
User authentication on a Jersey REST service

I am developing a REST application, which is using the Jersey framework. I would like to know how I can control user authentication. I have searched many places, and the closest article I have found is this: http://weblogs.java.net/blog/2008/03/07/authentication-jersey .

However this article can only be used with a GlassFish server and an attached database. Is there any way that I can implement an interface in Jersey and use it as a filter before reaching the requested REST resource?

I want to use basic authentication right now, but it should be flexible enough such that I can change that at a later time.

I'm successfully using Spring Security for securing my Jersey-based API. It has pluggable authentication schemes allowing you to switch from Basic Auth to something else later. I'm not using Spring in general, just the security stuff.

Here is the relevant part from my web.xml:

<listener>
    <listener-class>
        org.springframework.web.context.ContextLoaderListener
    </listener-class>
</listener>

<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        /WEB-INF/security-applicationContext.xml,
        /WEB-INF/applicationContext.xml
    </param-value>
</context-param>

<!-- Enables Spring Security -->

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>
        org.springframework.web.filter.DelegatingFilterProxy
    </filter-class>
    <init-param>
        <param-name>targetBeanName</param-name>
        <param-value>springSecurityFilterChain</param-value>
    </init-param>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

You can leave applicationContext.xml empty (<beans></beans>). An example of the security-applicationContext.xml can be found here

I'm working on something similar to this. In my implementation, we have Apache httpd front-ended to handle HTTP Basic authentication, and it simply forwards all requests with some header information containing the user and roles.

From that, I'm working on parsing these pieces out using a servlet filter to wrap the HttpServletRequest, using a post I found on CodeRanch. This allows me to use the javax.annotation.security annotations like @RolesAllowed on each resource I want to filter. To get all of these pieces working, however, I had to add the following to my servlet in the web.xml:

<servlet>
  <!-- some other settings and such 
  ... -->
  <init-param>
    <param-name>com.sun.jersey.spi.container.ResourceFilters</param-name>
    <param-value>com.sun.jersey.api.container.filter.RolesAllowedResourceFilterFactory</param-value>
  </init-param>
  ...
</servlet>

You might find Eric Warriner's answer on a recent post of interest: Jersey, Tomcat and Security Annotations
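As an added example (not code from the answer above, nor from the CodeRanch post it refers to), here is a servlet filter along the lines the answer describes: it wraps HttpServletRequest so that the user and roles forwarded by the Apache httpd front end become the request's principal and roles, which is what RolesAllowedResourceFilterFactory consults when it enforces @RolesAllowed. The header names X-Auth-User and X-Auth-Roles, the comma-separated roles format and the proxy address 127.0.0.1 are assumptions; adapt them to whatever httpd actually sets. The filter refuses requests that did not arrive from the proxy, because otherwise any client able to reach the servlet container directly could assert an identity simply by adding the headers.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

/**
 * Turns identity headers set by an authenticating reverse proxy into
 * getRemoteUser(), getUserPrincipal() and isUserInRole(), so that Jersey's
 * RolesAllowedResourceFilterFactory and @RolesAllowed work downstream.
 * Header names and the trusted proxy address are assumptions for this example.
 */
public class ProxyIdentityFilter implements Filter {

    static final String USER_HEADER = "X-Auth-User";   // assumed header set by httpd
    static final String ROLES_HEADER = "X-Auth-Roles"; // assumed: comma-separated roles

    // Assumed address of the Apache httpd front end. If clients can reach the
    // container directly, this check is all that stops them minting headers.
    private Set<String> trustedProxies = Collections.singleton("127.0.0.1");

    public void init(FilterConfig cfg) {
        String configured = cfg.getInitParameter("trustedProxies"); // optional override
        if (configured != null) {
            trustedProxies = new HashSet<String>(Arrays.asList(configured.split("\\s*,\\s*")));
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        if (!trustedProxies.contains(http.getRemoteAddr())) {
            // Not from the proxy: the identity headers cannot be trusted, so refuse.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        String user = http.getHeader(USER_HEADER);
        if (user == null || user.isEmpty()) {
            // Proxy passed an anonymous request through: continue with no principal,
            // and let @RolesAllowed reject it if the resource needs one.
            chain.doFilter(req, res);
            return;
        }
        Set<String> roles = parseRoles(http.getHeader(ROLES_HEADER));
        chain.doFilter(new IdentityRequest(http, user, roles), res);
    }

    public void destroy() { }

    /** "admin, user" becomes {admin, user}; null or blank becomes an empty set. */
    static Set<String> parseRoles(String header) {
        Set<String> roles = new HashSet<String>();
        if (header != null) {
            for (String r : header.split(",")) {
                String t = r.trim();
                if (!t.isEmpty()) {
                    roles.add(t);
                }
            }
        }
        return roles;
    }

    /** Request wrapper exposing the proxy-asserted identity through the servlet API. */
    static final class IdentityRequest extends HttpServletRequestWrapper {
        private final Principal principal;
        private final Set<String> roles;

        IdentityRequest(HttpServletRequest req, final String user, Set<String> roles) {
            super(req);
            this.principal = new Principal() {
                public String getName() { return user; }
            };
            this.roles = roles;
        }

        @Override public String getRemoteUser() { return principal.getName(); }
        @Override public Principal getUserPrincipal() { return principal; }
        @Override public boolean isUserInRole(String role) { return roles.contains(role); }
    }
}
```

Map the filter in web.xml on /* ahead of the Jersey servlet; Jersey's servlet container builds its SecurityContext from getUserPrincipal() and isUserInRole() on the request it receives, so the wrapper is all RolesAllowedResourceFilterFactory needs. Keep the remote-address check, or replace it with something stronger such as a shared secret header from httpd or an AJP connector that is not reachable from clients; without it the headers are an authentication bypass.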

Have a look here, I'm in the middle of trying it, but it looks promising:

http://anismiles.wordpress.com/2012/03/02/securing-versioning-and-auditing-rest-jax-rs-jersey-apis/

This example is much simpler than attempting to implement JASPI/JASPIC and gives better granularity to the individual methods (@RolesAllowed, @PermitAll, @DenyAll, etc...).

(I know this is an old thread, but just adding potentially useful information)

Sure, you can use a traditional servlet filter for this.

Add the filter to your web.xml, check for whatever authentication headers you're using (Basic or Digest), perform your authentication logic based on those values, and store the result in a session attribute. In your Jersey resource (ctor probably), extract the auth result from the session attribute and continue processing or not based on whether this is the result you require.

Your Jersey resource ctor would probably look like this:

protected AbstractResource(@Context ServletContext servletContext, 
    @Context HttpServletRequest httpServletRequest) {

    ...

    HttpSession session = httpServletRequest.getSession();
    // get whatever you put in the session in the auth filter here and compare
}

You can do it in two ways: either you write a simple servlet filter, or you implement a ResourceFilterFactory and handle the auth in a ContainerRequestFilter. The detailed code is in the link http://neopatel.blogspot.com/2011/11/jesey-writing-authentication-filter.html . I like the servlet filter approach personally as it gives complete lifecycle control. However, if you need more specific things like accessing QueryParams or PathParams, then ResourceFilterFactory is the way to go.
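The last two answers both describe checking the Authorization header yourself, either in a servlet filter or in a Jersey ContainerRequestFilter. As an added example (not code from any of the answers or the blog posts they link), here is the ContainerRequestFilter version for Jersey 1.x: it parses HTTP Basic credentials, verifies them against a small user table constructed inline, and installs a SecurityContext so that @RolesAllowed keeps working through RolesAllowedResourceFilterFactory. The user names, passwords, realm name and SHA-256 password storage are assumptions for illustration only; java.util.Base64 assumes Java 8 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.util.Base64;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;

import com.sun.jersey.spi.container.ContainerRequest;
import com.sun.jersey.spi.container.ContainerRequestFilter;

/**
 * HTTP Basic authentication as a Jersey 1.x ContainerRequestFilter. Role checks are
 * left to RolesAllowedResourceFilterFactory, which reads the SecurityContext set here.
 */
public class BasicAuthFilter implements ContainerRequestFilter {

    private static final String REALM = "api"; // assumed realm name

    // Constructed sample user store: user -> (SHA-256 of password, roles). A real
    // deployment would use a slow password hash (bcrypt/PBKDF2) and an external store.
    private static final Map<String, UserRecord> USERS = new HashMap<String, UserRecord>();
    static {
        USERS.put("alice", new UserRecord(sha256("correct horse"), Collections.singleton("admin")));
        USERS.put("bob", new UserRecord(sha256("hunter2"), Collections.singleton("user")));
    }

    @Override
    public ContainerRequest filter(ContainerRequest request) {
        String[] creds = parseBasicHeader(request.getHeaderValue("Authorization"));
        if (creds == null) {
            throw unauthorized();
        }
        Set<String> roles = authenticate(creds[0], creds[1]);
        if (roles == null) {
            throw unauthorized();
        }
        request.setSecurityContext(new UserSecurityContext(creds[0], roles, request.isSecure()));
        return request;
    }

    /** Returns {user, password} from a "Basic base64(user:password)" header, null if absent or malformed. */
    static String[] parseBasicHeader(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;
        }
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(header.substring(6).trim());
        } catch (IllegalArgumentException e) {
            return null; // not valid base64
        }
        String pair = new String(decoded, StandardCharsets.UTF_8);
        int colon = pair.indexOf(':'); // split on the first colon only: passwords may contain ':'
        if (colon < 1) {
            return null;
        }
        return new String[] { pair.substring(0, colon), pair.substring(colon + 1) };
    }

    /** Returns the user's roles on success, null on failure; compares digests in constant time. */
    static Set<String> authenticate(String user, String password) {
        UserRecord rec = USERS.get(user);
        byte[] supplied = sha256(password);
        // Hash and compare even for unknown users so timing does not reveal which names exist.
        byte[] expected = rec == null ? new byte[supplied.length] : rec.passwordHash;
        boolean match = MessageDigest.isEqual(expected, supplied);
        return (rec != null && match) ? rec.roles : null;
    }

    private static WebApplicationException unauthorized() {
        return new WebApplicationException(Response.status(Response.Status.UNAUTHORIZED)
                .header("WWW-Authenticate", "Basic realm=\"" + REALM + "\"").build());
    }

    static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    static final class UserRecord {
        final byte[] passwordHash;
        final Set<String> roles;
        UserRecord(byte[] passwordHash, Set<String> roles) {
            this.passwordHash = passwordHash;
            this.roles = roles;
        }
    }

    /** The SecurityContext that RolesAllowedResourceFilterFactory consults for @RolesAllowed. */
    static final class UserSecurityContext implements SecurityContext {
        private final Principal principal;
        private final Set<String> roles;
        private final boolean secure;

        UserSecurityContext(final String name, Set<String> roles, boolean secure) {
            this.principal = new Principal() {
                public String getName() { return name; }
            };
            this.roles = roles;
            this.secure = secure;
        }

        public Principal getUserPrincipal() { return principal; }
        public boolean isUserInRole(String role) { return roles.contains(role); }
        public boolean isSecure() { return secure; }
        public String getAuthenticationScheme() { return SecurityContext.BASIC_AUTH; }
    }
}
```

Register it on the Jersey servlet with an init-param named com.sun.jersey.spi.container.ContainerRequestFilters whose value is the class name, next to the com.sun.jersey.spi.container.ResourceFilters entry shown earlier; the request filter runs before the role check, so @RolesAllowed sees the SecurityContext it installs. Basic credentials are only base64-encoded, not encrypted, so serve this over TLS only (request.isSecure() is exposed on the SecurityContext for that reason), and keep the constant-time compare: a plain String.equals on hashes, or returning early for unknown users, leaks information through timing.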

Statement: the technical posts on this site follow the CC BY-SA 4.0 license; if you reproduce them, please credit this site or the original source.