I currently have a web service running some basic authentication through Tomcat. I get the login box to pop up fine, and I can log in with accounts I have defined in the tomcat-users.xml file. However, when it comes to defining permissions based on roles, I'm having some issues.
Currently, I have three roles: manager, admin, and user. I have a few methods which should be only accessible by, say, an admin role. I can log in as my manager/admin/user super account and see everything just fine- but I can do the same as a normal user as well.
The methods are defined like so:
@Path("/Test")
@RolesAllowed("admin")
public class Test
{
@GET
@RolesAllowed("user")
public methodThatMyUsersCanAcess{}
@GET
@Path("/Secure")
@RolesAllowed("admin")
public methodThatOnlyAdminsCanAcess{}
}
I'm really not sure how a 'user' role would be able to access the second method, but somehow it still happens.
After some more investigation, I discovered that using @RolesAllowed
was doing nothing in my code due to the way my web.xml file was configured. I decided to move in the direction of setting authentication by URI path. This is done through modifying the web.xml to allow a subset of users to access each path under separate <security-constraint>
tags. I found my best resource for this here: http://www.coderanch.com/t/176095/java-Web-Component-SCWCD/certification/auth-constraint-confusion in the second post.
The key point is to configure RolesAllowedResourceFilterFactory
in web.xml, as below:
<servlet>
<servlet-name>jersey-servlet</servlet-name>
<servlet-class>com.sun.jersey.spi.spring.container.servlet.SpringServlet</servlet-class>
<init-param>
<param-name>com.sun.jersey.config.property.packages</param-name>
<param-value>com.mycompany.mobile.rest</param-value>
</init-param>
<init-param>
<param-name>com.sun.jersey.api.json.POJOMappingFeature</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>com.sun.jersey.config.feature.Trace</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>com.sun.jersey.spi.container.ContainerRequestFilters</param-name>
<param-value>com.mycompany.mobile.rest.filter.RestSecurityFilter</param-value>
</init-param>
<init-param>
<param-name>com.sun.jersey.spi.container.ResourceFilters</param-name>
<param-value>com.sun.jersey.api.container.filter.RolesAllowedResourceFilterFactory</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.