WebSphere Liberty JSR-250 implementation (RolesAllowed)

Time: 2016-01-08 21:03:29

Tags: java jax-rs websphere-liberty

To use the JSR-250 security annotations (RolesAllowed, PermitAll, DenyAll):

  • In Jersey, you register the RolesAllowedDynamicFeature class.
  • In RESTeasy, you use the web.xml configuration:

Both of these rely on an implementation of <context-param> <param-name>resteasy.role.based.security</param-name> <param-value>true</param-value> </context-param>, but WebSphere Liberty Profile does not seem to have one.

How can we use it in WebSphere Liberty Profile (WLP)?

I used a minimal example:

  1. Using @RolesAllowed: create a resource class/method (SecurityContext.isUserInRole()).
  2. In a filter, set a SecurityContextImpl whose isUserInRole() is overridden to always return true.
  3. Enable "role-based security" for the JAX-RS implementation (as described above for Jersey, RESTeasy, etc.; for WLP I had to add the appSecurity-2.0 feature).
  4. You should have a working example.
  5. However, WebSphere Liberty Profile seems to return 403 Forbidden even though isUserInRole returns true.

Does anyone know how to use the @RolesAllowed annotation correctly in Liberty, and what I might be missing?

Code

    @Path("/rest")
    public class HelloWorld {
        @GET
        @RolesAllowed("ANYTHING")
        public Response hello() {
            return Response.ok("Hello World").build();
        }
    }

    @ApplicationPath("/")
    public class MyApplication extends Application {
        public MyApplication() {}
    }
    
    @Provider
    @Priority(Priorities.AUTHENTICATION)
    public class AuthFilter implements ContainerRequestFilter {
        @Override
        public void filter(ContainerRequestContext ctx) throws IOException {
            System.out.println("Setting SecurityContext..");
            ctx.setSecurityContext(new MySecurityContext("someuser", "anyrole"));
        }
    }
    
    public class MySecurityContext implements SecurityContext {
    
        private String user;
        private String role;
    
        public static class MyPrincipal implements Principal {
            private String name;
    
            public MyPrincipal(String name) { this.name = name; }
            @Override public String getName() { return name; }
        }
    
        public MySecurityContext(String user, String role) {
            this.user = user;
            this.role = role;
        }
    
        @Override public String getAuthenticationScheme() { return "BASIC"; }
        @Override public Principal getUserPrincipal() { return new MyPrincipal(user); }
        @Override public boolean isSecure() { return true; }
    
        @Override
        public boolean isUserInRole(String role) {
            return true;
        }
    }
    
    @Path("/test")
    public class HelloWorld {
        @GET
        @RolesAllowed("doesntmatter")
        public Response hello() {
            return Response.ok("Hello World").build();
        }
    }

pom.xml (dependencies only)

    <dependencies>
        <dependency>
            <groupId>javax.ws.rs</groupId>
            <artifactId>javax.ws.rs-api</artifactId>
            <version>2.0.1</version>
            <scope>provided</scope>
        </dependency>
        <dependency>
            <groupId>javax.annotation</groupId>
            <artifactId>javax.annotation-api</artifactId>
            <version>1.2</version>
            <scope>provided</scope>
        </dependency>
    </dependencies>

server.xml

    The code works with the appSecurity feature disabled. It cannot be enabled.


1 answer:

Answer 0 (score: 0)

Maybe you can try this:

1 server.xml

<server description="test">
    <featureManager>
        <feature>jaxrs-2.0</feature>
        <feature>appSecurity-2.0</feature>
    </featureManager>

    <webApplication id="RoleTest" location="RoleTest.war" name="RoleTest">
        <application-bnd>
            <security-role name="ANYTHING">
                <user name="username" />
            </security-role>
            <security-role name="AuthenticationRole">
                <user name="username" />
            </security-role>
            <security-role name="AllAuthenticated">
                <special-subject type="ALL_AUTHENTICATED_USERS" />
            </security-role>
        </application-bnd>
    </webApplication>

    <httpEndpoint httpPort="9081" httpsPort="9444" id="defaultHttpEndpoint" />

    <basicRegistry id="basic" realm="BasicRegistry">
        <user name="username" password="password" />
    </basicRegistry>
</server>

2 Java code, using @RolesAllowed:

Create the MyApplication class and the resource class/method.

// MyApplication.java
import java.util.HashSet;
import java.util.Set;

import javax.ws.rs.ApplicationPath;
import javax.ws.rs.core.Application;

@ApplicationPath("/")
public class MyApplication extends Application {
    public MyApplication() {}

    // Register the resource classes explicitly instead of relying on classpath scanning.
    @Override
    public Set<Class<?>> getClasses() {
        Set<Class<?>> classes = new HashSet<>();
        classes.add(HelloWorld.class);
        return classes;
    }
}

// HelloWorld.java
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.core.Response;

@Path("/rest")
public class HelloWorld {
    // Only callers mapped to the ANYTHING role in server.xml may reach this method.
    @GET
    @RolesAllowed("ANYTHING")
    public Response hello() {
        return Response.ok("Hello World").build();
    }
}

3 web.xml

<web-app xmlns="http://java.sun.com/xml/ns/javaee" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
    version="3.0">

  <display-name>Test Application</display-name>
  <description>blablabla</description>

    <servlet>
        <servlet-name>MyApplication</servlet-name>
        <servlet-class>com.ibm.websphere.jaxrs.server.IBMRestServlet</servlet-class>
        <init-param>
            <param-name>requestProcessorAttribute</param-name>
            <param-value>requestProcessorAttribute_webcontainer</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet>
        <servlet-name>com.xxx.MyApplication</servlet-name>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <!-- The mapping must reference a declared servlet-name; "MyApplication" matches the servlet above. -->
    <servlet-mapping>
        <servlet-name>MyApplication</servlet-name>
        <url-pattern>/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>com.xxx.MyApplication</servlet-name>
        <url-pattern>/xxx/*</url-pattern>
    </servlet-mapping>


    <security-constraint id="SecurityConstraint_2">
        <web-resource-collection id="WebResourceCollection_2">
            <web-resource-name>com.xxx.MyApplication
            </web-resource-name>
            <description>Protection area for Rest Servlet</description>
            <url-pattern>/xxx/rest</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <user-data-constraint id="UserDataConstraint_2">
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
        <auth-constraint id="AuthConstraint_2">
            <role-name>AuthenticationRole</role-name>
        </auth-constraint>
    </security-constraint>    


    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>test</realm-name>
    </login-config>
    <security-role id="SecurityRole_1">
        <description>blabla</description>
        <role-name>ANYTHING</role-name>
    </security-role>

    <security-role id="SecurityRole_2">
        <role-name>AuthenticationRole</role-name>
    </security-role>

</web-app>

Any other questions, leave me a message.
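As an added example (not the poster's or the answerer's code), here is a diagnostic resource that reads the container-injected SecurityContext instead of replacing it in a filter, so you can see which principal and roles Liberty actually resolved under the server.xml and web.xml above. It assumes the roles ANYTHING and AuthenticationRole and the user "username" from the answer, that the class is registered in MyApplication.getClasses() alongside HelloWorld, and the package name com.example is a placeholder. One caveat worth knowing when reading its output: the web.xml <url-pattern>/xxx/rest</url-pattern> is an exact match under the Servlet specification, so sub-paths such as /xxx/rest/whoami fall outside the auth-constraint unless the pattern is widened to /xxx/rest/*; a null principal from /whoami therefore most likely means the constraint did not apply to that path, not that authentication failed.

```java
// Added example, not from the original question or answer.
// Package name is a placeholder; register RoleDiagnostics in MyApplication.getClasses().
package com.example;

import java.security.Principal;

import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;

@Path("/diag")
public class RoleDiagnostics {

    // Injected by the JAX-RS runtime from the container's authentication state.
    // Nothing here overrides it, so isUserInRole() reflects the server.xml bindings.
    @Context
    private SecurityContext securityContext;

    /** Open to everyone the web.xml constraints let through; reports what the container knows. */
    @GET
    @Path("/whoami")
    @PermitAll
    @Produces(MediaType.TEXT_PLAIN)
    public Response whoAmI() {
        Principal principal = securityContext.getUserPrincipal();
        String name = (principal == null) ? "<anonymous>" : principal.getName();
        String report = describe(name,
                securityContext.isUserInRole("ANYTHING"),          // role from server.xml
                securityContext.isUserInRole("AuthenticationRole")); // role from server.xml
        return Response.ok(report).build();
    }

    /** Enforced by the container: callers not mapped to ANYTHING get 403. */
    @GET
    @Path("/hello")
    @RolesAllowed("ANYTHING")
    @Produces(MediaType.TEXT_PLAIN)
    public Response hello() {
        Principal principal = securityContext.getUserPrincipal();
        String name = (principal == null) ? "<anonymous>" : principal.getName();
        return Response.ok("Hello " + name).build();
    }

    /** Never reachable; a 403 here proves the JSR-250 annotations are being processed at all. */
    @GET
    @Path("/denied")
    @DenyAll
    public Response denied() {
        return Response.ok("you should never see this").build();
    }

    /** Pure formatting helper, kept separate so the report line is easy to grep in server logs. */
    static String describe(String name, boolean inAnything, boolean inAuthenticationRole) {
        return "principal=" + name
                + " ANYTHING=" + inAnything
                + " AuthenticationRole=" + inAuthenticationRole;
    }
}
```

With the answer's configuration, a request for /xxx/diag/hello as "username" (who is bound to ANYTHING in server.xml) should return 200, while /xxx/diag/denied should return 403 regardless of credentials; if /denied returns 200, the appSecurity-2.0 feature or the role bindings are not in effect and the @RolesAllowed result on /hello is not trustworthy either.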