Java Jersey web service basic authentication does not prompt for username and password


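I have implemented a Jersey web service and am trying to authenticate it by asking for a username and password when someone calls the web service from a browser. I am not sure what is missing in the code below: when someone calls the web service URL, instead of asking for credentials it goes directly to the AuthFilter class below. Please help me find the issue. Below is the code. I have also added the CXF authentication I used earlier, which I am now trying to implement with Jersey.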

AuthFilter class

Web.xml servlet mapping

CXF basic authentication

public class AuthenticationFilter implements RequestHandler {

private static Logger logger = Logger.getLogger(AuthenticationFilter.class);

private static final String RIGHT_INVOKE_WEBSERVICE = "INVOKE_WEBSERVICE";

@Autowired
private UserInfoService userInfoService;

public Response handleRequest(Message request, ClassResourceInfo resourceClass) {

    AuthorizationPolicy policy = (AuthorizationPolicy) request.get(AuthorizationPolicy.class);
    if (policy == null) {
        // issue an authentication challenge to give invoker a chance to reply with credentials
        // (this is useful if web service is being called from a browser)
        return Response.status(Status.UNAUTHORIZED).header("WWW-Authenticate", "Basic").build();
    }

    // check authorization realm - we currently only support Basic authentication
    String realm = policy.getAuthorizationType();
    if (!"Basic".equalsIgnoreCase(realm)) {
        return Response.status(Status.UNAUTHORIZED).header("WWW-Authenticate", "Basic").build();
    }

    final String username = policy.getUserName();
    final String password = policy.getPassword();

    try {
        boolean isRightExists = false;

        DetailedUser detailedUser = userInfoService.readUserInfoAsUser(username, password);

        if (detailedUser != null) {
            Set<String> rights = detailedUser.getRights();

            for (String right : rights) {
                //TODO: We have additional rights to check
                if (RIGHT_INVOKE_WEBSERVICE.equalsIgnoreCase(right)) {
                    isRightExists = true;
                }
            }
        }

        if (!isRightExists) {
            return ErrorFactory.newFault(CommonError.ACCESS_DENIED);
        }

    } catch (AuthenticationException ae) {
        return ErrorFactory.newFault(CommonError.AUTHENTICATION_FAILED);
    }

    return null;
}
}

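You seem to be confusing basic authentication with form authentication. Basic authentication uses headers, while form authentication displays a login form. Basic authentication is based on the following header: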

WWW-Authenticate

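I know form authentication and I am not looking for form authentication; I used to use CXF for authentication, and that worked fine for us. I clearly mentioned that when someone calls the web service, it should present a popup asking for username and password.

@user3157090 Basic auth does not require a username and password; it requires the mentioned header, with the encrypted username and password as its value.

I just added the code I used for CXF. Please see my code at the bottom, under CXF basic authentication. We get the username and password only from the header, but when someone calls the web service it asks for the username and password in a popup.
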
<servlet>
    <servlet-name>restwebservice</servlet-name>
    <servlet-class>
        com.sun.jersey.spi.spring.container.servlet.SpringServlet
    </servlet-class>
    <init-param>
        <param-name>com.sun.jersey.spi.container.ContainerRequestFilters</param-name>
        <param-value>com.sun.jersey.api.container.filter.LoggingFilter;com.guthyrenker.inventory.ws.rest.v1.security.AuthFilter</param-value>
    </init-param>
    <init-param>
        <param-name>com.sun.jersey.config.property.packages</param-name>
        <param-value>com.guthyrenker.inventory.ws.rest.v1.service</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>

<servlet-mapping>
    <servlet-name>restwebservice</servlet-name>
    <url-pattern>/rest/*</url-pattern>
</servlet-mapping>
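
What the browser prompt depends on, as an added example for Jersey 1.x (not the asker's AuthFilter, which is not shown on this page): a `ContainerRequestFilter` that answers any request lacking Basic credentials with 401 and a `WWW-Authenticate` challenge, the same behaviour as the CXF handler above. The class name, the realm and the `API_USER`/`API_PASSWORD` environment variables are assumptions; the filter would be listed in the `ContainerRequestFilters` init-param as in the web.xml above.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import com.sun.jersey.spi.container.ContainerRequest;
import com.sun.jersey.spi.container.ContainerRequestFilter;
// Added example (hypothetical class), not the AuthFilter from the question.
public class BasicAuthChallengeFilter implements ContainerRequestFilter {
    private static final String REALM = "rest-api"; // constructed realm name

    @Override
    public ContainerRequest filter(ContainerRequest request) {
        String header = request.getHeaderValue(HttpHeaders.AUTHORIZATION);
        // Missing or non-Basic credentials: reply 401 with a challenge so the browser prompts.
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            throw challenge();
        }
        String decoded;
        try {
            byte[] raw = Base64.getDecoder().decode(header.substring(6).trim());
            decoded = new String(raw, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException malformedBase64) {
            throw challenge();
        }
        // Payload is "user:password"; split on the first colon, the password may contain more.
        int colon = decoded.indexOf(':');
        if (colon < 0 || !isValid(decoded.substring(0, colon), decoded.substring(colon + 1))) {
            throw challenge();
        }
        return request; // authenticated, continue to the resource method
    }

    private static WebApplicationException challenge() {
        return new WebApplicationException(Response.status(Response.Status.UNAUTHORIZED)
                .header(HttpHeaders.WWW_AUTHENTICATE, "Basic realm=\"" + REALM + "\"")
                .build());
    }

    // Assumption: expected credentials come from API_USER / API_PASSWORD (constructed names).
    private static boolean isValid(String user, String password) {
        return same(System.getenv("API_USER"), user) & same(System.getenv("API_PASSWORD"), password);
    }
    private static boolean same(String expected, String given) {
        return expected != null && MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8), given.getBytes(StandardCharsets.UTF_8));
    }
}
```

Basic credentials are only base64-encoded, so the endpoint should be served over TLS. With `LoggingFilter` listed first in `ContainerRequestFilters`, the `Authorization` header is also written to the log.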