This article describes how to handle a Jersey2 ContainerRequestFilter that is not executed before validation.

Problem description

I am trying to get security working with my jersey2 web app.

I register RolesAllowedDynamicFeature and my Request filter with AUTHENTICATION priority in my ResourceConfig

packages("example.jersey");
register(MyRequestFilter.class, Priorities.AUTHENTICATION);
register(RolesAllowedDynamicFeature.class);

I added @RolesAllowed to the method

@RolesAllowed("quinn")
@GET
@Path("/")
public Response getIt(@Context UriInfo uriInfo) {
    return Response.ok().entity(service.get()).build();
}

In my request filter I set my security context

SecurityContext securityContext = containerRequestContext.getSecurityContext();
containerRequestContext.setSecurityContext(new MySecurityContext("gary", securityContext));

When I call the method from Postman I get a 403 - Forbidden

I added logging to my request filter to see when it is called. It is NOT called.

If I remove the @RolesAllowed from the web method it does call the request filter.

It seems the Priorities.AUTHENTICATION is not making a difference.

Is there something I am missing?

Recommended answer

Your filter is implemented as a post-matching filter. It means that the filters would be applied only after a suitable resource method has been selected to process the actual request i.e. after request matching happens. Request matching is the process of finding a resource method that should be executed based on the request path and other request parameters.

@RolesAllowed blocks the selection of the particular resource method giving you the 'not executing' behavior you mentioned.

You have two options... using @PreMatching as explained here.

Or, use custom annotations as explained on a similar question.
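
The first option above, written out as an added example that is not part of the original question or answer: a `@PreMatching` request filter for Jersey 2 (`javax.ws.rs` namespace). The body of `MySecurityContext`, its extra role argument and the hard-coded `gary`/`quinn` values are assumptions, since the page does not show that class.

```java
import java.io.IOException;
import java.security.Principal;
import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;

// @PreMatching makes the runtime invoke this filter before a resource method is selected.
@Provider
@PreMatching
@Priority(Priorities.AUTHENTICATION)
public class MyRequestFilter implements ContainerRequestFilter {

    @Override
    public void filter(ContainerRequestContext ctx) throws IOException {
        SecurityContext original = ctx.getSecurityContext();
        // Constructed values for illustration. A real filter derives the user
        // and role from a credential it has verified on this request.
        ctx.setSecurityContext(new MySecurityContext("gary", "quinn", original));
    }

    // Hypothetical implementation of the MySecurityContext named in the question.
    static final class MySecurityContext implements SecurityContext {
        private final String user;
        private final String role;
        private final SecurityContext delegate;

        MySecurityContext(String user, String role, SecurityContext delegate) {
            this.user = user;
            this.role = role;
            this.delegate = delegate;
        }

        @Override public Principal getUserPrincipal() { return () -> user; }

        // RolesAllowedDynamicFeature calls this with each @RolesAllowed value;
        // if it never returns true, the request is rejected with 403.
        @Override public boolean isUserInRole(String r) { return role.equals(r); }

        @Override public boolean isSecure() { return delegate.isSecure(); }

        @Override public String getAuthenticationScheme() { return delegate.getAuthenticationScheme(); }
    }
}
```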
