带有Jersey和会话管理的REST授权
[英]REST authorization with Jersey and session management
问题描述
I have a RESTful Java backend with Jersey. 
我在Jersey上有一个RESTful Java后端。 The thing is that I don´t know how to implement authorization for the methods. 问题是我不知道如何实现方法的授权。 I mean how do I check a user is authorized to use a given method of my REST API? 我的意思是如何检查用户是否有权使用我的REST API的给定方法?
Of course if I look for "Jersey authorization", I have those nice annotations like @RolesAllowed, @PermitAll and @DenyAll. 当然,如果我要查找“ Jersey授权”,我会使用@ RolesAllowed,@ PermitAll和@DenyAll之类的漂亮注释。 However those annotations act against the server realm, with the users of the server, nothing to do with your application users that you store in the database. 但是,这些批注与服务器用户的服务器领域无关,与您存储在数据库中的应用程序用户无关。
So for the sake authorization, what should I do? 因此,为了授权,我该怎么办? I define a filter that checks if the user is logged in in my application? 我定义了一个过滤器来检查用户是否已登录我的应用程序? I have to apply the filter to the REST endpoints that need authentication? 我必须将过滤器应用于需要身份验证的REST端点吗?
This seems a bit "like the old days", that´s why I´m asking the better way to do it. 这似乎有点像“过去”,这就是为什么我要寻求更好的方法。
2 个解决方案
解决方案1
4 2015-10-01 15:54:41
So for the sake authorization, what should I do?
Well... i guess you will not be happy but that is basically what you need to do. 好吧...我想你不会很高兴,但这基本上就是你需要做的。
Some code advice; 一些代码建议;
public class Application extends ResourceConfig {
public Application() {
super();
register(RolesAllowedDynamicFeature.class); // this is for @RolesAllowed
register(AuthenticationRequestFilter.class); // your auth filter
}
}
Then, for basic auth I do: 然后,对于基本身份验证,我这样做:
@PreMatching
public class AuthenticationRequestFilter implements ContainerRequestFilter {
@Override
public void filter(ContainerRequestContext request) throws IOException {
String authorization = request.getHeaderString("Authorization"); // get BasicAuth header
if (StringUtils.isNotEmpty(authorization) && StringUtils.startsWith(authorization, "Basic")) {
... do the password check... you have base64 encrypted string here
request.setSecurityContext(new SecurityContext(){
...implementation...
});
}}}
But well, most of the work you need to do by yourself. 但是好吧,您需要自己完成大部分工作。
EDIT For the @RolesAllowed to work properly you need to set a SecurityContext in your authentication filter. 编辑为了使@RolesAllowed正常工作,您需要在身份验证过滤器中设置SecurityContext 。 And if the user is authenticated you need to set a proper context (like i do in the above code snipet). 如果用户通过了身份验证,则需要设置适当的上下文(就像我在上面的代码片段中所做的那样)。
This context actually allows you to do whatever logic you like to check for roles, username etc. with its methods; 实际上,此上下文允许您使用其方法执行想要检查角色,用户名等的任何逻辑; for example my implementation is: 例如我的实现是:
public class AuthorizedContext implements SecurityContext {
private final InternalUserBean user;
public AuthorizedContext(InternalUserBean user) {
this.user = user;
}
@Override
public Principal getUserPrincipal() {
return () -> getUser().getUsername();
}
@Override
public boolean isUserInRole(String s) {
// this does the proper check for @RolesAllowed annotation.
return StringUtils.equals(s, getUser().getRole());
}
@Override
public boolean isSecure() {
return false;
}
@Override
public String getAuthenticationScheme() {
return "YourRealmName";
}
public InternalUserBean getUser() {
return user;
}
}
解决方案2
1 已采纳 2015-10-05 14:51:35
After reading A LOT, I found a really good (and cool solution) here: 看了很多之后,我在这里找到了一个非常好的(很酷的解决方案):
Jersey Request Filter only on certain URI 球衣请求过滤器仅在某些URI上
So, in order to check authorization only for those methods annotated with your custom annotation (your authorization ContainerRequestFilter only filters the annotated methods of your REST API). 因此,为了仅检查那些使用您的自定义注释注释的方法的授权(您的授权ContainerRequestFilter仅过滤REST API的注释方法)。 I named it @AuthorizationRequired 我将其命名为@AuthorizationRequired
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.