问题描述
我需要在 Tomcat 6.0.24 容器中保护一个简单的 Jersey RESTful API.我想通过使用 tomcat-users.xml
文件定义用户和角色的基本身份验证来保持身份验证(这是现在,就像我说的很小).
I need to secure a simple Jersey RESTful API in a Tomcat 6.0.24 container. I'd like to keep the authentication with Basic Authentication using the tomcat-users.xml
file to define the users and roles (this is for now, like I said it's small).
现在,对于授权,我希望能够使用 JSR 250 注释,例如 @RolesAllowed
、@PermitAll
、@DenyAll
等
Now, for authorization I'd like to be able to use the JSR 250 annotations like @RolesAllowed
, @PermitAll
, @DenyAll
, etc.
我终其一生都无法弄清楚如何将这一切联系在一起.
I cannot for the life of me figure out how to wire this all up together.
我真的不想走 Spring Security 路线,因为我目前需要一些非常简单的东西.
I really don't want to go the Spring Security route, since I need something very simple at the current time.
有人能指出我正确的方向吗?
Can someone point me in the right direction?
推荐答案
您可以首先使用一个过滤器,它涵盖了身份验证和权限管理.通过实现 ResourceFilter 和 ContainerRequestFilter,您可以获取 httpRequest、会话,然后将您的应用程序/请求重定向到相关方法.
You can start with using a filter which covers the authentication and privilege management at first.with implemeting ResourceFilter and ContainerRequestFilter, you ability to get httpRequest, sessions then redirects your application/requests to related methods.
对于权限管理,您可以实现 SecurityContext 过滤器.您必须首先检查 isUserInRole 才能让请求进入方法.
For privilege management you can implement SecurityContext filter. you have to check isUserInRole at first to let request go inside method.
以下是 SecurityContext 实现的示例:
Here is the sample for SecurityContext implementation:
public class SecurityContextImpl implements SecurityContext {
private final SessionUser user;
public SecurityContextImpl(SessionUser user) {
this.user = user;
}
public Principal getUserPrincipal() {
return user;
}
public boolean isUserInRole(String role) {
if(user == null) {
throw new AuthenticationException();
}
if(ObjectUtil.isNull(user.getPrivileges())){
throw new AuthenticationException();
}
if(!user.getPrivileges().contains(role)) {
throw new InvalidAuthorizationHeaderException();
}
return user.getPrivileges().contains(role);
}
public boolean isSecure() {
return false;
}
public String getAuthenticationScheme() {
return SecurityContext.BASIC_AUTH;
}
}
这是基本的 SecurityContextFilter 实现:
Here is the basic SecurityContextFilter implementation :
public class SecurityContextFilter implements ResourceFilter, ContainerRequestFilter {
private static final Logger LOG = LoggerFactory.getLogger(SecurityContextFilter.class);
protected static final String HEADER_AUTHORIZATION = "Authorization";
protected static final String HEADER_DATE = "x-java-rest-date";
protected static final String HEADER_NONCE = "nonce";
private HttpServletRequest httpRequest;
public SecurityContextFilter() {
}
public ContainerRequest filter(ContainerRequest request) {
SessionUser sessionUser = (SessionUser) httpRequest
.getSession()
.getAttribute("sessionUser");
request.setSecurityContext(new SecurityContextImpl(sessionUser));
return request;
}
public ContainerRequestFilter getRequestFilter() {
return this;
}
public ContainerResponseFilter getResponseFilter() {
return null;
}
public HttpServletRequest getHttpRequest() {
return httpRequest;
}
public void setHttpRequest(HttpServletRequest httpRequest) {
this.httpRequest = httpRequest;
}
}
不要忘记将过滤器作为 init-param 放在 web.xml 中,
Do not forget to put your filter as an init-param inside the web.xml,
然后您可以使用您的角色-权限-身份验证逻辑来处理请求.
Then you can handle request with your role-privilege-authentication logic.
这篇关于Jersey、Tomcat 和安全注释的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!