Java 在grizzly上忽略Jersey安全注释在tomcat上工作正常
有一段时间一直在思考一个问题,搜索了所有可能的帖子,但却找不到jersey为什么忽略我的安全注释 基本上我的资源配置是这样的Java 在grizzly上忽略Jersey安全注释在tomcat上工作正常,java,spring,jax-rs,jersey-2.0,grizzly,Java,Spring,Jax Rs,Jersey 2.0,Grizzly,有一段时间一直在思考一个问题,搜索了所有可能的帖子,但却找不到jersey为什么忽略我的安全注释 基本上我的资源配置是这样的 @ApplicationPath("/*") public class ApplicationResourceConfig extends ResourceConfig { public ApplicationResourceConfig() { packages("com.property"); register(org
@ApplicationPath("/*")
public class ApplicationResourceConfig extends ResourceConfig {
public ApplicationResourceConfig()
{
packages("com.property");
register(org.springframework.web.context.request.RequestContextListener.class);
register(org.glassfish.jersey.servlet.ServletContainer.class);
register(org.glassfish.jersey.server.spring.SpringLifecycleListener.class);
register(org.glassfish.jersey.server.validation.ValidationFeature.class);
register(org.glassfish.jersey.server.filter.RolesAllowedDynamicFeature.class);
}
}
@Provider
@PreMatching
public class SecurityFilter implements ContainerRequestFilter {
@Inject
javax.inject.Provider<UriInfo> uriInfo;
@Autowired
private HibernateSessionFacotry sessionFactory;
@Override
public void filter(ContainerRequestContext request) {
try
{
String sessionKey = request.getHeaderString("Authorization");
Integer uid = request.getHeaderString("From") == null ? null : Integer.parseInt(request.getHeaderString("From"));
if ((sessionKey == null) || (uid == null))
return;
Session session = null;
Account account = null;
session = sessionFactory.getSessionDAO().verifySession(uid, sessionKey);
if (session != null)
account = session.getAccount();
if (
(session != null)
&& (account != null)
&& (session.getSessionKey().equals(sessionKey))
&& (session.getAccountId() == uid)
&& (session.isValidSession())
)
request.setSecurityContext(new Authorizer(account, session));
else
request.setSecurityContext(new Authorizer());
}
catch (Exception ex)
{
//TODO:: ONLY PRINT IN DEBUG MODE
ex.printStackTrace();
return;
}
}
}
我的安全上下文的定义是这样的
@Provider
public class Authorizer implements javax.ws.rs.core.SecurityContext {
private final Account account;
private final Session session;
private final Principal principal;
public Authorizer() {
super();
this.account = null;
this.session = null;
this.principal = null;
}
public Authorizer(Account account, Session session) {
this.account = account;
this.session = session;
this.principal = new Principal() {
public String getName() {
return account.getAlias();
}
};
}
@Override
public String getAuthenticationScheme() {
return Authorizer.BASIC_AUTH;
}
@Override
public Principal getUserPrincipal() {
return principal;
}
@Override
public boolean isSecure() {
//return "https".equals(uriInfo.get().getRequestUri().getScheme());
return true;
}
@Override
public boolean isUserInRole(String role) {
if ((role == null) || (session == null) || (!session.isValidSession()) || (this.session.getType() == null) || (account == null))
return false;
return this.session.getType().toString().equals(role);
}
}
安全过滤器看起来是这样的
@ApplicationPath("/*")
public class ApplicationResourceConfig extends ResourceConfig {
public ApplicationResourceConfig()
{
packages("com.property");
register(org.springframework.web.context.request.RequestContextListener.class);
register(org.glassfish.jersey.servlet.ServletContainer.class);
register(org.glassfish.jersey.server.spring.SpringLifecycleListener.class);
register(org.glassfish.jersey.server.validation.ValidationFeature.class);
register(org.glassfish.jersey.server.filter.RolesAllowedDynamicFeature.class);
}
}
@Provider
@PreMatching
