stackoom
  简体   繁体   中英

Dropwizard View authentication by example

 原文  2015-11-12 19:59:18       java/ authentication/ cookies/ shiro/ dropwizard

Question

I'm familiar with implementing BasicAuth security in Dropwizard, but only for RESTful endpoints/resources.

I am now experimenting with Dropwizard Views to see if I can use it to be both a web and REST server all in one. The web app will have "public" pages (that are really just static HTML files; "About Us", "Contact Us", etc.) as well as "private" (dynamic) pages, which really form the app. To get to these pages the user must be authenticated (logged in).

So this means I have the need for two distinct DW authentication mechanisms:

  • A typical DW security mechanism for authenticating REST API clients, which I'm familiar with; and
  • A way to implement a log in system for authenticating end users for the web app pages/resources

Ideally, I'd like Apache Shiro to handle all auth for my system (REST and web alike), and I see the Dropwizard-Shiro lib, but that seems to only authenticate REST endpoints.

My web login system need to work like so:

  1. A user tries to go to an "authenticated" (private) URL.
  2. A servlet filter (that I create myself and register with the environment ) intercepts the request and can tell (perhaps a cookie/session var?) whether the user is authenticated or not.
  3. If the user is authenticated, they are allowed to proceed to their intended URL (" target URL "). Otherwise they are redirected to a login page. When they login a DW resource/controller hands their credentials off to Shiro, who then decides whether the credentials are valid or not.
  4. If the credentials are valid, they get a cookie/session var (?) and are redirected to their target URL. Otherwise they are redirected back to the login page which will now display a failure message.

My main concerns are: * What should I implement for the cookie/session var that the servlet will check for? ; and * How do I integrate my auth controller (that is, the resource that handles redirection between the login page and the target URL) with Shiro? Is it possible to do this via that Dropwizard-Shiro lib?

My best attempt thus far:

Custom Servlet Filter (registered with environment ): 

public class AuthFilter implements ContainerResponseFilter {
    @Override
    public void filter(ContainerRequestContext requestContext, 
            ContainerResponseContext responseContext) {
        Cookie[] cookies = requestContext.getCookies();
        boolean authenticated = false;
        for(Cookie cookie : cookies) {
            // 1. This is my first concern. What is better/more secure
            //    than what I'm doing here?
            if("my_app_auth_cookie".equals(cookie.getName())) {
                authenticated = true;
            }
        }

        if(authenticated == false) {
            responseContext.sendDirect("/auth/login");
        }
    }
}

If they are not authenticated they redirect to /auth/login which hits a AuthController (again, registered with the environment as a resource): 

@Path("/auth")
@Produces(MediaType.TEXT_HTML)
public class AuthController {
    @GET
    @Path("/login")
    public LoginPageView login() {
        // Render some "login.ftl" template as HTML.
    }

    @POST
    @Path("/authenticate")
    public ??? authenticate(??? username, ??? password) {
        // 2. Somehow send 'username' and 'password' to Shiro...
        MyAppUser user = myAppRealm.authenticate(username, password);

        // Now what do I do with 'user'?
    }
}

When the user submits the form on the login page (which might be a POST to /auth/authenticate ) we somehow hand their inputted credentials off to Shiro (again I'd like to use that Dropwizard-Shiro lib since I will likely also be using it for my REST endpoints).

1 answers

solution1
 2 ACCPTED  2015-11-12 23:22:38

Apache Shiro has its own type of filters which are configured in shiro.ini .

Example: 

[urls]
/api/** = noSessionCreation, authcBasic
/views/login = authc
/views/authenticated = authc, user

Configure the authc filter to redirect to a login form page that you implement. Use the filter's form parameters and POST to /views/login .

If you enable the session manager in Jetty, Shiro should create servlet sessions when they log in from the login form page.

Please note that I haven't actually tested this configuration.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question DropWizard Auth by Example OAuth authentication with DropWizard How to do authentication in dropwizard authentication flow in dropwizard How to do Basic Authentication of a resource in Dropwizard How to view custom 404 page in Dropwizard Dropwizard update View from POST method Dropwizard example giving 400 error when creating new resource Creating JSON Web Tokens through Basic Authentication endpoint? Dropwizard How to create a GET request inside the dropwizard authentication method?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM