我正在尝试使用JAX-RS过滤器对用户进行身份验证，到目前为止似乎还行得通。这是我要设置新SecurityContext的过滤器:

@Provider
public class AuthenticationFilter implements ContainerRequestFilter {

  @Override
  public void filter(final ContainerRequestContext requestContext) throws IOException {

    requestContext.setSecurityContext(new SecurityContext() {
      @Override
      public Principal getUserPrincipal() {
        return new Principal() {
          @Override
          public String getName() {
            return "Joe";
          }
        };
      }

      @Override
      public boolean isUserInRole(String string) {
        return false;
      }

      @Override
      public boolean isSecure() {
        return requestContext.getSecurityContext().isSecure();
      }

      @Override
      public String getAuthenticationScheme() {
        return requestContext.getSecurityContext().getAuthenticationScheme();
      }
    });

    if (!isAuthenticated(requestContext)) {
      requestContext.abortWith(
              Response.status(Status.UNAUTHORIZED)
              .header(HttpHeaders.WWW_AUTHENTICATE, "Basic realm=\"Example\"")
              .entity("Login required.").build());
    }
  }

  private boolean isAuthenticated(final ContainerRequestContext requestContext) {
    return requestContext.getHeaderString("authorization") != null; // simplified
  }
}

  @GET
  // @RolesAllowed("user")
  public Viewable get(@Context SecurityContext context) {
    System.out.println(context.getUserPrincipal().getName());
    System.out.println(context.isUserInRole("user"));
    return new Viewable("index");
  }

.register(RolesAllowedDynamicFeature.class)

您需要为身份验证过滤器定义优先级，否则RolesAllowedRequestFilter中的RolesAllowedDynamicFeature将在AuthenticationFilter之前执行。如果您查看源代码，则RolesAllowedRequestFilter具有注释@Priority(Priorities.AUTHORIZATION)，因此，如果将@Priority(Priorities.AUTHENTICATION)分配给身份验证过滤器，它将在RolesAllowedRequestFilter之前执行。像这样:

@Provider
@Priority(Priorities.AUTHENTICATION)
public class AuthenticationFilter implements ContainerRequestFilter {