我必须在Spring安全性和jaxrs中使用一些自定义角色授权逻辑。意思是我想使用我的自定义注释。我在获取映射到当前请求的方法和类时遇到问题,我需要它们,因此我可以提取它们上存在的注释。我尝试注入ResourceInfo
,但这似乎始终为空。知道如何在过滤器中获取该数据吗? (请参阅getAuthentication方法)
package com.concentric.scenarios.rest.auth.jwt;
import java.io.IOException;
import java.lang.annotation.Annotation;
import java.lang.reflect.AnnotatedElement;
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.NotAuthorizedException;
import javax.ws.rs.container.ResourceInfo;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.UriInfo;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.security.web.header.HeaderWriterFilter;
import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestWrapper;
import com.auth0.jwt.interfaces.DecodedJWT;
import com.concentric.scenarios.domain.user.AppRole;
import com.concentric.scenarios.security.Authorized;
import com.concentric.scenarios.security.SecurityConstants;
import com.concentric.scenarios.util.JWTUtil;
import lombok.extern.slf4j.Slf4j;
@Slf4j
public class JWTAuthorizationFilter extends BasicAuthenticationFilter {
@SuppressWarnings("unused")
private AuthenticationManager authManager;
private SecurityConstants securityConstants;
public JWTAuthorizationFilter(AuthenticationManager authManager, SecurityConstants securityConstants) {
super(authManager);
this.securityConstants = securityConstants;
}
@Override
protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
throws IOException, ServletException {
String header = req.getHeader(securityConstants.getHeaderKey());
if (header == null || !header.startsWith(securityConstants.getTokenPrefix())) {
if(securityConstants.isMultipleProviders()) {
log.info("Missing or malformed JWT token. Continuing security authorization filtering.");
} else {
log.error("Missing or malformed JWT token. JWT is only registered security provider.");
}
chain.doFilter(req, res);
return;
}
UsernamePasswordAuthenticationToken authentication = getAuthentication(req);
SecurityContextHolder.getContext().setAuthentication(authentication);
chain.doFilter(req, res);
}
private UsernamePasswordAuthenticationToken getAuthentication(HttpServletRequest request) {
String authorizationHeader = request.getHeader(securityConstants.getHeaderKey());
if (authorizationHeader != null) {
DecodedJWT jwt = JWTUtil.verifyToken(
authorizationHeader,
securityConstants.getSecret(),
securityConstants.getTokenPrefix());
String principalRoleStr = jwt.getClaim("role").asString();
Class<?> resourceClass = // somehow obtain the class mapped to this request by jax-rs
Method resourceMethod = // somehow obtain the method mapped to this request by jax-rs
// no authentication is needed
if(!isAnnotationPresent(Authorized.class, resourceClass) && !isAnnotationPresent(Authorized.class, resourceMethod)) {
return null;
}
// extract roles from class
List<AppRole> classRoles = extractRoles(resourceClass);
// extract roles from method
List<AppRole> methodRoles = extractRoles(resourceMethod);
AppRole principalRole = AppRole.valueOf(principalRoleStr);
// Check if the user is allowed to execute the method
if (methodRoles.isEmpty()) {
checkPermissions(classRoles, principalRole);
} else {
checkPermissions(methodRoles, principalRole);
}
return new UsernamePasswordAuthenticationToken(jwt.getSubject(), null, new ArrayList<>());
}
return null;
}
private void checkPermissions(List<AppRole> allowedRoles, AppRole userRole) {
boolean hasRole = false;
for(AppRole allowed : allowedRoles) {
if(userRole.hasRights(allowed)) {
hasRole = true;
break;
}
}
if(hasRole == false) {
throw new NotAuthorizedException("User is not authorized to access resource with JWT auth!");
}
}
private List<AppRole> extractRoles(AnnotatedElement annotatedElement) {
if (annotatedElement == null) {
return new ArrayList<>();
} else {
Authorized secured = annotatedElement.getAnnotation(Authorized.class);
if (secured == null) {
return new ArrayList<AppRole>();
} else {
AppRole[] allowedRoles = secured.value();
return Arrays.asList(allowedRoles);
}
}
}
private boolean isAnnotationPresent(Class<? extends Annotation> annotation, AnnotatedElement annotatedElement) {
if (annotatedElement == null) {
return false;
} else if(annotatedElement.isAnnotationPresent(annotation)) {
return true;
}
return false;
}
}
@Component
@ApplicationPath("/api")
public class ScenariosRestConfig extends ResourceConfig {
public ScenariosRestConfig() {
packages(ScenariosRestConfig.class.getPackageName());
}
}