问题描述

我已经花了数小时在嵌入式Jetty 9.1.0.v20131115和RESTEasy 3.0.5.Final中安装自定义登录服务.我的登录服务将在数据库中查找用户并为其分配角色.看起来像这样:

I've spend hours installing a custom login service in embedded Jetty 9.1.0.v20131115 and RESTEasy 3.0.5.Final. My login service will look users up in a database and assign them roles. It looks something like this:

final Constraint restConstraint = new Constraint();
restConstraint.setName(Constraint.__BASIC_AUTH);
restConstraint.setRoles(new String[]{"user", "admin");
restConstraint.setAuthenticate(true);
final ConstraintMapping restConstraintMapping = new ConstraintMapping();
restConstraintMapping.setConstraint(restConstraint);
restConstraintMapping.setPathSpec("/api/*");
final ConstraintSecurityHandler restSecurityHandler = new ConstraintSecurityHandler();
final LoginService myLoginService = new MyLoginService();
restSecurityHandler.setAuthenticator(new BasicAuthenticator());
restSecurityHandler.setRealmName(myLoginService.getName());
restSecurityHandler.addConstraintMapping(restConstraintMapping);
restSecurityHandler.setLoginService(myLoginService);

我有角色user的用户joe-user和同时具有user和admin角色的jane-admin.我有一个名为my-resource的REST GET资源，标记为:

I have users joe-user who has the role of user, and jane-admin who has both user and admin roles. I have a REST GET resource named my-resource marked with:

@RolesAllowed("admin")

当我在my-resource上执行HTTP GET时，浏览器正确地请求了凭据，并且我可以以joe-user或jane-admin身份登录.问题是任何一个用户都可以GET my-resource !!

When I do an HTTP GET on my-resource, the browser correctly requests credentials, and I can login as either joe-user or jane-admin. The problem is that either user is allowed to GET my-resource!!

我已经找到了一些Jetty代码，实际上，由于上​​面的登录服务，Jetty询问登录用户支持哪些角色.不幸的是，无论用户是谁，Jetty都将接受我在restConstraint.setRoles(new String[]{"user", "admin")中指定的任何角色.

I've traced through some of the Jetty code, and indeed, as a result of my login service above, Jetty asks the login user which roles is supported. Unfortunately, Jetty will accept any of the roles I've specified in restConstraint.setRoles(new String[]{"user", "admin"), regardless of the user.

显然，应该是RESTEasy层才能识别@RolesAllowed("admin")批注并验证用户.但是我如何获得RESTEasy的帮助呢?

Apparently it is the RESTEasy layer that is supposed to recognize the @RolesAllowed("admin") annotation and validate the user. But how do I get RESTEasy to do that?

推荐答案

在，我发现为了使RESTEasy能够使用@RolesAllowed批注，必须打开web.xml文件中的resteasy.role.based.security上下文参数开关.或以编程方式，例如我正在做的事情:

With a little help from the RESTEasy documentation, I found out that in order for RESTEasy to honor the @RolesAllowed annotations, one must turn on the resteasy.role.based.security context parameter switch in the web.xml file; or programatically, as I am doing:

final ServletHolder servletHolder = new ServletHolder(new HttpServlet30Dispatcher());
servletHolder.setInitParameter("javax.ws.rs.Application", MyApplication.class.getName());
servletHolder.setInitParameter("resteasy.role.based.security", String.valueOf(true));
contextHandler.addServlet(servletHolder, "/api/*");

这篇关于RESTEasy支持JAX-RS @RolesAllowed的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！