如何從請求中獲取用戶憑據?
[英]How to get user credentials from request?
問題描述
我正在研究與粗粒度授權有關的Restlet教程示例:
public class MyApiWithRoleAuthorization extends Application {
//Define role names
public static final String ROLE_USER = "user";
public static final String ROLE_OWNER = "owner";
@Override
public Restlet createInboundRoot() {
//Create the authenticator, the authorizer and the router that will be protected
ChallengeAuthenticator authenticator = createAuthenticator();
RoleAuthorizer authorizer = createRoleAuthorizer();
Router router = createRouter();
Router baseRouter = new Router(getContext());
//Protect the resource by enforcing authentication then authorization
authorizer.setNext(Resource0.class);
authenticator.setNext(baseRouter);
//Protect only the private resources with authorizer
//You could use several different authorizers to authorize different roles
baseRouter.attach("/resourceTypePrivate", authorizer);
baseRouter.attach("/resourceTypePublic", router);
return authenticator;
}
private ChallengeAuthenticator createAuthenticator() {
ChallengeAuthenticator guard = new ChallengeAuthenticator(
getContext(), ChallengeScheme.HTTP_BASIC, "realm");
//Create in-memory users with roles
MemoryRealm realm = new MemoryRealm();
User user = new User("user", "user");
realm.getUsers().add(user);
realm.map(user, Role.get(this, ROLE_USER));
User owner = new User("owner", "owner");
realm.getUsers().add(owner);
realm.map(owner, Role.get(this, ROLE_OWNER));
//Attach verifier to check authentication and enroler to determine roles
guard.setVerifier(realm.getVerifier());
guard.setEnroler(realm.getEnroler());
return guard;
}
private RoleAuthorizer createRoleAuthorizer() {
//Authorize owners and forbid users on roleAuth's children
RoleAuthorizer roleAuth = new RoleAuthorizer();
roleAuth.getAuthorizedRoles().add(Role.get(this, ROLE_OWNER));
roleAuth.getForbiddenRoles().add(Role.get(this, ROLE_USER));
return roleAuth;
}
private Router createRouter() {
//Attach Server Resources to given URL
Router router = new Router(getContext());
router.attach("/resource1/", Resource1.class);
router.attach("/resource2/", Resource2.class);
return router;
}
public static void main(String[] args) throws Exception {
//Attach application to http://localhost:9000/v1
Component c = new Component();
c.getServers().add(Protocol.HTTP, 9000);
c.getDefaultHost().attach("/v1", new MyApiWithRoleAuthorization());
c.start();
}
}
我創建一個用於檢查用戶憑據的類:
public class Resource1 extends ServerResource{
@Get
public String represent() throws Exception {
User user = getRequest().getClientInfo().getUser();
String identifier = user.getIdentifier();
char[] pass = user.getSecret();
return this.getClass().getSimpleName() + " found ! User: " + identifier +
"; password = " + charArrayToString(pass) ;
}
private String charArrayToString(char[] chars ) {
String result = "";
for (char c : chars){
result += c;
}
return result;
}
}
當我轉到資源http:// localhost:9000 / v1 / resourceTypePublic / resource1 /時 ,應用程序要求提供憑據,然后輸入“ user”,“ user”(或“ owner”,“ owner”)。 但是我收到內部服務器錯誤。 原因是變量在return語句中傳遞
return this.getClass().getSimpleName() + " found ! User: " + identifier +
"; password = " + charArrayToString(pass) ;
具有空值。 沒有該變量的語句可以正常工作:
return this.getClass().getSimpleName() + " found ! User: " + identifier;
並返回用戶登錄名。 但是秘密呢? 為什么盡管輸入了用戶密碼也返回空值?
1 個解決方案
解決方案1
0 2017-02-12 09:59:08
用語句創建的用戶對象
User user = getRequest().getClientInfo().getUser();
盡管具有密碼,但它不包含有關密碼的信息。 還有另一種獲取用戶憑據的方法:
char[] pass = getChallengeResponse().getSecret();
在Spring中,如何獲得其憑據不屬於當前http請求的當前用戶?
[英]In Spring how do you get the current user whose credentials are not part of the current http request?
如何讓Hadoop客戶端在安全(Kerberos)集群中使用正確的憑據
[英]How to get Hadoop client to user correct credentials in a secure (Kerberos) clusters
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.