是否有与服务器无关的方式来实现BASIC身份验证?

时间:2011-06-15 16:08:55

标签: java jersey websphere-6.1 http-basic-authentication tomcat

我正在尝试向我的RESTful Web服务添加BASIC身份验证。目前我对Apache Tomcat 6.0服务器进行BASIC身份验证,但我需要在WebSphere应用程序服务器上部署我的Web服务。 6.1以及我在WebSphere上运行BASIC身份验证时遇到问题。

在Java中是否有办法检查HTTP请求的身份验证标头,如果提供的用户名/密码(使用Base64编码)与已知帐户不匹配,则强制用户输入新的用户名/密码?< / p>

我已经尝试过实现Spring Security,但由于我的项目完全没有Spring,所以试图让它工作起来是一件巨大的痛苦,而我正试图找到一个简单的解决方案来处理我这个相当简单的问题。

我目前使用的技术包括:Java,Jersey / JAX-RS,带有Maven插件的Eclipse。

2 个答案:

答案 0 :(得分:9)

您应该能够设置在REST处理程序之前执行的servlet filter,检查“授权”请求标头,base 64 decodes它,提取用户名和密码,并进行验证。像这样:

public void doFilter(ServletRequest req,
                     ServletResponse res,
                     FilterChain chain) {
  if (request instanceof HttpServletRequest) {
    HttpServletRequest request = (HttpServletRequest) req;
    String authHeader = Base64.decode(request.getHeader("Authorization"));
    String creds[] = authHeader.split(":");
    String username = creds[0], password = creds[1];
    // Verify the credentials here...
    if (authorized) {
      chain.doFilter(req, res, chain);
    } else {
      // Respond 401 Authorization Required.
    }
  }
  doFilter(req, res, chain);
}

所有servlet容器都有一种配置过滤器链的标准方法。

答案 1 :(得分:4)

基于maerics答案完成实施。

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.lang.StringUtils;

import sun.misc.BASE64Decoder;

public class AuthenticationFilter implements Filter {

    private static final String AUTHORIZATION_HEADER_NAME = "Authorization";
    private static final String WWW_AUTHENTICATE_HEADER_NAME = "WWW-Authenticate";
    private static final String WWW_AUTHENTICATE_HEADER_VALUE = "Basic realm=\"Default realm\"";
    private static final String BASIC_AUTHENTICATION_REGEX = "Basic\\s";
    private static final String EMPTY_STRING = "";
    private static final String USERNAME_PASSWORD_SEPARATOR = ":";
    private static final BASE64Decoder DECODER = new BASE64Decoder();

    public void init(FilterConfig arg0) throws ServletException {
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {

        HttpServletRequest httpReq = (HttpServletRequest) req;
        HttpServletResponse httpRes = (HttpServletResponse) res;

        String authHeader = httpReq.getHeader(AUTHORIZATION_HEADER_NAME);

        if (authHeader == null) {
            this.requestAuthentication(httpRes);
            return;
        }

        authHeader = authHeader.replaceFirst(BASIC_AUTHENTICATION_REGEX, EMPTY_STRING);
        authHeader = new String(DECODER.decodeBuffer(authHeader));      

        if (StringUtils.countMatches(authHeader, USERNAME_PASSWORD_SEPARATOR) != 1) {
            this.requestAuthentication(httpRes);
            return;         
        }

        String[] creds = authHeader.split(USERNAME_PASSWORD_SEPARATOR);
        String username = creds[0];
        String password = creds[1];         

        //TODO: implement this method
        if (!authenticatedUser(username, password)) {
            this.requestAuthentication(httpRes);
            return;
        }

         chain.doFilter(req, res);
    }

    private void requestAuthentication(HttpServletResponse httpRes) {

        httpRes.setHeader(WWW_AUTHENTICATE_HEADER_NAME, WWW_AUTHENTICATE_HEADER_VALUE);
        httpRes.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
    }

    public void destroy() {
    }
}
相关问题
最新问题