JBOSS AS7 jax-rs jaas和注释

时间:2013-06-19 22:22:19

标签: java jboss jax-rs jaas

嘿,我希望有人可以帮助尝试最近两天来弄清楚我做错了什么。 我想要一个程序化的登录到JAX-RS api并在我的端点上使用@RolesAlowed注释。

我登录正常并且可以看到登录端点中的主体集也获得了JSESSIONID。但是当我调用带有@RolesAllowed(“USER”)注释的/ info / ping端点时,它会抛出UnauthenticatedException。如果删除注释,则req.getUserPrincipal()通过cookie设置为null事件。

任何帮助都将不胜感激。

我正在使用jboss作为7

设置如下:

Standalone.xml

<security-domain name="api" cache-type="default">
    <authentication>
        <login-module code="Database" flag="required">
            <module-option name="dsJndiName" value="java:jboss/datasources/MysqlDS"/>
            <module-option name="principalsQuery" value="select password from SiteUser where email=?"/>
            <module-option name="rolesQuery" value="select role, 'Roles' from user_roles where email=?"/>
            <module-option name="hashAlgorithm" value="MD5"/>
            <module-option name="hashEncoding" value="base64"/>
            <module-option name="unauthenticatedIdentity" value="GUEST"/>
        </login-module>
    </authentication>
</security-domain>

Web.xml中

<context-param>
    <param-name>resteasy.role.based.security</param-name>
    <param-value>true</param-value>
</context-param>
<filter>
    <filter-name>Resteasy</filter-name>
    <filter-class>
        org.jboss.resteasy.plugins.server.servlet.FilterDispatcher
    </filter-class>
    <init-param>
        <param-name>javax.ws.rs.Application</param-name>
        <param-value>com.surecoin.api.rest.RootApplication</param-value>
    </init-param>
    <init-param>
        <param-name>resteasy.scan</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>admin_resources</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>PUT</http-method>
        <http-method>DELETE</http-method>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<!-- Login Prompt -->
<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/login/login.xhtml</form-login-page>
        <form-error-page>/error.xhtml</form-error-page>
    </form-login-config>    
</login-config>
<security-role>
    <description>Users</description>
    <role-name>USER</role-name>
</security-role>
<security-role>
    <role-name>guest</role-name>
</security-role>
<security-role>
    <description>Admin</description>
    <role-name>ADMIN</role-name>
</security-role>
<security-role>
    <role-name>GUEST</role-name>
</security-role>

的JBoss-web.xml中

<jboss-web>
    <security-domain>api</security-domain>
</jboss-web>

登录代码:

@POST
@Path("login")
@Produces(MediaType.APPLICATION_JSON)
public Response login(@FormParam("email") String email, @FormParam("password") String password,
        @Context HttpServletRequest req) {
    String username = email; 
    //only login if not already logged in...
    if(req.getUserPrincipal() == null) {
        try {
            req.login(username, password);
            System.out.println(req.getUserPrincipal().toString());
        }
        catch(ServletException e){
            e.printStackTrace();
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }

    } else {
        System.out.println(req.getUserPrincipal().toString());
        req.getServletContext().log("Skip logged because already logged in: "+ username);
    }

    req.getServletContext().log("Authentication Demo: successfully retrieved User Profile from DB for " + username);
    return Response.ok().build();
}


Finally the security check:
@Path("/info/ping")
@Produces(MediaType.APPLICATION_JSON)
@RolesAllowed("USER")
@GET
public String ping(@Context HttpServletRequest req){
    System.out.println(req.getUserPrincipal());
    System.out.println(req.isUserInRole("USER"));
    return "{\"status\":\"ok\"}";
}

1 个答案:

答案 0 :(得分:0)

Servlet 3.0中的Principal是会话作用域。确保第二个请求已映射/使用相同的会话(使用JSESSIONID)。