问题描述
我有一个受SSO实现Shibboleth保护的Jersey API. Shibboleth将已登录用户的ID放入request属性中.在后端,我正在使用Shiro进行授权. Shiro想知道已登录的用户,以便它可以加载权限.
I've got a Jersey API that's protected by Shibboleth, an SSO implementation. Shibboleth puts the id of the logged-in user in a request attribute. On the back end, I'm using Shiro for authorization. Shiro would like to know the logged-in user so it can load up permissions.
将userId移出请求属性并放入Shiro的正确方法是什么?现在,我正在尝试的是:
What is the correct way to get that userId out of the request attribute and into Shiro? Right now, what I'm trying is:
@Provider
public final class ShiroLoginFilter implements ContainerRequestFilter {
@Context
private HttpServletRequest request;
@Override
public void filter(final ContainerRequestContext requestContext)
throws IOException {
final String userId = (String) this.request.getAttribute("nameid");
final Subject subject = SecurityUtils.getSubject();
subject.login(new LocusAuthenticationToken(userId));
}
}
不幸的是,由于 JERSEY-1960 ,我无法注入请求上下文进入过滤器.每个用户都需要登录"才能加载权限.我宁愿不必在API的每种方法中都重复登录代码.我的老板也不允许我使用web.xml过滤器.我在这里有什么好的选择吗?
Unfortunately, due to JERSEY-1960, I can't inject the request context into a filter. Every user needs to "login" in order to load permissions. I'd rather not have to repeat the login code in every method of the API. I am also not permitted to use a web.xml filter (by my boss). Do I have any good option here?
推荐答案
您还应该能够通过ContainerRequestContext#getProperty ,如该方法的JavaDoc中所述:
You should also be able to obtain ServletRequest attributes directly from ContainerRequestContext via ContainerRequestContext#getProperty as described in the JavaDoc of the method:
注意:自Jersey 2.4(于2013年10月发布)以来,注入HttpServletRequest应该可以正常工作.
Note: Injecting HttpServletRequest should work as expected since Jersey 2.4 (released in 10.2013).
这篇关于在Jersey ContainerRequestFilter中读取请求属性的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!