Java Jersey REST 服务上的用户身份验证
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/2902427/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
User authentication on a Jersey REST service
提问by Stefan
I am developing a REST application, which is using the Jersey framework. I would like to know how I can control user authentication. I have searched many places, and the closest article I have found is this: http://weblogs.java.net/blog/2008/03/07/authentication-jersey.
我正在开发一个使用 Jersey 框架的 REST 应用程序。我想知道如何控制用户身份验证。我搜索了很多地方,找到的最接近的文章是这样的:http: //weblogs.java.net/blog/2008/03/07/authentication-jersey。
However this article can only be used with a GlassFish server and an attached database. Is there anyway that I can implement an interface in Jersey and use it as a filter before reaching the requested REST resource?
但是,本文只能与 GlassFish 服务器和附加数据库一起使用。无论如何,我可以在 Jersey 中实现一个接口并在到达请求的 REST 资源之前将其用作过滤器吗?
I want to use basic authentication right now, but it should be flexible enough such that I can change that at a later time.
我现在想使用基本身份验证,但它应该足够灵活,以便我可以在以后更改。
采纳答案by Magnus Eklund
I'm sucessfully using spring security for securing my Jersey-based API. It has pluggable authentication schemes allowing you to switch from Basic Auth to something else later. I'm not using Spring in general, just the security stuff.
我成功地使用 spring 安全来保护我基于 Jersey 的 API。它具有可插入的身份验证方案,允许您稍后从基本身份验证切换到其他身份验证。我一般不使用 Spring,只使用安全性的东西。
Here is the relevant part from my web.xml
这是我的 web.xml 中的相关部分
<listener>
<listener-class>
org.springframework.web.context.ContextLoaderListener
</listener-class>
</listener>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/security-applicationContext.xml,
/WEB-INF/applicationContext.xml
</param-value>
</context-param>
<!-- Enables Spring Security -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>
org.springframework.web.filter.DelegatingFilterProxy
</filter-class>
<init-param>
<param-name>targetBeanName</param-name>
<param-value>springSecurityFilterChain</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
You can leave applicationContext.xml empty (<beans></beans>). An example of the security-applicationContext.xml can be found here
您可以将 applicationContext.xml 留空 (<beans></beans>)。可以在此处找到 security-applicationContext.xml 的示例
回答by Nick Klauer
I'm working on something similar to this. In my implementation, we have Apache httpd front-ended to handle HTTP Basic authentication and it simply forwards all requests with some header information containing the user and roles.
我正在做类似的事情。在我的实现中,我们使用 Apache httpd 前端来处理 HTTP 基本身份验证,它只是转发所有请求,其中包含一些包含用户和角色的标头信息。
From that, I'm working on parsing these pieces out using a servlet filterto wrap the HttpServletRequestusing a post I found on CodeRanch. This allows me to use the javax.annotation.securityannotations like @RolesAllowedon each resource I want to filter. To get all of these pieces working, however, I had to add the following to my servlet in the web.xml:
从那时起,我正在使用servlet 过滤器解析这些片段,以HttpServletRequest使用我在CodeRanch 上找到的帖子来包装它们。这使我可以javax.annotation.security像@RolesAllowed在要过滤的每个资源上一样使用注释。然而,为了让所有这些部分工作,我必须将以下内容添加到我的 servlet 中web.xml:
<servlet>
<!-- some other settings and such
... -->
<init-param>
<param-name>com.sun.jersey.spi.container.ResourceFilters</param-name>
<param-value>com.sun.jersey.api.container.filter.RolesAllowedResourceFilterFactory</param-value>
</init-param>
...
</servlet>
You might find that Eric Warriner's answer on a recent post of interest: Jersey, Tomcat and Security Annotations
您可能会发现 Eric Warriner 在最近一篇感兴趣的帖子中的回答: Jersey, Tomcat and Security Annotations
回答by ae6rt
Sure, you can use a traditional servlet filter for this.
当然,您可以为此使用传统的 servlet 过滤器。
Add the filter to your web.xml, check for whatever authentication headers you're using (Basic or Digest), perform your authentication logic based on those values, and store the result in a session attribute. In your Jersey resource (ctor probably), extract the auth result from the session attribute and continue processing or not based on whether this is the result you require.
将过滤器添加到您的 web.xml,检查您使用的任何身份验证标头(Basic 或 Digest),根据这些值执行您的身份验证逻辑,并将结果存储在会话属性中。在您的 Jersey 资源(可能是 ctor)中,从会话属性中提取身份验证结果并根据这是否是您需要的结果继续处理。
Your Jersey resource ctor would probably look like this:
您的 Jersey 资源 ctor 可能如下所示:
protected AbstractResource(@Context ServletContext servletContext,
@Context HttpServletRequest httpServletRequest) {
...
HttpSession session = httpServletRequest.getSession();
// get whatever you put in the session in the auth filter here and compare
}
回答by kalpesh
You can do it in two ways, either you write a simple servlet filter or you have to implement a ResourceFilterFactory and handle the auth in ContainerRequestFilter. The detailed code is in the link http://neopatel.blogspot.com/2011/11/jesey-writing-authentication-filter.html. I like the servlet filter approach personally as it give complete lifecycle control. However if you need more specifc things like accessing QueryParams or PathParams then ResourceFilterFactory is the way to go.
您可以通过两种方式来实现,要么编写一个简单的 servlet 过滤器,要么必须实现一个 ResourceFilterFactory 并在 ContainerRequestFilter 中处理身份验证。详细代码在链接http://neopatel.blogspot.com/2011/11/jesey-writing-authentication-filter.html 中。我个人喜欢 servlet 过滤器方法,因为它提供了完整的生命周期控制。但是,如果您需要更多特定的东西,例如访问 QueryParams 或 PathParams,那么 ResourceFilterFactory 是您的最佳选择。
回答by millebi
Have a look here, I'm in the middle of trying it, but it looks promising:
看看这里,我正在尝试它,但它看起来很有希望:
http://anismiles.wordpress.com/2012/03/02/securing-versioning-and-auditing-rest-jax-rs-jersey-apis/
http://anismiles.wordpress.com/2012/03/02/securing-versioning-and-auditing-rest-jax-rs-jersey-apis/
This example is much simpler than attempting to implement JASPI/JASPIC and gives better granularity to the individual methods (@RolesAllowed, @PermitAll, @DenyAll, etc...).
此示例比尝试实现 JASPI/JASPIC 简单得多,并且为各个方法(@RolesAllowed、@PermitAll、@DenyAll 等)提供了更好的粒度。
(I know this is an old thread, but just adding potentially useful information)
(我知道这是一个旧线程,但只是添加了可能有用的信息)
