I have a demo JAX-RS project using Jersey. Now I am trying to add Spring Security's method-level security, but unfortunately it is not working, although the intercept-url XML way works fine.

Updated pom.xml

Updated web.xml

<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        /WEB-INF/security.xml,
        /WEB-INF/beans.xml
    </param-value>
</context-param>
<!-- this is the default security impl name used by DelegatingFilterProxy -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

/WEB-INF/security.xml

<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security.xsd">
    <!-- kind of authentication applied 1) Basic 2) form-based etc.. auto-config="true" use-expressions="true"-->
    <http auto-config="true">
        <http-basic />
    </http>
    <!-- this allows enabling security annotations in RESTful resources -->
    <global-method-security secured-annotations="enabled" />
    <!-- for defining users and roles -->
    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="admin" password="admin" authorities="ROLE_CUSTOMER,ROLE_ADMIN"/>
                <user name="student" password="student" authorities="ROLE_CUSTOMER"/>
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>

Annotated service interface methods

import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import org.springframework.security.access.annotation.Secured;

public interface StudentServiceInterface {
    @GET
    @Path("/students")
    @Secured("ROLE_CUSTOMER")
    public Response getStudents();

    @GET
    @Path("/students/{id}")
    @Secured("ROLE_CUSTOMER")
    public Response getStudent(@PathParam("id") int id);

    @POST
    @Path("/students")
    @Consumes(MediaType.APPLICATION_JSON)
    @Secured("ROLE_ADMIN")
    public Response addStudent(Student stu);
}

Now, when I try to access the resource student (/student) class, it opens without asking for a password.

http://localhost:3126/securitydemo/webapi/db/students

StudentServiceInterface interface implementation
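Answer 0 (score: 1)

You have to use the extension for Spring DI, see the Jersey 2.25.1 User Guide:

Jersey provides an extension to support Spring DI. This enables Jersey to use Spring beans as JAX-RS components (e.g. resources and providers) and also allows Spring to inject into Jersey-managed components.

The Spring extension module configuration is based on annotations. Spring beans are injected and JAX-RS classes are made Spring-managed using annotations. Injected Spring beans can have further dependencies injected using Spring XML configuration. Spring singleton and request scopes are supported.

To enable JAX-RS resources to work with Spring functionality that requires proxying, such as Spring transaction management (with @Transactional), Spring Security and aspect-oriented programming (such as @Aspect), the resources must themselves be managed by Spring, by annotating them with @Component, @Service, @Controller or @Repository: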
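
import javax.ws.rs.GET;
import javax.ws.rs.Path;

import org.springframework.stereotype.Component;
import org.springframework.transaction.annotation.Transactional;

// @Component hands the resource to Spring so that it can be proxied
@Component
@Path("/")
public class SomeResource {

    @Transactional
    @GET
    public void updateResource() {
        // ...
    }
}
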
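Limitations:

Spring beans cannot be injected directly into JAX-RS classes by using Spring XML configuration

25.1. Dependencies

If you want to use Jersey Spring DI support, you need to add the jersey-spring3 module to your list of dependencies: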

<dependency>
    <groupId>org.glassfish.jersey.ext</groupId>
    <artifactId>jersey-spring3</artifactId>
    <version>2.25.1</version>
</dependency>

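The above module adds transitive dependencies on Spring modules. For more details about the list and scope of dependencies, see the jersey-spring3 module dependencies. Please note that the module depends on the Spring/HK2 Bridge, which is used to inject Spring services into HK2 services or to inject HK2 services into Spring services.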
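
Why the resource has to be Spring-managed, shown as an added example that is not part of the original answer or of the Jersey guide: Spring Security enforces @Secured through a proxy, and only instances obtained from the Spring context carry that proxy. The class names, the stand-in StudentResource and the Java-config class are assumptions made for illustration (the question uses XML configuration); the code needs spring-context and spring-security-config on the classpath.

```java
import org.springframework.context.annotation.AnnotationConfigApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;

public class SecuredProxyDemo {

    // Hypothetical stand-in for the question's resource class (JAX-RS annotations omitted).
    public static class StudentResource {
        @Secured("ROLE_ADMIN")
        public String addStudent() {
            return "added";
        }
    }

    // Java-config counterpart of <global-method-security secured-annotations="enabled"/>.
    @Configuration
    @EnableGlobalMethodSecurity(securedEnabled = true)
    public static class MethodSecurityConfig {
        @Bean
        public StudentResource studentResource() {
            return new StudentResource();
        }
    }

    public static void main(String[] args) {
        // Created with "new", the way a container unaware of Spring would:
        // nothing intercepts the call, so @Secured is never evaluated.
        StudentResource unmanaged = new StudentResource();
        System.out.println("unmanaged call: " + unmanaged.addStudent());

        try (AnnotationConfigApplicationContext ctx =
                 new AnnotationConfigApplicationContext(MethodSecurityConfig.class)) {
            // Fetched from the Spring context: a proxy subclass that runs the
            // method-security interceptor before the real method.
            StudentResource managed = ctx.getBean(StudentResource.class);
            System.out.println("proxied: " + (managed.getClass() != StudentResource.class));
            try {
                managed.addStudent(); // no Authentication in the SecurityContext
            } catch (AuthenticationCredentialsNotFoundException e) {
                System.out.println("managed call rejected: " + e.getMessage());
            }
        }
    }
}
```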