我有一个Web方法,该方法在查询字符串中有一个标记,每种方法都使用此标记来标识发出请求的用户。
为此,我创建了一个名称为AuthenticationFilter的ResourceFilter,它从请求中获取令牌并从数据库中检索用户信息,如果用户有效,则该方法将被执行,否则将引发UNAUTHORIZED异常。
我的问题是:如何访问在AuthenticationFilter类中检索到的用户信息
我的网络api:
@GET
@Consumes(MediaType.TEXT_PLAIN)
@Produces({MediaType.APPLICATION_JSON})
@Path("/getUserOrders")
@ResourceFilters({AuthenticationFilter.class, AllowOroginFilter.class})
public String getUserOrders(@Context UriInfo uriInfo) {
//I need to access Usr object that retrived in AuthenticationFilter
/*User Usr = AuthenticationFilter.Usr;*/
String Result = getUserOrders(Usr);
return Result;
}
ResourceFilter代码:
public class AuthenticationFilter implements ResourceFilter, ContainerRequestFilter, ContainerResponseFilter {
public User usr = null;
@Override
public ContainerRequest filter(ContainerRequest containerRequest) {
usr = AuthenticationUtiity.AuthenticateRequest(containerRequest);
if(usr == null){
Response.ResponseBuilder builder = null;
String response = "{\"Success\":false, \"Message\":\"Invalid username or password\"}";
builder = Response.status(Response.Status.UNAUTHORIZED).entity(response);
throw new WebApplicationException(builder.build());
}
return containerRequest;
}
}
我对此进行了搜索,发现了一种可能使用ThreadLocal并将用户保存到ThreadLocal并将其保存到该线程中任意位置的方法。
https://veerasundar.com/blog/2010/11/java-thread-local-how-to-use-and-code-sample/
有没有更简单的方法可以做到这一点?谢谢
答案 0 :(得分:1)
您可以在ContainerRequest上设置SecurityContext。然后,在您的资源方法中,可以使用@Context SecurityContext注入它。对于SecurityContext实现,您可以实现Principal并根据需要对其进行详细说明。当您在资源方法中获得Principal时,只需将其转换为您的类型即可。下面是一个示例过滤器:
@Provider
public class TestFilter implements ContainerRequestFilter {
@Override
public ContainerRequest filter(ContainerRequest request) {
SecurityContext oldSec = request.getSecurityContext();
final String username = "foobar";
final String email = "email@email.com";
final User user = new User(username, email);
request.setSecurityContext(new MySecurityContext(user, oldSec.isSecure()));
return request;
}
private static class MySecurityContext implements SecurityContext {
private final boolean isSecure;
private final User user;
public MySecurityContext(User user, boolean isSecure) {
this.isSecure = isSecure;
this.user = user;
}
@Override
public Principal getUserPrincipal() {
return this.user;
}
@Override
public boolean isUserInRole(String s) {
return false;
}
@Override
public boolean isSecure() {
return this.isSecure;
}
@Override
public String getAuthenticationScheme() {
return null;
}
}
public static class User implements Principal {
private final String email;
private final String username;
public User(String username, String email) {
this.username = username;
this.email = email;
}
@Override
public String getName() {
return null;
}
public String getEmail() {
return this.email;
}
}
}
然后使用资源方法
@Path("test")
public class TestResource {
@GET
public String get(@Context SecurityContext sc) {
TestFilter.User user = (TestFilter.User) sc.getUserPrincipal();
return user.getEmail();
}
}
感谢您的回答,但我不想在我的网络方法中添加额外的参数
然后将其作为字段注入
@Path("test")
public class TestResource {
@Context
private SecurityContext sc;
@GET
public String get() {
TestFilter.User user = (TestFilter.User) sc.getUserPrincipal();
return user.getEmail();
}
}