Java JAX-RS安全性-主体未持久化
首先是守则: 应用程序设置类:Java JAX-RS安全性-主体未持久化,java,jakarta-ee,jax-rs,wildfly,resteasy,Java,Jakarta Ee,Jax Rs,Wildfly,Resteasy,首先是守则: 应用程序设置类: @ApplicationPath("/rest") public class ApplicationConfig extends Application { } JAX-RS资源类: @Path("/test") @RequestScoped public class TestWS { @POST @Path("/login") @Produces(MediaTyp
@ApplicationPath("/rest")
public class ApplicationConfig extends Application {
}
@Path("/test")
@RequestScoped
public class TestWS {
@POST
@Path("/login")
@Produces(MediaType.TEXT_PLAIN)
public Response login(@Context HttpServletRequest req){
req.getSession().setAttribute("test","test");
System.out.println(req.getSession().getId());
if(req.getUserPrincipal() == null){
String authHeader = req.getHeader(HttpHeaders.AUTHORIZATION);
if(authHeader != null && !authHeader.isEmpty()){
String base64Credentials = authHeader.substring("Basic".length()).trim();
String credentials = new String(Base64.getDecoder().decode(base64Credentials),
Charset.forName("UTF-8"));
final String[] values = credentials.split(":",2);
try {
req.login(values[0], values[1]);
System.out.println(req.getUserPrincipal().toString());
}
catch(ServletException e){
e.printStackTrace();
return Response.status(Response.Status.UNAUTHORIZED).build();
}
}
}else{
System.out.println(req.getUserPrincipal());
System.out.println(req.isUserInRole("User"));
req.getServletContext().log("Skipped logged because already logged in!");
}
req.getServletContext().log("Authentication Demo: successfully retrieved User Profile!");
return Response.ok().build();
}
@Path("/ping")
@Produces(MediaType.APPLICATION_JSON)
@GET
public String ping(@Context HttpServletRequest req){
Object test = req.getSession().getAttribute("test");
System.out.println(req.getSession().getId());
System.out.println(test);
System.out.println(req.getUserPrincipal());
System.out.println(req.isUserInRole("User"));
return "{\"status\":\"ok\"}";
}
}
<?xml version="1.0" encoding="UTF-8" ?>
<web-app>
<context-param>
<param-name>resteasy.role.based.security</param-name>
<param-value>true</param-value>
</context-param>
<security-constraint>
<web-resource-collection>
<web-resource-name>rest</web-resource-name>
<url-pattern>/rest/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>PUT</http-method>
<http-method>DELETE</http-method>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<welcome-file-list>
<welcome-file>index.html</welcome-file>
</welcome-file-list>
<session-config>
<session-timeout>30</session-timeout>
</session-config>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>PBKDF2DatabaseDomain</realm-name>
</login-config>
</web-app>
resteasy.role.based.security
真的
休息
/休息/*
得到
邮递
放
删除
没有一个
index.html
30
但是登录方法中的修复设置会话属性对我不起作用。一些提示和备注:
- 由于REST是无状态的,我将在客户端管理会话,而不是在服务器端持久化客户端状态
- 无状态身份验证可以通过返回每个请求/服务的基本身份验证头来实现,这些请求/服务只限于经过身份验证的用户,例如/login和/ping
- /当用户未得到很好的身份验证和识别时,登录服务可能会抛出WebApplicationException,以便您的客户端应用程序管理它并向最终用户显示身份验证错误消息。
然后,您可以使用@RolesAllowed('something')注释和/ping方法上方的JAAS来限制具有“something”角色的经过身份验证的用户的访问。因此,您将不再需要编写身份验证或授权代码,并从应用程序中的授权层中获益
所有这些都可以通过JavaEE7在Wildfly上实现,无需额外的库。Basic auth。是无状态的 <?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
<context-root>/</context-root>
<security-domain>PBKDF2DatabaseDomain</security-domain>
</jboss-web>
<subsystem xmlns="urn:jboss:domain:security:1.2">
<security-domains>
<security-domain name="PBKDF2DatabaseDomain" cache-type="default">
<authentication>
<login-module code="de.rtner.security.auth.spi.SaltedDatabaseServerLoginModule" flag="required" module="de.rtner.PBKDF2">
<module-option name="dsJndiName" value="java:jboss/datasources/developmentDS"/>
<module-option name="principalsQuery" value="SELECT password FROM ur.user WHERE username=?"/>
<module-option name="rolesQuery" value="select distinct r.NAME, 'Roles' from ur.user_roles ur left join ur.ct_role r on ur.ROLE_ID = r.ID left join ur.user u on ur.USER_ID = u.ID where u.username =?"/>
</login-module>
</authentication>
</security-domain>
...