Authentication for separate services in REST API
I am learning REST APIs with Java and have completed most of it except authentication. I created two Java web services, buyerservice and sellerservice. Inside them there are many sub-services with specific paths.
I want to create separate authentication for the above services, so that sellers can access SellerService and buyers can access BuyerServices. So far I have created one filter class and two authentication service classes, BuyerAuthService and SellerAuthService, one for each of the above services. In the login servlet, after authentication, I add the base64-encoded value of the username and password to a cookie under the "Authorization" tag. So every time, in the filter class, it gets the cookie and validates it.
Here is the filter class:
package com.shopping.client;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.StringTokenizer;

import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class RestAuthenticationFilter implements javax.servlet.Filter {

    public static final String AUTHENTICATION_HEADER = "Authorization";

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain filter) throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            HttpServletRequest httpServletRequest = (HttpServletRequest) request;

            // Read the Base64 credentials that the login servlet stored in the "Authorization" cookie.
            Cookie[] cookies = httpServletRequest.getCookies();
            String authCredentials = "";
            if (cookies != null) { // getCookies() returns null when the request carries no cookies
                for (Cookie cookie : cookies) {
                    if (AUTHENTICATION_HEADER.equals(cookie.getName())) {
                        authCredentials = cookie.getValue();
                    }
                }
            }

            // Accept an HTTP Basic style "Basic <base64>" value as well as the bare value.
            final String encodedUserPassword = authCredentials.replaceFirst("Basic ", "");
            String usernameAndPassword = "";
            try {
                byte[] decodedBytes = Base64.getDecoder().decode(encodedUserPassword);
                usernameAndPassword = new String(decodedBytes, StandardCharsets.UTF_8);
            } catch (IllegalArgumentException e) {
                // Not valid Base64: leave the credentials empty so that authentication fails below.
            }

            // Expected form is "username:password"; missing parts become empty strings.
            final StringTokenizer tokenizer = new StringTokenizer(usernameAndPassword, ":");
            final String username = tokenizer.hasMoreTokens() ? tokenizer.nextToken() : "";
            final String password = tokenizer.hasMoreTokens() ? tokenizer.nextToken() : "";

            // Checks only that the credentials are valid for some service; it does not
            // check that the user belongs to the service whose URI is being requested.
            boolean authenticationStatus = false;
            if (username.equals("buyerservice")) {
                BuyerAuthService buyAuth = new BuyerAuthService();
                authenticationStatus = buyAuth.authenticate(username, password);
            } else if (username.equals("sellerservice")) {
                SellerAuthService sellAuth = new SellerAuthService();
                authenticationStatus = sellAuth.authenticate(username, password);
            }

            if (authenticationStatus) {
                filter.doFilter(request, response);
            } else {
                if (response instanceof HttpServletResponse) {
                    HttpServletResponse httpServletResponse = (HttpServletResponse) response;
                    httpServletResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                }
            }
        }
    }

    @Override
    public void destroy() {
    }

    @Override
    public void init(FilterConfig arg0) throws ServletException {
    }
}
Here is my buyer authentication service class method:
public class BuyerAuthService {

    public boolean authenticate(String username, String password) {
        if (null == username)
            return false;
        // Credentials are hard-coded for this learning exercise.
        boolean authenticationStatus = "buyerservice".equals(username)
                && "buyerservice".equals(password);
        return authenticationStatus;
    }
}
The seller authentication service is the same as above, with changes such as the username and password.
My loginservlet is:
// doPost of the login servlet; username and password come from the login form.
// The form parameter names and the redirect target URL are not shown in the original.
protected void doPost(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException {
    String username = request.getParameter("username"); // assumed parameter name
    String password = request.getParameter("password"); // assumed parameter name
    String URL = "index.html";                           // placeholder for the redirect target

    // The filter expects the cookie to hold Base64("username:password").
    String authString = username + ":" + password;
    String authStringEnc = Base64.getEncoder().encodeToString(authString.getBytes(StandardCharsets.UTF_8));
    System.out.println("Base64 encoded auth string: " + authStringEnc);

    if ("sellerservice".equals(username)) {
        SellerAuthService sellAuth = new SellerAuthService();
        if (sellAuth.authenticate(username, password)) {
            Cookie cookie = new Cookie("Authorization", authStringEnc);
            response.addCookie(cookie);
            System.out.println("HeaderSet");
            response.sendRedirect(URL);
        } else {
            response.sendError(404, "Wrong username password combination");
        }
    } else if ("buyerservice".equals(username)) {
        BuyerAuthService buyAuth = new BuyerAuthService();
        if (buyAuth.authenticate(username, password)) {
            Cookie cookie = new Cookie("Authorization", authStringEnc);
            response.addCookie(cookie);
            System.out.println("HeaderSet");
            response.sendRedirect(URL);
        } else {
            response.sendError(404, "Wrong username password combination");
        }
    } else {
        response.sendError(404, "Username doesn't exist");
    }
}
I get the username and password from the login form.
The problem with the above filter class is that even if I log in as sellerservice and try to access buyerservice URIs, I can still access them. But I want them to be redirected to an unauthorized HTML page. Please help me with suggestions. Since I am new to authentication, any proper guidance would also help me. Thanks in advance!
I added separate filters for each service and added the same filter information in the web.xml file.
My web.xml file is:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" id="WebApp_ID" version="3.0">
    <display-name>ElectronicsShopping</display-name>
    <welcome-file-list>
        <welcome-file>index.html</welcome-file>
        <welcome-file>index.htm</welcome-file>
        <welcome-file>LoginServlet.jsp</welcome-file>
        <welcome-file>default.html</welcome-file>
        <welcome-file>default.htm</welcome-file>
        <welcome-file>default.jsp</welcome-file>
    </welcome-file-list>
    <servlet>
        <servlet-name>Electronic Shopping</servlet-name>
        <servlet-class>org.glassfish.jersey.servlet.ServletContainer</servlet-class>
        <init-param>
            <param-name>jersey.config.server.provider.packages</param-name>
            <param-value>com.shopping.client,com.jersey.jaxb,com.fasterxml.jackson.jaxrs.json</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>Electronic Shopping</servlet-name>
        <url-pattern>/rest/*</url-pattern>
    </servlet-mapping>
    <filter>
        <filter-name>SellerAuthenticationFilter</filter-name>
        <filter-class>com.shopping.client.SellerAuthenticationFilter</filter-class>
    </filter>
    <filter>
        <filter-name>BuyerAuthenticationFilter</filter-name>
        <filter-class>com.shopping.client.BuyerAuthenticationFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>SellerAuthenticationFilter</filter-name>
        <url-pattern>/rest/sellerservice/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
        <filter-name>BuyerAuthenticationFilter</filter-name>
        <url-pattern>/rest/buyerservice/*</url-pattern>
    </filter-mapping>
</web-app>
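As an added example (not the asker's code), here is one way to have a single filter both authenticate the cookie and then authorize it against the service path, which is the step the filter in the question is missing. It reuses the asker's BuyerAuthService and SellerAuthService, assumes the filter is mapped to /rest/* in web.xml, and the class name ServiceScopedAuthFilter is hypothetical.

```java
package com.shopping.client;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.*;
// Added example, not the asker's code: authenticate the cookie, then authorize it against the service path.
public class ServiceScopedAuthFilter implements Filter {
    private static final String COOKIE_NAME = "Authorization";
    @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String[] creds = decodeCredentials(request.getCookies());
        if (creds == null) { response.sendError(HttpServletResponse.SC_UNAUTHORIZED); return; }
        String username = creds[0], password = creds[1];
        boolean authenticated =
                ("buyerservice".equals(username) && new BuyerAuthService().authenticate(username, password))
             || ("sellerservice".equals(username) && new SellerAuthService().authenticate(username, password));
        if (!authenticated) { response.sendError(HttpServletResponse.SC_UNAUTHORIZED); return; }
        // Authorization step the question's filter lacks: the requested path decides who may pass.
        String path = request.getRequestURI().substring(request.getContextPath().length());
        String required = requiredUser(path);
        if (required == null || !required.equals(username)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN); return; // valid login, wrong service
        }
        chain.doFilter(request, response);
    }
    /** Maps a service path to the only user allowed to call it (paths assumed from the web.xml above). */
    static String requiredUser(String path) {
        if (path.startsWith("/rest/sellerservice/")) return "sellerservice";
        if (path.startsWith("/rest/buyerservice/")) return "buyerservice";
        return null; // not a known service: deny by default
    }
    /** Returns {user, password} from the Base64 "user:password" cookie, or null if absent or malformed. */
    static String[] decodeCredentials(Cookie[] cookies) {
        if (cookies == null) return null;
        for (Cookie c : cookies) {
            if (!COOKIE_NAME.equals(c.getName())) continue;
            try {
                String decoded = new String(Base64.getDecoder().decode(c.getValue()), StandardCharsets.UTF_8);
                int sep = decoded.indexOf(':');
                if (sep > 0) return new String[] { decoded.substring(0, sep), decoded.substring(sep + 1) };
            } catch (IllegalArgumentException ignored) { /* not valid Base64 */ }
        }
        return null;
    }
    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
}
```

A valid seller login requesting a buyerservice URI gets 403 rather than passing through, while a missing or invalid cookie gets 401, so the two failure modes stay distinguishable in logs.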