Java服务忽略@RolesAllowed
我试图在我的RestService中设置权限,但出于某种原因,Java服务忽略@RolesAllowed,java,security,authentication,jersey,Java,Security,Authentication,Jersey,我试图在我的RestService中设置权限,但出于某种原因,@RolesAllowed(“用户”)目前似乎什么都不做 我正确填写了SecurityContext,构造函数被调用,但由于某种原因,isUserInRole(字符串角色)从未被RoleAllowed调用。无论我是用户还是来宾,我仍然可以访问/countries路径而不会出现任何错误 我的休息服务: @Path("/countries") public class CountryResource { @RolesAllowe
@RolesAllowed(“用户”)
目前似乎什么都不做
我正确填写了SecurityContext,构造函数被调用,但由于某种原因,isUserInRole(字符串角色)
从未被RoleAllowed
调用。无论我是用户还是来宾,我仍然可以访问/countries路径而不会出现任何错误
我的休息服务:
@Path("/countries")
public class CountryResource {
@RolesAllowed("user")
@GET
@Produces(MediaType.APPLICATION_JSON)
public String getCountries() {
System.out.println("countries?");
JsonArrayBuilder countries = Json.createArrayBuilder();
for (Country c : ServiceProvider.getCountryService().getAllCountries())
{
JsonObjectBuilder jsonCountry = buildCountry(c);
if (jsonCountry != null)
countries.add(jsonCountry);
}
return countries.build().toString();
}
}
我的SecurityContext:
public class MySecurityContext implements SecurityContext {
private String name;
private String role;
private boolean isSecure;
public MySecurityContext(String name, String role, boolean isSecure) {
System.out.println(name+role+isSecure);
this.name = name;
this.role = role;
}
public Principal getUserPrincipal() {
System.out.println("Principal");
return new Principal() {
public String getName() {
return name;
}
};
}
public boolean isUserInRole(String role) {
System.out.println("Is user in role: "+this.role);
return role.equals(this.role);
}
public boolean isSecure() {
return isSecure;
}
public String getAuthenticationScheme() {
return "Bearer";
}
}
过滤器:
@Provider
@Priority(Priorities.AUTHENTICATION)
public class AuthenticationFilter implements ContainerRequestFilter {
@Override
public void filter(ContainerRequestContext requestCtx) throws IOException {
System.out.println("filter?");
// Users are treated as guests, unless a valid JWT is provided
boolean isSecure = requestCtx.getSecurityContext().isSecure();
MySecurityContext msc = new MySecurityContext("Unknown", "guest", isSecure);
// Check if the HTTP Authorization header is present and formatted
// correctly
String authHeader =
requestCtx.getHeaderString(HttpHeaders.AUTHORIZATION);
System.out.println(authHeader);
if (authHeader != null && authHeader.startsWith("Bearer ")) {
// Extract the token from the HTTP Authorization header
String token = authHeader.substring("Bearer".length()).trim();
try {
// Validate the token
JwtParser parser = Jwts.parser().setSigningKey(AuthenticationResource.key);
Claims claims = parser.parseClaimsJws(token).getBody();
String user = claims.getSubject();
String role = claims.get("role").toString();
msc = new MySecurityContext(user, role, isSecure);
} catch (JwtException | IllegalArgumentException e) {
System.out.println("Invalid JWT, processing as guest!");
}
}
System.out.println(msc);
requestCtx.setSecurityContext(msc);
}
}
您需要确保的事项:
SecurityContext
的过滤器带有@Priority(Priorities.AUTHENTICATION)
注释。这一点很重要,因为进行授权的筛选器具有优先级Priorities.authorization
,这发生在身份验证之后。如果忘记添加优先级,则默认为Priorities.USER
,它位于所有其他优先级之后。看
SecurityContext
的过滤器已注册rolesAllowedDynamic功能
。这是授予您授权的主要功能。它将注册具有优先级的筛选器。授权
。在该过滤器中,它将获取您在先前调用的过滤器中设置的SecurityContext
,然后抓取@RolesAllowed
注释,并对照SecurityContext#isUserInRole
RolesAllowedDynamicFeature
,如果您正在使用ResourceConfig
,只需调用register(RolesAllowedDynamicFeature.class)
。如果您使用的是web.xml,那么应该添加以下init参数
<init-param>
<param-name>jersey.config.server.provider.classnames</param-name>
<param-value>
org.glassfish.jersey.server.filter.RolesAllowedDynamicFeature
</param-value>
</init-param>
jersey.config.server.provider.classnames
org.glassfish.jersey.server.filter.RolesAllowedDynamicFeature
谢谢你的回答!如何准确注册我的SecurityContext
和RolesAllowedDynamicFeature
?例如,我不知道在哪里添加resourceconfig。我还添加了我的过滤器,以防出现问题。正如你所说,allready的优先级已经设置好了。我使用的是web.xml。我应该将这个init参数添加到我的servlet还是添加到一个新的servlet?我在eclipse中粘贴时出错。相同的Jersey servlet。就在您可能拥有的任何其他init参数的旁边(后面)