public class SecurityFilter implements ContainerRequestFilter {
@Inject
javax.inject.Provider<UriInfo> uriInfo;
@Autowired
private HibernateSessionFacotry sessionFactory;
@Override
public void filter(ContainerRequestContext request) {
try
{
String sessionKey = request.getHeaderString("Authorization");
Integer uid = request.getHeaderString("From") == null ? null : Integer.parseInt(request.getHeaderString("From"));
if ((sessionKey == null) || (uid == null))
return;
Session session = null;
Account account = null;
session = sessionFactory.getSessionDAO().verifySession(uid, sessionKey);
if (session != null)
account = session.getAccount();
if (
(session != null)
&& (account != null)
&& (session.getSessionKey().equals(sessionKey))
&& (session.getAccountId() == uid)
&& (session.isValidSession())
)
request.setSecurityContext(new Authorizer(account, session));
else
request.setSecurityContext(new Authorizer());
}
catch (Exception ex)
{
//TODO:: ONLY PRINT IN DEBUG MODE
ex.printStackTrace();
return;
}
}
}
但是由于某种原因,安全注释@DenyAll被忽略,我得到了200的响应。这一切之所以发生,是因为我现在完全困惑不解
编辑::
我刚刚注意到,我的grizzly servlet只忽略了安全注释,你知道为什么会发生这种情况吗
public class WebTest extends JerseyTest {
protected static SimpleDateFormat sdf = null;
protected static GensonProvider gesonProvider = null;
protected static HibernateSessionFacotry sessionFactory = null;
@Override
protected Application configure() {
enable(TestProperties.LOG_TRAFFIC);
enable(TestProperties.DUMP_ENTITY);
return new ApplicationResourceConfig();
}
@Override
protected TestContainerFactory getTestContainerFactory() throws TestContainerException {
return new TestContainerFactory() {
@Override
public TestContainer create(final URI baseUri, ApplicationHandler application)
throws IllegalArgumentException {
return new TestContainer() {
private HttpServer server;
@Override
public ClientConfig getClientConfig() {
return null;
}
@Override
public URI getBaseUri() {
return baseUri;
}
@Override
public void start() {
try {
this.server =
GrizzlyWebContainerFactory.create(baseUri);
WebappContext context = new WebappContext("WebappContext", "");
context.addContextInitParameter("contextConfigLocation", "classpath:applicationContext.xml");
context.addListener(org.springframework.web.context.ContextLoaderListener.class);
ServletRegistration registration = context.addServlet("ServletContainer", org.glassfish.jersey.servlet.ServletContainer.class);
registration.addMapping("/*");
registration.setInitParameter("jersey.config.server.provider.packages", "com.property.filters.auditing;com.property.filters.security;com.property.filters.versioning;com.property.resources");
registration.setInitParameter("com.sun.jersey.config.feature.Trace", "true");
context.deploy(server);
} catch (ProcessingException e) {
throw new TestContainerException(e);
} catch (IOException e) {
throw new TestContainerException(e);
}
}
@Override
public void stop() {
this.server.stop();
}
};
}
};
}
public void setUp() throws Exception {
super.setUp();
sdf = new SimpleDateFormat("dd/MM/yyyy");
assertNotNull(sdf);
gesonProvider = new GensonProvider();
assertNotNull(gesonProvider);
sessionFactory = new HibernateSessionFacotry();
assertNotNull(sessionFactory);
}
public void tearDown() throws Exception {
super.tearDown();
}
}
忘了提到ContainerRequestFilter筛选器已成功调用,并且安全上下文是在我修改资源以包含@Context SecurityContext sc时创建的,并且成功填充了@Context SecurityContext sc,并且isUserInRole返回了正确的值。问题似乎是像DenyAll这样的安全性注释被忽略了,只在grizzly中忽略了安全性注释。在tomcat上,它们工作得很好。但是我仍然需要他们在grizzly上工作,因为我使用它作为我的测试框架,并尝试在
ApplicationResourceConfig
中注册您的SecurityFilter
。你确定你的过滤器被调用了吗。在真正的servlet容器上使用相同的示例效果如何?