dropwizard中的身份验证流程

Question

I have gone through many forum to understand the flow but still confuse with the correct flow.

I am using Dropwizard and First I wanted to get token from REST API (Username & password will be provided in Basic auth) then next time this token will be pass in every request.

Main Class

    environment.jersey()
                .register(
                        new AuthDynamicFeature(
                                new JwtAuthFilter.Builder<User>()
                                        .setAuthenticator(new MarginCalcAuthenticator())
                                        .setAuthorizer(
                                                new CalcAuthorizer())
                                        .setRealm("BASIC-AUTH-REALM")
                                        .buildAuthFilter()));
environment.jersey().register(RolesAllowedDynamicFeature.class);
        environment.jersey().register(new AuthValueFactoryProvider.Binder<User>(User.class));

AuthFilter

@Priority(Priorities.AUTHENTICATION)
public class JwtAuthFilter<P extends Principal> extends AuthFilter<JWTCredentials, P> {

    private static final Logger LOGGER = LoggerFactory.getLogger(JwtAuthFilter.class);
    public static final String AUTHENTICATION_HEADER = "Authorization";

    @Override
    public void filter(final ContainerRequestContext requestContext) throws IOException {
        String authCredentials = requestContext.getHeaderString(AUTHENTICATION_HEADER);

Authenticator

public class CalcAuthenticator implements Authenticator<JWTCredentials, User> {

    public Optional<User> authenticate(JWTCredentials credentials)
            throws AuthenticationException {
        AdminAuthenticationService authService = new AdminAuthenticationService();

        User userObj = authService.authenticate(credentials.getJwtToken());
        if (userObj == null) {
            throw new WebApplicationException(Status.UNAUTHORIZED);
        }
        return Optional.of(userObj);
    }

}

REST API Resource class

@GET
    @Path("token")
    @Produces(MediaType.TEXT_PLAIN)
    public Response genToken(@Context SecurityContext sc){
        return Response
                .ok()
                .header("Authorization", "Bearer "+AdminAuthenticationService.issueToken((br.dc.auth.User) sc
                        .getUserPrincipal())).build();
    }

I am debugging from Postman and it is hitting my API genToken but it never came to JwtAuthFilter or CalcAuthenticator. Can anyone help me to understand the flow ? I want to understand the flow.

Answer 1

As Paul mention class or method annotated with @RolesAllowed (or any other authz anno) is required for authentication. The auth is only done on methods (or classes) you tell it to.

Flow Register your filter, Authenticator etc with the Environment -> start your server -> request the token from UI or postman -> It will hit your AuthFilter -> You can call your authenticator for token validation -> Authenticate your request and send the response accordingly.