如何使用JAX-RS进行Rest身份验证
我正在寻找一些关于如何保护我的rest根资源的指针如何使用JAX-RS进行Rest身份验证,rest,jakarta-ee,jersey,jax-rs,restful-authentication,Rest,Jakarta Ee,Jersey,Jax Rs,Restful Authentication,我正在寻找一些关于如何保护我的rest根资源的指针 @Path("/employee") public class EmployeeResource { @GET @Produces("text/html") public String get( @QueryParam("name") String empname, @QueryParam("sn") String sn) { // Return a data bac
@Path("/employee")
public class EmployeeResource {
@GET
@Produces("text/html")
public String get(
@QueryParam("name") String empname,
@QueryParam("sn") String sn) {
// Return a data back.
}
}
我读过关于基本授权和OAuth的帖子,我知道这个概念,但我正在寻找如何在代码中实现它的方法
谢谢我知道的方法是添加到你的webapp的
web.xml
。至少,我认为您需要添加:
<!-- Specifies what and how to protect *part* of a webapp -->
<security-constraint>
<!-- WHAT TO PROTECT -->
<web-resource-collection>
<web-resource-name>employee-related-urls</web-resource-name>
<!-- You might need to list other patterns too with more of these -->
<url-pattern>/employee/*</url-pattern>
</web-resource-collection>
<!-- WHO IS ALLOWED IN -->
<auth-constraint>
<!-- I assume something sensible here! -->
<role-name>employee</role-name>
</auth-constraint>
<!-- HOW TO PROTECT THE REQUESTS AND RESPONSES -->
<user-data-constraint>
<!-- Force HTTPS (or equivalent, in a formal sense) -->
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<!-- HOW TO WORK OUT WHO IS ASKING -->
<login-config>
<!-- This is how to specify BASIC HTTP auth; look up docs for OAuth yourself -->
<auth-method>BASIC</auth-method>
<!-- Omit the next element to use the container's default -->
<realm-name>site</realm-name>
</login-config>
与员工相关的URL
/雇员/*
雇员
保密的
基本的
网站
声明拦截器:
<bean id="securityInterceptor" class="AuthenticatorInterceptor">
<property name="users">
<map>
<entry key="someuser" value="somepassword"/>
</map>
</property>
然后使用它:
<jaxrs:server address="/">
<jaxrs:inInterceptors>
<ref bean="securityInterceptor"/>
</jaxrs:inInterceptors>
(etc)
(等)
然后是您的AuthenticationInterceptor,大致如下:
import java.util.Map;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.PhaseInterceptor;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.configuration.security.AuthorizationPolicy;
import org.apache.cxf.interceptor.Interceptor;
import org.springframework.beans.factory.annotation.Required;
public class AuthenticatorInterceptor extends AbstractPhaseInterceptor<Message> {
private Map<String,String> users;
@Required
public void setUsers(Map<String, String> users) {
this.users = users;
}
public AuthenticatorInterceptor() {
super(Phase.RECEIVE);
}
public void handleMessage(Message message) {
AuthorizationPolicy policy = message.get(AuthorizationPolicy.class);
if (policy == null) {
System.out.println("User attempted to log in with no credentials");
throw new RuntimeException("Denied");
}
String expectedPassword = users.get(policy.getUserName());
if (expectedPassword == null || !expectedPassword.equals(policy.getPassword())) {
throw new RuntimeException("Denied");
}
}
}
import java.util.Map;
导入org.apache.cxf.message.message;
导入org.apache.cxf.phase.PhaseInterceptor;
导入org.apache.cxf.phase.AbstractPhaseInterceptor;
导入org.apache.cxf.phase.phase;
导入org.apache.cxf.configuration.security.AuthorizationPolicy;
导入org.apache.cxf.interceptor.interceptor;
导入org.springframework.beans.factory.annotation.Required;
公共类AuthenticatorInterceptor扩展了AbstractPhaseInterceptor{
私人地图用户;
@必需的
公共用户(地图用户){
this.users=用户;
}
公共身份验证接收器(){
超级(相位接收);
}
公共无效handleMessage(消息消息){
AuthorizationPolicy=message.get(AuthorizationPolicy.class);
如果(策略==null){
System.out.println(“用户试图在没有凭据的情况下登录”);
抛出新的运行时异常(“拒绝”);
}
字符串expectedPassword=users.get(policy.getUserName());
if(expectedPassword==null | |!expectedPassword.equals(policy.getPassword())){
抛出新的运行时异常(“拒绝”);
}
}
}
以更方便的方式定义可接受的凭据留给读者作为练习。谢谢Donal,我会研究一下。然后回来。