将Spring Security 3与jersey rest api结合使用
[英]combining spring security 3 with jersey rest api
问题描述
I have a scenario where I am trying to combine spring security with jersey for my REST API. 
我有一种情况,我试图将Spring Security与jersey结合使用以实现我的REST API。
My need is rather complicated (I think) and it is as follows: 我的需求相当复杂(我认为),具体如下:
Spring security is being used to intercept urls and forcing basic authentication in order to access a REST resource. Spring安全性被用来拦截URL并强制进行基本身份验证以访问REST资源。 This seems to be ok as I am using http client to test this. 这似乎没问题,因为我正在使用http客户端对此进行测试。
However what I want to do is somehow access the User object that is loaded to check some additional permissions that hang off the user (a map object with boolean flags to indicate if object properties are visible or not). 但是,我想做的是以某种方式访问已加载的User对象,以检查挂在用户身上的其他权限(带有布尔标志的Map对象,用于指示对象属性是否可见)。 The code that does the loading works, but after spring authenticates how do I then access the User object in the actual REST Resource method itself?? 可以执行加载的代码,但是在spring验证之后,我该如何在实际的REST Resource方法本身中访问User对象? Is this possible? 这可能吗?
So the steps are: 因此,步骤如下:
1) Client makes a REST API call 2) Spring intercepts URL checks username and password supplied in the http header 3) The rest resource method is then accessed if valid credentials are present 1)客户端进行REST API调用2)Spring截取URL检查HTTP头中提供的用户名和密码3)如果存在有效的凭据,则将访问rest资源方法
But before step 3, I want to somehow pass on the loaded User object to the actual Resource method itself so I can further apply some logic to restrict what the user can see based on the permissions that I have loaded??? 但是在第3步之前,我想以某种方式将已加载的User对象传递给实际的Resource方法本身,以便我可以进一步应用一些逻辑以限制基于我已加载的权限用户可以看到的内容? Is this possible? 这可能吗? I think I have seen some code somewhere that checks for User Roles before a method is accessed using Spring and REST but if anyone has any links or ideas that would be excellent. 我想我已经在某些地方看到了一些代码,这些代码可以在使用Spring和REST访问方法之前检查用户角色,但是如果有人有任何链接或想法非常好。
Please help if you can. 如果可以的话请帮忙。 thank you so much. 非常感谢。
1 个解决方案
解决方案1
5 已采纳 2011-11-18 15:05:05
I solved this by using a request-scoped proxy which was constructed by a bean factory. 我通过使用由bean工厂构造的请求范围的代理来解决此问题。
This allows you to simply inject your currently authenticated user into any spring managed bean, and in my case my Jersey Resources fell into that category. 这使您可以将当前已通过身份验证的用户简单地注入任何spring管理的bean中,在我的情况下,我的Jersey Resources属于该类。 I injected my user into the tier below the resources, but it's all the same. 我将用户注入到资源下方的层中,但是都一样。
Someone else elegantly blogged the full solution here. 有人优雅地在这里写了完整的解决方案。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.