我正在寻找一种方式来启用身份验证基于令牌在泽西。
我是尽量不使用特定的框架。这可能吗?
我想:
在当时的用户报名参加我的web服务,我的web服务生成的令牌,将它发送给客户端,客户端将保留。
然后为每个请求的客户端将不发送用户名或密码,但此令牌。
我在考虑使用自定义过滤器为每个请求和 @ preAuthorize(“hasRole(”角色“)”)的
但我认为这会导致很多的请求到数据库,看看如果令牌是正确的。
和不创建过滤器,并在每个请求把参数令牌?结果
因此,每个API首先检查标记,并执行一些获取资源之后
发布于 2018-02-07 10:00:29
我试图通过添加有关如何支持JSR-250注释的详细信息来扩展先前的答案。然而,最初的答案变成了太久并超过最大长度为30000字符因此,我将整个授权细节移到这个答案上,将另一个答案的重点放在执行身份验证和发出令牌上。
@Secured
注记除了显示在另一个中的身份验证流之外,回答,可以在其他端点中支持基于角色的授权。
根据您的需要定义角色创建一个枚举:
public enum Role {
ROLE_1,
ROLE_2,
ROLE_3
}
更改@Secured
之前创建的支持角色的名称绑定注释:
@NameBinding
@Retention(RUNTIME)
@Target({TYPE, METHOD})
public @interface Secured {
Role[] value() default {};
}
然后用@Secured
执行授权。方法注释将覆盖类注释:
@Path("/example")
@Secured({Role.ROLE_1})
public class ExampleResource {
@GET
@Path("{id}")
@Produces(MediaType.APPLICATION_JSON)
public Response myMethod(@PathParam("id") Long id) {
// This method is not annotated with @Secured
// But it's declared within a class annotated with @Secured({Role.ROLE_1})
// So it only can be executed by the users who have the ROLE_1 role
...
}
@DELETE
@Path("{id}")
@Produces(MediaType.APPLICATION_JSON)
@Secured({Role.ROLE_1, Role.ROLE_2})
public Response myOtherMethod(@PathParam("id") Long id) {
// This method is annotated with @Secured({Role.ROLE_1, Role.ROLE_2})
// The method annotation overrides the class annotation
// So it only can be executed by the users who have the ROLE_1 or ROLE_2 roles
...
}
}
使用AUTHORIZATION
优先级,该优先级在AUTHENTICATION
前面定义的优先级筛选器。
大ResourceInfo
可以用来获取资源。Method
和资源Class
将处理请求,然后解压@Secured
它们的说明:
@Secured
@Provider
@Priority(Priorities.AUTHORIZATION)
public class AuthorizationFilter implements ContainerRequestFilter {
@Context
private ResourceInfo resourceInfo;
@Override
public void filter(ContainerRequestContext requestContext) throws IOException {
// Get the resource class which matches with the requested URL
// Extract the roles declared by it
Class<?> resourceClass = resourceInfo.getResourceClass();
List<Role> classRoles = extractRoles(resourceClass);
// Get the resource method which matches with the requested URL
// Extract the roles declared by it
Method resourceMethod = resourceInfo.getResourceMethod();
List<Role> methodRoles = extractRoles(resourceMethod);
try {
// Check if the user is allowed to execute the method
// The method annotations override the class annotations
if (methodRoles.isEmpty()) {
checkPermissions(classRoles);
} else {
checkPermissions(methodRoles);
}
} catch (Exception e) {
requestContext.abortWith(
Response.status(Response.Status.FORBIDDEN).build());
}
}
// Extract the roles from the annotated element
private List<Role> extractRoles(AnnotatedElement annotatedElement) {
if (annotatedElement == null) {
return new ArrayList<Role>();
} else {
Secured secured = annotatedElement.getAnnotation(Secured.class);
if (secured == null) {
return new ArrayList<Role>();
} else {
Role[] allowedRoles = secured.value();
return Arrays.asList(allowedRoles);
}
}
}
private void checkPermissions(List<Role> allowedRoles) throws Exception {
// Check if the user contains one of the allowed roles
// Throw an Exception if the user has not permission to execute the method
}
}
如果用户没有执行操作的权限,则请求将使用403
(禁止)
若要了解正在执行请求的用户,请参见我先前的回答.你可以从SecurityContext
(应该已经在ContainerRequestContext
)或使用CDI注入它,这取决于您所采用的方法。
如果@Secured
注释没有声明任何角色,您可以假设所有经过身份验证的用户都可以访问该端点,而忽略了用户拥有的角色。
类中的角色。@Secured
如上面所示,您可以考虑jsr-250注释,如@RolesAllowed
,,,@PermitAll
和@DenyAll
...
