By default all my REST API endpoints are secured, how can I unsecure them? (Jersey)

Tags: rest, api, jakarta-ee, jersey-2.0

I have been using the Jersey REST API for a while now, and something new and strange has happened to me. Suddenly all my endpoints are secured. I used the @Secured annotation. Even when I remove it from my endpoint, I still need authorization to access the resource. I have tried accessing these resources via Postman, the IntelliJ REST client and the Chrome browser. Below is an example resource:

package com.leaders.bo;

import javax.ws.rs.*;
import javax.ws.rs.core.MediaType;

@Path("/majd")
public class majdResource {

    /**
     * Method handling HTTP GET requests. The returned object will be sent
     * to the client as "text/plain" media type.
     *
     * @return String that will be returned as a text/plain response.
     */
    @GET
    @Produces(MediaType.TEXT_PLAIN)
    public String getIt() {
        return "Got it!";
    }

    @PUT
    @Produces(MediaType.TEXT_PLAIN)
    public String getIt2() {
        return "Got it!";
    }

    @DELETE
    @Produces(MediaType.TEXT_PLAIN)
    public String getIt3() {
        return "Got it!";
    }

    @POST
    @Produces(MediaType.TEXT_PLAIN)
    public String getIt4() {
        return "Got it!";
    }
}
Below is the name binding for the annotation:

package com.leaders.bo.Resources;

import javax.ws.rs.NameBinding;

import java.lang.annotation.Retention;
import java.lang.annotation.Target;

import static java.lang.annotation.ElementType.METHOD;
import static java.lang.annotation.ElementType.TYPE;
import static java.lang.annotation.RetentionPolicy.RUNTIME;

/**
 * Created by Majd on 8/1/2017.
*/
@NameBinding
@Retention(RUNTIME)
@Target({TYPE, METHOD})
public @interface Secured { }
This is my authentication filter:

package com.leaders.bo.Resources;

import com.leaders.bo.dao.TokensDao;
import com.leaders.bo.dao.posDao;

import javax.annotation.Priority;
import javax.ws.rs.NotAuthorizedException;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;
import java.io.IOException;
import java.security.Principal;
import java.security.SignatureException;

/**
 * Created by Majd on 8/1/2017.
 */
@Provider
@Priority(Priorities.AUTHENTICATION)
public class AuthenticationFilter implements ContainerRequestFilter {

    @Override
    public void filter(ContainerRequestContext requestContext) throws IOException {
        // Get the HTTP Authorization header from the request
        String authorizationHeader =
                requestContext.getHeaderString(HttpHeaders.AUTHORIZATION);
        // Check if the HTTP Authorization header is present and formatted correctly
        // (the header is expected to carry the raw JWT, whose base64url header always starts with "ey")
        if (authorizationHeader == null || !authorizationHeader.startsWith("ey")) {
            throw new NotAuthorizedException("Authorization header must be provided");
        }

        // Extract the token from the HTTP Authorization header (there is no scheme prefix to strip)
        final String token = authorizationHeader.trim();

        try {
            // Validate the token
            validateToken(token, TokensDao.getCompanyNameFromToken(token));
        } catch (Exception e) {
            requestContext.abortWith(
                    Response.status(Response.Status.UNAUTHORIZED).build());
            return; // do not install a SecurityContext for a rejected request
        }

        final SecurityContext currentSecurityContext = requestContext.getSecurityContext();
        requestContext.setSecurityContext(new SecurityContext() {

            @Override
            public Principal getUserPrincipal() {
                return new Principal() {
                    @Override
                    public String getName() {
                        return token;
                    }
                };
            }

            @Override
            public boolean isUserInRole(String role) {
                return true;
            }

            @Override
            public boolean isSecure() {
                return currentSecurityContext.isSecure();
            }

            // returns the company name that the token is a part of.
            @Override
            public String getAuthenticationScheme() {
                return TokensDao.getCompanyNameFromToken(token);
            }
        });
    }

    private void validateToken(String token, String companyName) throws Exception {
        // Check if it was issued by the server and if it's not expired
        // Throw an Exception if the token is invalid
        if (!posDao.validateToken(token, companyName))
            throw new SignatureException();
    }
}

But for some reason every new endpoint I create ends up secured, even when I don't use the @Secured annotation. I have invalidated caches and restarted, rebuilt the application and deleted the source target directory, but nothing helps. Does anyone know how to fix this?
Thanks a lot

You also need the @Secured annotation on the filter class. That is what binds the methods to the filter. If the filter is not annotated, it runs for all endpoints. That is probably what was happening before, and you just assumed it was because of the annotation (you probably had the annotation on all the endpoints).
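As an added illustration of the answer (example code, not from the question or the answer), here is the filter re-declared with the @Secured name binding, next to a resource that mixes one open and one secured method. It assumes the Secured annotation from the question lives in com.leaders.bo.Resources, uses the standard Bearer scheme instead of the raw-token check in the question, and stands in the hypothetical isValid method for the question's posDao.validateToken lookup. The two classes are shown in one listing; each goes in its own file.

```java
package com.leaders.bo.Resources; // assumption: same package as the question's Secured annotation

import javax.annotation.Priority;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Priorities;
import javax.ws.rs.Produces;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;
import java.io.IOException;

/**
 * Name-bound filter: because it carries @Secured, Jersey applies it only to
 * resource classes or methods that also carry @Secured. Without @Secured here
 * the filter is global and every endpoint demands a token (the question's symptom).
 */
@Secured
@Provider
@Priority(Priorities.AUTHENTICATION)
public class SecuredOnlyAuthenticationFilter implements ContainerRequestFilter {

    private static final String BEARER_PREFIX = "Bearer ";

    @Override
    public void filter(ContainerRequestContext requestContext) throws IOException {
        String authorizationHeader = requestContext.getHeaderString(HttpHeaders.AUTHORIZATION);

        if (authorizationHeader == null || !authorizationHeader.startsWith(BEARER_PREFIX)) {
            // abortWith() only records the response; return so the rest of the filter does not run
            requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                    .header(HttpHeaders.WWW_AUTHENTICATE, "Bearer")
                    .build());
            return;
        }

        String token = authorizationHeader.substring(BEARER_PREFIX.length()).trim();
        if (!isValid(token)) {
            requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
            return;
        }
        // A real filter would install a SecurityContext here, as the question's filter does.
    }

    // Hypothetical stand-in for the question's posDao.validateToken(token, companyName);
    // a real implementation verifies signature, issuer and expiry.
    private boolean isValid(String token) {
        return !token.isEmpty();
    }
}

/** Resource mixing an open and a secured endpoint (assumed layout, not the question's resource). */
@Path("/majd")
class MajdResource {

    // No @Secured: the name-bound filter is skipped, so no token is needed.
    @GET
    @Produces(MediaType.TEXT_PLAIN)
    public String open() {
        return "public";
    }

    // @Secured: the filter runs and the request must carry a valid Bearer token.
    @GET
    @Path("/private")
    @Secured
    @Produces(MediaType.TEXT_PLAIN)
    public String secured() {
        return "private";
    }
}
```

Note the trade-off: with name binding, protection is opt-in, so a new method added without @Secured is reachable without a token, the inverse of the problem in the question. Because the annotation's @Target includes TYPE, placing @Secured on the resource class protects every method in that class and makes the open endpoints the explicit exception.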

Thanks a lot, it works fine. Sorry, I can't upvote yet, but once I can I will upvote your answer :)