问题描述
我目前正在Tomcat 7中使用Jersey 2.5.1创建后端服务器。为了安全起见,我使用 @RolesAllowed , @PermitAll 等注释,我创建了自定义 ContainerRequestFilter 和 SecurityContext 。
I'm currently creating a backend server using Jersey 2.5.1 in a Tomcat 7. For the security I'm using the @RolesAllowed, @PermitAll etc. annotations, and I have created my custom ContainerRequestFilter and SecurityContext.
我的问题是,当我的 @RolesAllowed 注释资源被请求时,它总是拒绝许可,即使我强迫我的 isUserInRole(role)返回 true的方法。但是,我的过滤器方法被调用。你有什么建议吗?我将在下面粘贴一些相关代码。
My problem is that when my @RolesAllowed annotated resource is requested it always denies permission, even if I force my isUserInRole(role) method to return true. However, my filter method gets called. Do you have any suggestions? I'll paste some relevant code below.
我的 ContainerRequestFilter 实施:
public class AuthorizationFilter implements ContainerRequestFilter
{
@Override
public void filter(ContainerRequestContext request) throws IOException
{
request.setSecurityContext(new Authorizer());
}
}
我的 SecurityContext 实现:
public class Authorizer implements SecurityContext
{
@Override
public String getAuthenticationScheme() {
return null;
}
@Override
public Principal getUserPrincipal() {
return null;
}
@Override
public boolean isSecure() {
return false;
}
@Override
public boolean isUserInRole(String role) {
return true;
}
}
我的资源:
@Path("/secure")
public class TestSecureResource {
@GET
@PermitAll
@Path("/nonsec_test/{text}")
public Response nonSecureTest(
@PathParam("text") String text){
return Response.status(200).entity(text).build();
}
@GET
@RolesAllowed("admin")
@Path("/sec_test/{text}")
public Response secureTest(
@PathParam("text") String text){
return Response.status(200).entity(text).build();
}
}
我的 ResourceConfig :
@ApplicationPath("/")
public class MyApplication extends ResourceConfig {
public MyApplication() {
super(TestSecureResource.class);
register(RolesAllowedDynamicFeature.class);
register(AuthorizationFilter.class);
}
}
我的网页的相关部分.xml :
<servlet-name>Jersey Web Application</servlet-name>
<servlet-class>org.glassfish.jersey.servlet.ServletContainer</servlet-class>
<init-param>
<param-name>jersey.config.server.provider.packages</param-name>
<param-value>pkg.backend</param-value>
</init-param>
<init-param>
<param-name>javax.ws.rs.Application</param-name>
<param-value>pkg.backend.MyApplication</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
在这种特定情况下,我访问 secureTest 总是被拒绝。澄清事情;我收到HTTP状态码403 - 禁止。
In this specific case, my access to secureTest is always denied. To clarify things; I'm getting HTTP status code 403 - Forbidden.
提前谢谢你们
推荐答案
确保在 MyApplication 中注册了 AuthorizationFilter (参见)或使用进行注释(通过包扫描可以发现它。)
Make sure you have your AuthorizationFilter either registered in your MyApplication (see Registering Resources and Providers in Jersey 2) or annotated with @Provider (to make it discoverable by package scanning).
为了使用安全注释(包 javax.annotation.security )限制访问您需要注册的资源。
In order to use security annotations (package javax.annotation.security) to restrict access to your resources you need to register RolesAllowedDynamicFeature.
您的 AuthorizationFilter 还必须使用 @PreMatching 进行注释,这意味着在匹配阶段(uri)之前调用过滤器 - >资源)。否则, RolesAllowedDynamicFeature 注册的过滤器(在此阶段调用)将看不到自定义 SecurityContext 。
Your AuthorizationFilter has to be also annotated with @PreMatching which means that the filter is invoked before matching phase (uri -> resource). Otherwise filters registered by RolesAllowedDynamicFeature (invoked during this phase) won't see the custom SecurityContext.
泽西岛用户指南 -
Jersey User Guide - Authorization - securing resources
这篇关于SecurityContext不适用于@RolesAllowed的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!