Jax-RS不支持这种现成的注解,但它可以通过过滤器来实现.。如果您想支持所有这些,请记住以下几点:
@DenyAll
论方法优先于@RolesAllowed
和@PermitAll
。@RolesAllowed
论方法优先于@PermitAll
。@PermitAll
论方法优先于@RolesAllowed
。@DenyAll
不能和类联系在一起。@RolesAllowed
类优先于@PermitAll
。因此,检查JSR-250注释的授权筛选器可能类似于:
@Provider
@Priority(Priorities.AUTHORIZATION)
public class AuthorizationFilter implements ContainerRequestFilter {
@Context
private ResourceInfo resourceInfo;
@Override
public void filter(ContainerRequestContext requestContext) throws IOException {
Method method = resourceInfo.getResourceMethod();
// @DenyAll on the method takes precedence over @RolesAllowed and @PermitAll
if (method.isAnnotationPresent(DenyAll.class)) {
refuseRequest();
}
// @RolesAllowed on the method takes precedence over @PermitAll
RolesAllowed rolesAllowed = method.getAnnotation(RolesAllowed.class);
if (rolesAllowed != null) {
performAuthorization(rolesAllowed.value(), requestContext);
return;
}
// @PermitAll on the method takes precedence over @RolesAllowed on the class
if (method.isAnnotationPresent(PermitAll.class)) {
// Do nothing
return;
}
// @DenyAll can't be attached to classes
// @RolesAllowed on the class takes precedence over @PermitAll on the class
rolesAllowed =
resourceInfo.getResourceClass().getAnnotation(RolesAllowed.class);
if (rolesAllowed != null) {
performAuthorization(rolesAllowed.value(), requestContext);
}
// @PermitAll on the class
if (resourceInfo.getResourceClass().isAnnotationPresent(PermitAll.class)) {
// Do nothing
return;
}
// Authentication is required for non-annotated methods
if (!isAuthenticated(requestContext)) {
refuseRequest();
}
}
/**
* Perform authorization based on roles.
*
* @param rolesAllowed
* @param requestContext
*/
private void performAuthorization(String[] rolesAllowed,
ContainerRequestContext requestContext) {
if (rolesAllowed.length > 0 && !isAuthenticated(requestContext)) {
refuseRequest();
}
for (final String role : rolesAllowed) {
if (requestContext.getSecurityContext().isUserInRole(role)) {
return;
}
}
refuseRequest();
}
/**
* Check if the user is authenticated.
*
* @param requestContext
* @return
*/
private boolean isAuthenticated(final ContainerRequestContext requestContext) {
// Return true if the user is authenticated or false otherwise
// An implementation could be like:
// return requestContext.getSecurityContext().getUserPrincipal() != null;
}
/**
* Refuse the request.
*/
private void refuseRequest() {
throw new AccessDeniedException(
"You don't have permissions to perform this action.");
}
}
注:上面的实现是基于泽西岛的。RolesAllowedDynamicFeature
如果您使用泽西,则不需要编写自己的过滤器,只需使用现有的实现即可。
https://stackoverflow.com/questions/-100005253
复制相似问题