保护我的REST-Api

时间:2013-02-12 12:02:27

标签: java authentication tomcat jersey jax-rs

我用Java编写了一个RESTful API,我希望用HTTP-Auth来保护它。我知道这不是很安全,但在我集成SSL并希望HTTP-Auth工作之前。我正在使用Tomcat,Jersey和Jax-WS。这个我插入到我的web.xml(在Servlet配置下):

[...]    
</servlet-mapping>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Orders</web-resource-name>
        <url-pattern>/orders</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
    <!-- <realm-name>default</realm-name> -->
</login-config>
<security-role>
    <role-name>admin</role-name>
    <role-name>converter-api</role-name>
</security-role>

这是在Java代码中:

@GET @Produces("text/xml") @Path("/{partNO}/") @Consumes("text/xml")
public PartNoTemplate getPartNoResponse(@PathParam("partNO") String parID,
      @Context SecurityContext parSecurityContext) throws WebApplicationException, UnsupportedEncodingException {
// Check Authorisation
checkAuthentication(parSecurityContext);
[...]
}

方法:

  private void checkAuthentication(SecurityContext parSecurityContext) throws WebApplicationException {
    Boolean isAuth = false;

    for(String role: allowedRoles) {
      if(parSecurityContext.isUserInRole(role)) {
        isAuth = true;
      }
    }

    if(!isAuth) {
      throw new WebApplicationException(Response.Status.FORBIDDEN);
    }
  }

但是当我访问/ TNR / 1234时,我只得到403错误并且没有登录字段。我在tomcat配置文件tomcat_users.xml中配置了用户(在/web/WEB_INF/tomcat_users.xml中的T​​omcat安装文件夹和IDE中:

<user username="maxi" password="1234" roles="admin, manager-gui, converter-api" />

我做错了什么?如果这很重要,我正在使用Tomcat 6!

0 个答案:

没有答案