How do I use the RolesAllowed annotation in Dropwizard 0.8.4?

Time: 2018-05-08 10:03:24

Tags: java dropwizard

In the newer Dropwizard versions you can create a basic auth filter with an authorizer and an authenticator. Each resource can then be annotated with the @RolesAllowed annotation.

In 0.8.4 you cannot create an authorizer in the same way, but the RolesAllowed annotation still exists. How can I use the RolesAllowed annotation to get the same behaviour as in the later versions?

1 answer:

Answer 0: (score: 0)

In Dropwizard 0.8.x you cannot use @RolesAllowed because of the way authentication is done; it was not tied into the way Jersey uses the SecurityContext. Dropwizard only started using the SecurityContext from 0.9.0, and that is what Jersey relies on to make the @RolesAllowed annotation work.

Fortunately, you can upgrade the dropwizard-auth dependency to 0.9.0 and it still works with Dropwizard 0.8.4. I actually just tested it and it works fine. You only need to exclude dropwizard-core from it:

<dependencies>
    <dependency>
        <groupId>io.dropwizard</groupId>
        <artifactId>dropwizard-core</artifactId>
        <version>0.8.4</version>
    </dependency>
    <dependency>
        <groupId>io.dropwizard</groupId>
        <artifactId>dropwizard-auth</artifactId>
        <version>0.9.0</version>
        <exclusions>
            <exclusion>
                <groupId>io.dropwizard</groupId>
                <artifactId>dropwizard-core</artifactId>
            </exclusion>
        </exclusions>
    </dependency>
</dependencies>

Once that is done, it should all work. I will post all the classes I used to test it.

ExamplePrincipal

import java.security.Principal;
import java.util.List;

// The authenticated user; the roles list is what the authorizer checks against.
public class ExamplePrincipal implements Principal {
    private String name;
    private List<String> roles;

    public ExamplePrincipal(String name, List<String> roles) {
        this.name = name;
        this.roles = roles;
    }
    public String getName() {
        return this.name;
    }
    public List<String> getRoles() {
        return this.roles;
    }
}

ExampleAuthenticator

import com.google.common.base.Optional;
import io.dropwizard.auth.AuthenticationException;
import io.dropwizard.auth.Authenticator;
import io.dropwizard.auth.basic.BasicCredentials;

import java.util.Arrays;

// Maps Basic credentials to a principal; a hard-coded user is used for the test.
public class ExampleAuthenticator implements Authenticator<BasicCredentials, ExamplePrincipal> {

    @Override
    public Optional<ExamplePrincipal> authenticate(BasicCredentials credentials) throws AuthenticationException {
        if ("peeskillet".equals(credentials.getUsername())
                && "secret".equals(credentials.getPassword())) {
            return Optional.of(new ExamplePrincipal(credentials.getUsername(), Arrays.asList("ADMIN")));
        }
        return Optional.absent();
    }
}

ExampleAuthorizer

import io.dropwizard.auth.Authorizer;

// Called by the SecurityContext for each role named in @RolesAllowed.
public class ExampleAuthorizer implements Authorizer<ExamplePrincipal> {

    @Override
    public boolean authorize(ExamplePrincipal principal, String role) {
        return principal.getRoles().contains(role);
    }
}

ExampleResource

import javax.annotation.security.RolesAllowed;
import javax.ws.rs.GET;
import javax.ws.rs.Path;

@Path("example")
public class ExampleResource {

    private String name;

    public ExampleResource(String name) {
        this.name = name;
    }

    @GET
    @RolesAllowed("ADMIN")
    public String get() {
        return "Hello " + name + "!";
    }

    @GET
    @Path("root")
    @RolesAllowed("ROOT")
    public String getRoot() {
        return "Root Access";
    }
}

ExampleConfiguration

import com.fasterxml.jackson.annotation.JsonProperty;
import io.dropwizard.Configuration;

public class ExampleConfiguration extends Configuration {

    private String name;

    @JsonProperty
    public String getName() {
        return this.name;
    }

    @JsonProperty
    public void setName(String name) {
        this.name = name;
    }
}

ExampleApplication

import io.dropwizard.Application;
import io.dropwizard.auth.AuthDynamicFeature;
import io.dropwizard.auth.AuthValueFactoryProvider;
import io.dropwizard.auth.basic.BasicCredentialAuthFilter;
import io.dropwizard.setup.Environment;
import org.glassfish.jersey.server.ServerProperties;
import org.glassfish.jersey.server.filter.RolesAllowedDynamicFeature;

public class ExampleApplication extends Application<ExampleConfiguration> {

    public static void main(String... args) throws Exception {
        new ExampleApplication().run(args);
    }

    @Override
    public void run(ExampleConfiguration config, Environment env) throws Exception {
        env.jersey().property(ServerProperties.RESPONSE_SET_STATUS_OVER_SEND_ERROR, true);
        env.jersey().register(new ExampleResource(config.getName()));

        // Jersey's feature that enforces @RolesAllowed via the SecurityContext.
        env.jersey().register(RolesAllowedDynamicFeature.class);
        // Dropwizard's auth filter populates the SecurityContext using the authenticator and authorizer.
        env.jersey().register(new AuthDynamicFeature(
                new BasicCredentialAuthFilter.Builder<ExamplePrincipal>()
                        .setAuthenticator(new ExampleAuthenticator())
                        .setAuthorizer(new ExampleAuthorizer())
                        .setRealm("ExampleRealm")
                        .buildAuthFilter()
        ));
        env.jersey().register(new AuthValueFactoryProvider.Binder<ExamplePrincipal>(ExamplePrincipal.class));
    }
}

example.yml

name: "Peeskillet"

To test the application, you can simply run the following cURL command:

curl -i -u peeskillet:secret http://localhost:8080/example

If you go to the example/root endpoint, which requires the ROOT role, you will see a 403 Forbidden response:

curl -i -u peeskillet:secret http://localhost:8080/example/root
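The ExampleAuthenticator in the answer compares a plaintext password with String.equals, which is fine for a test but not for anything deployed: the comparison short-circuits on the first mismatching byte and the secret sits in source. The following added example (not part of the answer or of Dropwizard) is a drop-in variant for the same dropwizard-auth 0.9.0 API: it verifies credentials against a salted PBKDF2 hash and compares digests with MessageDigest.isEqual. It reuses the answer's ExamplePrincipal class; the HashingAuthenticator and UserRecord names, the in-memory user table and the salts are constructed for the example.

```java
import com.google.common.base.Optional;
import io.dropwizard.auth.AuthenticationException;
import io.dropwizard.auth.Authenticator;
import io.dropwizard.auth.basic.BasicCredentials;

import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.spec.InvalidKeySpecException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/**
 * Hypothetical replacement for ExampleAuthenticator (added example, not from the answer):
 * passwords are checked against a salted PBKDF2 hash and compared in constant time.
 */
public class HashingAuthenticator implements Authenticator<BasicCredentials, ExamplePrincipal> {

    private static final int ITERATIONS = 100_000;
    private static final int KEY_BITS = 256;

    // Used when the username is unknown, so the KDF still runs and response timing
    // does not reveal whether an account exists.
    private static final byte[] DUMMY_SALT = "constructed-dummy-salt".getBytes(StandardCharsets.UTF_8);
    private static final byte[] DUMMY_HASH = pbkdf2("not-a-real-password".toCharArray(), DUMMY_SALT);

    // One stored record per user: salt, PBKDF2 hash of the password, and granted roles.
    private static final class UserRecord {
        final byte[] salt;
        final byte[] hash;
        final List<String> roles;

        UserRecord(byte[] salt, byte[] hash, List<String> roles) {
            this.salt = salt;
            this.hash = hash;
            this.roles = roles;
        }
    }

    private final Map<String, UserRecord> users = new HashMap<>();

    public HashingAuthenticator() {
        // Constructed sample user mirroring the answer's peeskillet/secret test credentials.
        // A real deployment loads these records from a store, with a random salt per user.
        byte[] salt = "constructed-sample-salt".getBytes(StandardCharsets.UTF_8);
        users.put("peeskillet",
                new UserRecord(salt, pbkdf2("secret".toCharArray(), salt), Arrays.asList("ADMIN")));
    }

    @Override
    public Optional<ExamplePrincipal> authenticate(BasicCredentials credentials) throws AuthenticationException {
        UserRecord record = users.get(credentials.getUsername());
        byte[] salt = record != null ? record.salt : DUMMY_SALT;
        byte[] expected = record != null ? record.hash : DUMMY_HASH;

        // Derive the candidate hash and compare without stopping at the first differing byte.
        byte[] candidate = pbkdf2(credentials.getPassword().toCharArray(), salt);
        boolean matches = MessageDigest.isEqual(expected, candidate);

        if (record != null && matches) {
            return Optional.of(new ExamplePrincipal(credentials.getUsername(), record.roles));
        }
        // Same outcome for "unknown user" and "wrong password"; the auth filter answers 401.
        return Optional.absent();
    }

    private static byte[] pbkdf2(char[] password, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
            throw new IllegalStateException("PBKDF2 is not available in this JVM", e);
        }
    }
}
```

Register it in place of ExampleAuthenticator in the BasicCredentialAuthFilter.Builder call shown in the answer; the authorizer and the @RolesAllowed handling are unchanged, since they only see the ExamplePrincipal and its roles. With the same two cURL commands, /example still returns 200 and /example/root still returns 403, while a wrong password or unknown user gets 401 after the same amount of KDF work.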