface. 通过此设置,您可以使用@PermitAll , @RolesAllowed等对REST方法进行@PermitAll ,从而为您提供对RESTful界面的良好控制。
I just finished my stateless (without sessions) user auth and management with Jersey. 我刚刚完成了我的无状态(没有会话)用户身份验证和泽西岛管理。 Let me know if you want a full example or if you want to give it a try yourself ;) 如果你想要一个完整的例子,或者你想自己尝试一下,请告诉我;)
解决方案2
0 2014-07-23 04:09:48
The simplest way would be using the Java EE build-in Container Managed Security model to secure your rest resources as described in this tutorial . 最简单的方法是使用Java EE内置容器管理安全模型来保护您的其余资源,如本教程中所述 。 It allows you to configure the security based on users and roles stored in a database or file realm in the web.xml or the the classes themselves. 它允许您根据存储在web.xml中的数据库或文件域中的用户和角色或类本身来配置安全性。 The disadvantage would be that you must start a session, extract the JSESSIONID and send it in each of your requests so that the server can verify it, but that makes your services more 'stateful' and violates the statelessness of the rest architecture. 缺点是您必须启动会话,提取JSESSIONID并在每个请求中发送它,以便服务器可以验证它,但这会使您的服务更“有状态”并违反其余架构的无状态。 Another way would be implementing custom security by using WebFilters, like sending the user name and password with each of your requests and verity them based on the information in a special db. 另一种方法是使用WebFilters实现自定义安全性,例如使用每个请求发送用户名和密码,并根据特殊数据库中的信息对其进行验证。 If the information doesn't match the information stored in the database a redirect or a special error code can be returend in the Response object. 如果信息与存储在数据库中的信息不匹配,则可以在Response对象中重定向或特殊错误代码。
The best approach I think is using OAuth2 as described in this specification . 我认为最好的方法是使用OAuth2,如本规范中所述 。 Dependend on what kind of client you are using (desktop, web page, mobile client) there are different workflows and apart from that lots of benefits like creating tokens for special scopes of your application (read-only or full access,...). 根据您使用的客户端类型(桌面,网页,移动客户端),有不同的工作流程,除了许多好处,例如为应用程序的特殊范围创建令牌(只读或完全访问,...) 。 Google provides many different apis that can be accessed by the same account. Google提供了许多可以通过同一帐户访问的不同api。 If an applications only needs data from the calendar api, the requested token only gives you access to this special api and not to the entire resources of the account (like mail data, notes, etc). 如果应用程序仅需要来自日历api的数据,则所请求的令牌仅允许您访问此特殊API,而不是帐户的整个资源(如邮件数据,备注等)。 Another point would be that the security handling is decoupled from the client and no password must be stored in the client application. 另一点是安全处理与客户端分离,并且客户端应用程序中不必存储密码。 You can either implement everything on your own or use a open source project like this . 您既可以自己实现所有内容,也可以使用像这样的开源项目。 It provides a description on how it works and the code is very good but it has many dependencies to spring frameworks. 它提供了有关它如何工作的描述,代码非常好,但它对spring框架有很多依赖性。 For my use case I've startend replacing them by vanilla Java EE 7 code and create a solution based on the idea of this open source project. 对于我的用例,我开始用vanilla Java EE 7代码替换它们,并根据这个开源项目的想法创建一个解决方案。 The reason behind the replacements was that it's more future-proof and it avoids class loader problems during the deployment. 替换背后的原因是它更具有前瞻性,并且在部署期间避免了类加载器问题。
In the Android app a Authenticator can be implemented for secure storing of the token. 在Android应用程序中,可以实现Authenticator以安全地存储令牌。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.