Jersey 2.x security context not working?

4

When I try to create a Java Jersey application, the authentication roles are not working for me.

Java code:

package org.student.resource;

import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.ext.Provider;

@Path("/resource")
@PermitAll
public class Resource {

    @GET
    public String get() {
        return "GET";
    }

    @RolesAllowed("admin")
    @POST
    public String post() {
        return "Post content.";
    }
}

Deployment descriptor:

<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://xmlns.jcp.org/xml/ns/javaee"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
id="WebApp_ID" version="3.1">
<display-name>JerseyAuthentication</display-name>
<servlet>
    <servlet-name>Application</servlet-name>
    <servlet-class>org.glassfish.jersey.servlet.ServletContainer</servlet-class>
</servlet>
<servlet-mapping>
    <servlet-name>Application</servlet-name>
    <url-pattern>/*</url-pattern>
</servlet-mapping>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Resource</web-resource-name>
        <url-pattern>/resource/*</url-pattern>
        <http-method>GET</http-method>
    </web-resource-collection>
</security-constraint>
<welcome-file-list>
    <welcome-file>login.html</welcome-file>
</welcome-file-list>
 </web-app>

Headers:

Cache-Control →private
Content-Language →en
Content-Length →1010
Content-Type →text/html;charset=utf-8
Date →Sat, 19 Sep 2015 08:14:18 GMT
Expires →Thu, 01 Jan 1970 05:30:00 IST
Server →Apache-Coyote/1.1

Please help me, I want to know how to assign roles to resources.

1 Answer

3

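You need to do three things:

First...

Set up a security realm in Tomcat (I am assuming that is the server, as indicated by Server → Apache-Coyote/1.1). You can learn more about creating realms in the Realm Configuration HOW-TO.

The simplest realm configuration is the UserDatabaseRealm, but it is not recommended for production. It is only there to get you up and running quickly during development. You just need to go to the tomcat-users.xml file under ${TOMCAT_HOME}/conf and edit the file so that it looks something like this: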

<tomcat-users>
  <user username="Murugesan" password="secret" roles="admin" />
  <user username="peeskillet"  password="superSecret" roles="user"  />
</tomcat-users>

Second...

You still need to do some configuration in web.xml. You need to do the following:

  1. Declare the roles allowed to use the application. You can put this below the </security-constraint>

    <security-role>
        <role-name>user</role-name>
    </security-role>
    <security-role>
        <role-name>admin</role-name>
    </security-role>
    
  2. Declare the roles allowed to access the path defined in the <security-constraint>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Protected Area</web-resource-name>
            <url-pattern>/api/protected/*</url-pattern>
            <http-method>GET</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>*</role-name>
        </auth-constraint>
    </security-constraint>
    

    Here we are saying that any authenticated user (*) with one of the declared roles is allowed through the servlet container security control on through to the Jersey application. Alternatively, you can define the roles instead of *. This will cause the servlet container to handle the access control. But if you want more fine-grained control, just let all authenticated users in, and handle the access control inside Jersey with the annotations like you are currently doing.

  3. You need to define the <login-config> to declare what type of authentication. There are only three: FORM, DIGEST, BASIC. Here we will use BASIC, and also declare the realm in which the users are located.

    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>UserDatabaseRealm</realm-name>
    </login-config>
    

    You can put this below the </security-role>

Finally...

You just need to register the RolesAllowedDynamicFeature in web.xml so that Jersey is configured to handle the security annotations.

<servlet>
    <servlet-name>Application</servlet-name>
    <servlet-class>org.glassfish.jersey.servlet.ServletContainer</servlet-class>
    <init-param>
        <param-name>jersey.config.server.provider.packages</param-name>
        <param-value>org.student.resource</param-value>
    </init-param>
    <init-param>
        <param-name>jersey.config.server.provider.classnames</param-name>
        <param-value>
            org.glassfish.jersey.server.filter.RolesAllowedDynamicFeature
        </param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>

See also:


I don't know. For some reason, it seems the jar is not being built into the war. Have you checked the WEB-INF/lib directory of the exploded war on the Tomcat server? - Paul Samsotha
1
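Maybe you need to include it in the server lib rather than the application lib. - Paul Samsotha
I have also included the server library in the Java build path. - Murugesan M
How to put the MySQL connector into the Tomcat lib. - Murugesan M
@Mr.peeskillet, it is working fine now, thanks for your help. I want connection pooling and to use it. Please provide some links telling me how to do that. - Murugesan M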
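
An added example, not part of the original question or answer: a small Python check (the helper names `texts` and `audit_web_xml` are hypothetical) that parses a web.xml and reports which of the descriptor steps from the answer are missing, run here on a constructed, trimmed copy of the question's descriptor. It also flags constraints that list <http-method>, because under the servlet specification HTTP methods that are not listed are not covered by that constraint.

```python
import xml.etree.ElementTree as ET

NS = {"j": "http://xmlns.jcp.org/xml/ns/javaee"}
FEATURE = "org.glassfish.jersey.server.filter.RolesAllowedDynamicFeature"

# Constructed sample: the question's descriptor, trimmed to the relevant elements.
QUESTION_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>Application</servlet-name>
    <servlet-class>org.glassfish.jersey.servlet.ServletContainer</servlet-class>
  </servlet>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Resource</web-resource-name>
      <url-pattern>/resource/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
  </security-constraint>
</web-app>"""


def texts(node, path):
    """Stripped text of every element matching path under node."""
    return [(e.text or "").strip() for e in node.findall(path, NS)]


def audit_web_xml(xml_text):
    """Return findings for the web.xml steps listed in the answer (hypothetical helper)."""
    root = ET.fromstring(xml_text)
    findings = []
    declared = set(texts(root, "j:security-role/j:role-name"))
    if not declared:
        findings.append("no <security-role> declared")
    for sc in root.findall("j:security-constraint", NS):
        name = sc.findtext("j:web-resource-collection/j:web-resource-name", "?", NS)
        if sc.find("j:auth-constraint", NS) is None:
            findings.append(f"constraint '{name}': no <auth-constraint>, nobody has to log in")
        for role in texts(sc, "j:auth-constraint/j:role-name"):
            if role != "*" and role not in declared:
                findings.append(f"constraint '{name}': role '{role}' is not declared")
        methods = texts(sc, "j:web-resource-collection/j:http-method")
        if methods:  # servlet spec: methods not listed are not covered by this constraint
            findings.append(f"constraint '{name}': covers only {methods}")
    if not texts(root, "j:login-config/j:auth-method"):
        findings.append("no <login-config> with an <auth-method>")
    if not any(FEATURE in v for v in texts(root, "j:servlet/j:init-param/j:param-value")):
        findings.append("RolesAllowedDynamicFeature is not registered")
    return findings
```

Calling `audit_web_xml(QUESTION_WEB_XML)` returns five findings for the question's descriptor; a descriptor with all three web.xml steps applied and no <http-method> restriction returns an empty list.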