Java Jersey RestService ignores @RolesAllowed

Time: 2017-05-23 19:30:56

Tags: java security authentication jersey

I am trying to set permissions in my RestService, but for some reason @RolesAllowed("user") currently does not seem to do anything.

I fill up my SecurityContext and the constructor is called, but for some reason isUserInRole(String role) is never called by RolesAllowed. Whether I am a user or a guest, I can still access the /countries path without any error.

My REST service:

import javax.annotation.security.RolesAllowed;
import javax.json.Json;
import javax.json.JsonArrayBuilder;
import javax.json.JsonObjectBuilder;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;

@Path("/countries")
public class CountryResource {

    // Only callers whose SecurityContext reports the "user" role should reach this method
    @RolesAllowed("user")
    @GET
    @Produces(MediaType.APPLICATION_JSON)
    public String getCountries() {
        System.out.println("countries?");
        JsonArrayBuilder countries = Json.createArrayBuilder();

        // ServiceProvider, Country and buildCountry() belong to the application itself
        for (Country c : ServiceProvider.getCountryService().getAllCountries()) {
            JsonObjectBuilder jsonCountry = buildCountry(c);

            if (jsonCountry != null) {
                countries.add(jsonCountry);
            }
        }

        return countries.build().toString();
    }
}

My SecurityContext:

import java.security.Principal;
import javax.ws.rs.core.SecurityContext;

public class MySecurityContext implements SecurityContext {
    private String name;
    private String role;
    private boolean isSecure;

    public MySecurityContext(String name, String role, boolean isSecure) {
        System.out.println(name + role + isSecure);
        this.name = name;
        this.role = role;
        this.isSecure = isSecure; // was never assigned, so isSecure() always returned false
    }

    @Override
    public Principal getUserPrincipal() {
        System.out.println("Principal");
        return new Principal() {
            @Override
            public String getName() {
                return name;
            }
        };
    }

    // Single-role model: the caller is "in" exactly the one role taken from the token
    @Override
    public boolean isUserInRole(String role) {
        System.out.println("Is user in role: " + this.role);
        return role.equals(this.role);
    }

    @Override
    public boolean isSecure() {
        return isSecure;
    }

    @Override
    public String getAuthenticationScheme() {
        return "Bearer";
    }
}

The filter:

import java.io.IOException;

import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.ext.Provider;

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.JwtParser;
import io.jsonwebtoken.Jwts;

@Provider
@Priority(Priorities.AUTHENTICATION)
public class AuthenticationFilter implements ContainerRequestFilter {
    @Override
    public void filter(ContainerRequestContext requestCtx) throws IOException {
        System.out.println("filter?");
        // Users are treated as guests, unless a valid JWT is provided
        boolean isSecure = requestCtx.getSecurityContext().isSecure();
        MySecurityContext msc = new MySecurityContext("Unknown", "guest", isSecure);
        // Check if the HTTP Authorization header is present and formatted
        // correctly
        String authHeader = requestCtx.getHeaderString(HttpHeaders.AUTHORIZATION);
        System.out.println(authHeader);
        if (authHeader != null && authHeader.startsWith("Bearer ")) {
            // Extract the token from the HTTP Authorization header
            String token = authHeader.substring("Bearer".length()).trim();
            try {
                // Validate the token signature (and expiry) against the
                // application's signing key, AuthenticationResource.key
                JwtParser parser = Jwts.parser().setSigningKey(AuthenticationResource.key);
                Claims claims = parser.parseClaimsJws(token).getBody();
                String user = claims.getSubject();
                // A signed token without a "role" claim would otherwise throw a
                // NullPointerException, which the catch below does not handle
                Object roleClaim = claims.get("role");
                String role = roleClaim == null ? "guest" : roleClaim.toString();

                msc = new MySecurityContext(user, role, isSecure);

            } catch (JwtException | IllegalArgumentException e) {
                // Bad signature, malformed or expired token: fall back to guest
                System.out.println("Invalid JWT, processing as guest!");
            }
        }

        System.out.println(msc);
        requestCtx.setSecurityContext(msc);
    }
}

1 answer:

Answer 0 (score: 2)

Things you need to make sure of:

  1. Make sure the filter where you set the SecurityContext is annotated with @Priority(Priorities.AUTHENTICATION). This is important because the filter that performs the authorization has priority Priorities.AUTHORIZATION, which happens after authentication. If you forget to add the priority, it defaults to Priorities.USER, which comes after all the other Priorities. See Filters and Interceptors: Priorities.

  2. Make sure the filter where you set the SecurityContext is registered.

  3. Make sure RolesAllowedDynamicFeature is registered. This is the main feature that gives you the authorization. It will register a filter with Priority.AUTHORIZATION. In that filter, it will get the SecurityContext you set in the filter called before it, then get the @RolesAllowed annotation and check it against SecurityContext#isUserInRole.

    Update

    To register RolesAllowedDynamicFeature, if you are using a ResourceConfig, call register(RolesAllowedDynamicFeature.class). If you are using web.xml, you should add the following init-param:

    <init-param>
        <param-name>jersey.config.server.provider.classnames</param-name>
        <param-value>
            org.glassfish.jersey.server.filter.RolesAllowedDynamicFeature
        </param-value>
    </init-param>
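An added example (not part of the question or the answer) that wires the three points above together and verifies them end to end with Jersey's test framework. It assumes the asker's AuthenticationFilter and AuthenticationResource.key (the HMAC signing key the filter verifies against, referenced as a static field in the question) are on the classpath, plus the jersey-test-framework-provider-grizzly2, JJWT and JUnit 4 dependencies; SecuredResource and RolesAllowedEnforcementTest are hypothetical names chosen here.

```java
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.core.Application;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;

import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import org.glassfish.jersey.server.ResourceConfig;
import org.glassfish.jersey.server.filter.RolesAllowedDynamicFeature;
import org.glassfish.jersey.test.JerseyTest;
import org.junit.Test;

import static org.junit.Assert.assertEquals;

public class RolesAllowedEnforcementTest extends JerseyTest {

    // Minimal resource used only by this test, so the check does not depend on
    // CountryResource's ServiceProvider back end (hypothetical, constructed here).
    @Path("secured")
    public static class SecuredResource {
        @GET
        @RolesAllowed("user")
        public String get() {
            return "ok";
        }
    }

    @Override
    protected Application configure() {
        return new ResourceConfig()
                .register(SecuredResource.class)
                // Point 2: the filter from the question (it already carries
                // @Priority(Priorities.AUTHENTICATION), point 1)
                .register(AuthenticationFilter.class)
                // Point 3: installs the Priorities.AUTHORIZATION filter that reads
                // @RolesAllowed and calls SecurityContext#isUserInRole. Leave this
                // line out and every test below sees 200, which is the asker's bug.
                .register(RolesAllowedDynamicFeature.class);
    }

    @Test
    public void guestWithoutTokenIsRejected() {
        Response r = target("secured").request().get();
        // SecurityContext role is "guest", not "user", so Jersey answers 403 Forbidden
        assertEquals(403, r.getStatus());
    }

    @Test
    public void invalidTokenIsTreatedAsGuestAndRejected() {
        Response r = target("secured").request()
                .header(HttpHeaders.AUTHORIZATION, "Bearer not.a.jwt")
                .get();
        // Filter catches the JwtException and keeps the guest context; still 403
        assertEquals(403, r.getStatus());
    }

    @Test
    public void validUserTokenIsAccepted() {
        // Constructed token, signed with the same key the filter verifies against
        String token = Jwts.builder()
                .setSubject("alice")
                .claim("role", "user")
                .signWith(SignatureAlgorithm.HS256, AuthenticationResource.key)
                .compact();
        Response r = target("secured").request()
                .header(HttpHeaders.AUTHORIZATION, "Bearer " + token)
                .get();
        assertEquals(200, r.getStatus());
        assertEquals("ok", r.readEntity(String.class));
    }
}
```

The useful property of this test is that it fails loudly when authorization is silently absent: if RolesAllowedDynamicFeature is not registered, the first two tests return 200 instead of 403, which is exactly the symptom described in the question. Jersey's RolesAllowedDynamicFeature answers 403 Forbidden both for a caller with no principal and for one whose roles do not match, so a 401 is never expected here.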