使用Dropwizard 0.9.1我创建了一个自定义AuthFilter来检查会话cookie,如下所示:
Priority(Priorities.AUTHENTICATION)
public class SessionAuthFilter extends AuthFilter<String /*session key*/, SessionUser /*principal*/> {
private SessionAuthFilter() {
}
@Override
public void filter(ContainerRequestContext requestContext) throws IOException {
Cookie sessionKey = requestContext.getCookies().get("sessionKey");
if (sessionKey != null) {
try {
Optional<SessionUser> principal = new SessionAuthenticator().authenticate(sessionKey.getValue());
requestContext.setSecurityContext(new SecurityContext() {
@Override
public Principal getUserPrincipal() {
return principal.get();
}
@Override
public boolean isUserInRole(String role) {
return false;
}
@Override
public boolean isSecure() {
return requestContext.getSecurityContext().isSecure();
}
@Override
public String getAuthenticationScheme() {
return SecurityContext.FORM_AUTH;
}
});
return;
} catch (AuthenticationException e) {
throw new InternalServerErrorException(e.getMessage(), e);
}
}
throw new NotAuthorizedException("Please log in!", "realm="+realm);
}
并注册如下:
environment.jersey().register(new AuthDynamicFeature(new SessionAuthFilter.Builder().setAuthenticator(new
SessionAuthenticator()).setRealm("Login").buildAuthFilter()));
environment.jersey().register(RolesAllowedDynamicFeature.class);
问题是我不能在资源类的类级别上使用@Permitall注释。它工作正常如果我使用on方法,但不在类上过滤。
资源类:
@Path("/")
@PermitAll //Doesn't work here
@Produces(MediaType.APPLICATION_JSON)
public class HomeResource {
@GET
@PermitAll //Works fine if here
@Path("/about")
public Response get() {
}
}
任何人都知道吗?
答案 0 :(得分:1)
DW 9.x中不支持类级别的Authz注释。您可以在AuthDynamicFeature的源代码中看到,只检查方法级别注释,最终只将auth过滤器注册到带有Authz注释的方法。
此限制已在this pull request (to 1.0.0)中修复,其中将支持班级@RolesAllowed和@PermitAll。