Java service ignores @RolesAllowed


I'm trying to set up permissions in my REST service, but for some reason @RolesAllowed("user") currently seems to do nothing.

I fill in the SecurityContext correctly and the constructor gets called, but for some reason isUserInRole(String role) is never called by RolesAllowed. Whether I'm a user or a guest, I can still access the /countries path without any error.

My REST service:

import javax.annotation.security.RolesAllowed;
import javax.json.Json;
import javax.json.JsonArrayBuilder;
import javax.json.JsonObjectBuilder;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;

@Path("/countries")
public class CountryResource {

    // Only callers whose SecurityContext reports the "user" role should get here;
    // the check is performed by Jersey's RolesAllowedDynamicFeature, not by this class.
    @RolesAllowed("user")
    @GET
    @Produces(MediaType.APPLICATION_JSON)
    public String getCountries() {
        System.out.println("countries?");
        JsonArrayBuilder countries = Json.createArrayBuilder();

        for (Country c : ServiceProvider.getCountryService().getAllCountries())
        {
            // buildCountry(Country) is a helper defined elsewhere in this class
            JsonObjectBuilder jsonCountry = buildCountry(c);

            if (jsonCountry != null)
                countries.add(jsonCountry);
        }

        return countries.build().toString();
    }
}
My SecurityContext:

import java.security.Principal;
import javax.ws.rs.core.SecurityContext;

public class MySecurityContext implements SecurityContext {
    private String name;
    private String role;
    private boolean isSecure;

    public MySecurityContext(String name, String role, boolean isSecure) {
        System.out.println(name + role + isSecure);
        this.name = name;
        this.role = role;
        this.isSecure = isSecure; // was missing in the posted code, so isSecure() always returned false
    }

    @Override
    public Principal getUserPrincipal() {
        System.out.println("Principal");
        return new Principal() {
            public String getName() {
                return name;
            }
        };
    }

    // Called by the authorization filter for each role listed in @RolesAllowed
    @Override
    public boolean isUserInRole(String role) {
        System.out.println("Is user in role: " + this.role);
        return role.equals(this.role);
    }

    @Override
    public boolean isSecure() {
        return isSecure;
    }

    @Override
    public String getAuthenticationScheme() {
        return "Bearer";
    }
}
The filter:

import java.io.IOException;
import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.ext.Provider;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.JwtParser;
import io.jsonwebtoken.Jwts;

@Provider
@Priority(Priorities.AUTHENTICATION)
public class AuthenticationFilter implements ContainerRequestFilter {
    @Override
    public void filter(ContainerRequestContext requestCtx) throws IOException {
        System.out.println("filter?");
        // Users are treated as guests, unless a valid JWT is provided
        boolean isSecure = requestCtx.getSecurityContext().isSecure();
        MySecurityContext msc = new MySecurityContext("Unknown", "guest", isSecure);
        // Check if the HTTP Authorization header is present and formatted
        // correctly
        String authHeader =
            requestCtx.getHeaderString(HttpHeaders.AUTHORIZATION);
        System.out.println(authHeader);
        if (authHeader != null && authHeader.startsWith("Bearer ")) {
            // Extract the token from the HTTP Authorization header
            String token = authHeader.substring("Bearer".length()).trim();
            try {
                // Validate the token signature and parse the claims
                // (AuthenticationResource.key is the signing key defined elsewhere in this project)
                JwtParser parser = Jwts.parser().setSigningKey(AuthenticationResource.key);
                Claims claims = parser.parseClaimsJws(token).getBody();
                String user = claims.getSubject();
                String role = claims.get("role").toString();

                msc = new MySecurityContext(user, role, isSecure);

            } catch (JwtException | IllegalArgumentException e) {

                System.out.println("Invalid JWT, processing as guest!");
            }
        }

        System.out.println(msc);
        // Replace the container's SecurityContext so later filters and resources see our roles
        requestCtx.setSecurityContext(msc);
    }
}

Things you need to make sure of:

  • Make sure the filter that sets the SecurityContext is annotated with @Priority(Priorities.AUTHENTICATION). This is important because the filter that does the authorization has priority Priorities.AUTHORIZATION, which happens after authentication. If you forget to add the priority, it defaults to Priorities.USER, which comes after all the other priorities. See

  • Make sure the filter that sets the SecurityContext is registered.

  • Make sure RolesAllowedDynamicFeature is registered. This is the main feature that gives you the authorization. It registers a filter with priority Priorities.AUTHORIZATION. In that filter it takes the SecurityContext you set in the previously called filter, grabs the @RolesAllowed annotation, and checks it against SecurityContext#isUserInRole.

  • UPDATE: To register RolesAllowedDynamicFeature, if you are using ResourceConfig, just call register(RolesAllowedDynamicFeature.class). If you are using web.xml, you should add the following init-param:

    <init-param>
        <param-name>jersey.config.server.provider.classnames</param-name>
        <param-value>
            org.glassfish.jersey.server.filter.RolesAllowedDynamicFeature
        </param-value>
    </init-param>
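For the ResourceConfig route the answer mentions, here is an added example (not code from the asker or the answerer) of an application class that wires the asker's AuthenticationFilter and Jersey's RolesAllowedDynamicFeature together in the order the answer describes. The package name com.example.rest and the class name RestApplication are assumptions; the priority values are those of javax.ws.rs.Priorities.

```java
package com.example.rest; // hypothetical package; use your project's own

import javax.ws.rs.ApplicationPath;
import org.glassfish.jersey.server.ResourceConfig;
import org.glassfish.jersey.server.filter.RolesAllowedDynamicFeature;

// Added example: a Jersey 2 ResourceConfig that registers the authentication
// filter from the question and the feature that actually enforces @RolesAllowed.
// With @ApplicationPath on a Servlet 3.0+ container, Jersey's servlet
// initializer picks this class up automatically, so no <servlet> block is
// needed in web.xml. (If you keep a web.xml servlet instead, point its
// "javax.ws.rs.Application" init-param at this class.)
@ApplicationPath("/api")
public class RestApplication extends ResourceConfig {

    public RestApplication() {
        // Resource classes such as CountryResource are found by package scanning.
        packages("com.example.rest");

        // Installs MySecurityContext on each request.
        // Runs at Priorities.AUTHENTICATION (1000) because of its @Priority annotation.
        register(AuthenticationFilter.class);

        // Registers the authorization filter at Priorities.AUTHORIZATION (2000),
        // i.e. after the filter above. For every resource method carrying
        // @RolesAllowed it calls SecurityContext#isUserInRole for each listed
        // role and rejects the request with 403 Forbidden when none matches.
        // Without this line the annotation is never evaluated and every caller,
        // guest or not, reaches getCountries(), which is the symptom in the question.
        register(RolesAllowedDynamicFeature.class);
    }
}
```

A quick check that the wiring works: call /api/countries with no Authorization header and expect 403, then with a JWT whose "role" claim is "user" and expect 200. The "Is user in role" line printed by MySecurityContext#isUserInRole only appears once RolesAllowedDynamicFeature is registered, so its absence from the log is the fastest indicator that the feature is missing.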
    
    Thanks for your answer! How exactly do I register my SecurityContext and RolesAllowedDynamicFeature? For example, I don't know where to add the ResourceConfig. I also added my filter in case something is wrong with it. As you said, the priority is already set. I'm using web.xml. Should I add this init-param to my servlet or to a new servlet? I get an error when I paste it in Eclipse.

    The same Jersey servlet. Right next to (after) any other init-params you may have.
    ?例如,我不知道在哪里添加resourceconfig。我还添加了我的过滤器,以防出现问题。正如你所说,allready的优先级已经设置好了。我使用的是web.xml。我应该将这个init参数添加到我的servlet还是添加到一个新的servlet?我在eclipse中粘贴时出错。相同的Jersey servlet。就在您可能拥有的任何其他init参数的旁边(后面)