当前位置: 文江博客 话题详情

Jersey REST 服务上的用户身份验证

发布于 2024-09-02 09:44:04 字数 368 浏览 2 评论 0 原文

我正在开发一个 REST 应用程序,它使用 Jersey 框架。我想知道如何控制用户身份验证。我搜索了很多地方,找到的最接近的文章是这样的: http ://weblogs.java.net/blog/2008/03/07/authentication-jersey

但是,本文只能与 GlassFish 服务器和附加数据库一起使用。无论如何,我可以在 Jersey 中实现一个接口,并在到达请求的 REST 资源之前将其用作过滤器吗?

我现在想使用基本身份验证,但它应该足够灵活,以便我可以稍后更改。

原文

I am developing a REST application, which is using the Jersey framework. I would like to know how I can control user authentication. I have searched many places, and the closest article I have found is this: http://weblogs.java.net/blog/2008/03/07/authentication-jersey.

However this article can only be used with a GlassFish server and an attached database. Is there anyway that I can implement an interface in Jersey and use it as a filter before reaching the requested REST resource?

I want to use basic authentication right now, but it should be flexible enough such that I can change that at a later time.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(5

空城旧梦 2024-09-09 09:44:04

我成功地使用 Spring Security 来保护我的基于 Jersey 的 API。它具有可插入的身份验证方案,允许您稍后从基本身份验证切换到其他身份验证。我一般不使用Spring,只是安全方面的东西。

这是我的 web.xml 中的相关部分,

<listener>
    <listener-class>
        org.springframework.web.context.ContextLoaderListener
    </listener-class>
</listener>

<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        /WEB-INF/security-applicationContext.xml,
        /WEB-INF/applicationContext.xml
    </param-value>
</context-param>

<!-- Enables Spring Security -->

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>
        org.springframework.web.filter.DelegatingFilterProxy
    </filter-class>
    <init-param>
        <param-name>targetBeanName</param-name>
        <param-value>springSecurityFilterChain</param-value>
    </init-param>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>

</filter-mapping>

您可以将 applicationContext.xml 留空()。 security-applicationContext.xml 的示例可以在此处找到

I'm sucessfully using spring security for securing my Jersey-based API. It has pluggable authentication schemes allowing you to switch from Basic Auth to something else later. I'm not using Spring in general, just the security stuff.

Here is the relevant part from my web.xml

<listener>
    <listener-class>
        org.springframework.web.context.ContextLoaderListener
    </listener-class>
</listener>

<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        /WEB-INF/security-applicationContext.xml,
        /WEB-INF/applicationContext.xml
    </param-value>
</context-param>

<!-- Enables Spring Security -->

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>
        org.springframework.web.filter.DelegatingFilterProxy
    </filter-class>
    <init-param>
        <param-name>targetBeanName</param-name>
        <param-value>springSecurityFilterChain</param-value>
    </init-param>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>

</filter-mapping>

You can leave applicationContext.xml empty (<beans></beans>). An example of the security-applicationContext.xml can be found here

回复 原文
转瞬即逝 2024-09-09 09:44:04

我正在做类似的事情。在我的实现中,我们有 Apache httpd 前端来处理 HTTP Basic 身份验证,它只是转发带有一些包含用户和角色的标头信息的所有请求。

由此,我正在使用 servlet 过滤器 解析这些部分使用我在 HttpServletRequest “nofollow noreferrer”>CodeRanch。这允许我在我想要过滤的每个资源上使用 javax.annotation.security 注释,例如 @RolesAllowed。然而,为了让所有这些部分正常工作,我必须将以下内容添加到 web.xml 中的 servlet:

<servlet>
  <!-- some other settings and such 
  ... -->
  <init-param>
    <param-name>com.sun.jersey.spi.container.ResourceFilters</param-name>
    <param-value>com.sun.jersey.api.container.filter.RolesAllowedResourceFilterFactory</param-value>
  </init-param>
  ...
</servlet>

您可能会发现 Eric Warriner 在最近感兴趣的帖子中的回答:
Jersey、Tomcat 和安全注释

I'm working on something similar to this. In my implementation, we have Apache httpd front-ended to handle HTTP Basic authentication and it simply forwards all requests with some header information containing the user and roles.

From that, I'm working on parsing these pieces out using a servlet filter to wrap the HttpServletRequest using a post I found on CodeRanch. This allows me to use the javax.annotation.security annotations like @RolesAllowed on each resource I want to filter. To get all of these pieces working, however, I had to add the following to my servlet in the web.xml:

<servlet>
  <!-- some other settings and such 
  ... -->
  <init-param>
    <param-name>com.sun.jersey.spi.container.ResourceFilters</param-name>
    <param-value>com.sun.jersey.api.container.filter.RolesAllowedResourceFilterFactory</param-value>
  </init-param>
  ...
</servlet>

You might find that Eric Warriner's answer on a recent post of interest:
Jersey, Tomcat and Security Annotations

回复 原文
榕城若虚 2024-09-09 09:44:04

看看这里,我正在尝试它,但它看起来很有希望:

http://anismiles.wordpress.com/2012/03/02/securing-versioning-and-auditing-rest-jax-rs-jersey-apis/

这个示例比尝试实现 JASPI/JASPIC 简单得多,并且为各个方法(@RolesAllowed、@PermitAll、@DenyAll 等)提供了更好的粒度。

(我知道这是一个旧线程,但只是添加潜在有用的信息)

Have a look here, I'm in the middle of trying it, but it looks promising:

http://anismiles.wordpress.com/2012/03/02/securing-versioning-and-auditing-rest-jax-rs-jersey-apis/

This example is much simpler than attempting to implement JASPI/JASPIC and gives better granularity to the individual methods (@RolesAllowed, @PermitAll, @DenyAll, etc...).

(I know this is an old thread, but just adding potentially useful information)

回复 原文
攀登最高峰 2024-09-09 09:44:04

当然,您可以使用传统的 servlet 过滤器来实现此目的。

将过滤器添加到 web.xml,检查您正在使用的任何身份验证标头(Basic 或 Digest),根据这些值执行身份验证逻辑,并将结果存储在会话属性中。在您的 Jersey 资源(可能是 ctor)中,从会话属性中提取身份验证结果,并根据这是否是您需要的结果来继续处理。

您的 Jersey 资源构造函数可能如下所示:

protected AbstractResource(@Context ServletContext servletContext, 
    @Context HttpServletRequest httpServletRequest) {

    ...

    HttpSession session = httpServletRequest.getSession();
    // get whatever you put in the session in the auth filter here and compare
}

Sure, you can use a traditional servlet filter for this.

Add the filter to your web.xml, check for whatever authentication headers you're using (Basic or Digest), perform your authentication logic based on those values, and store the result in a session attribute. In your Jersey resource (ctor probably), extract the auth result from the session attribute and continue processing or not based on whether this is the result you require.

Your Jersey resource ctor would probably look like this:

protected AbstractResource(@Context ServletContext servletContext, 
    @Context HttpServletRequest httpServletRequest) {

    ...

    HttpSession session = httpServletRequest.getSession();
    // get whatever you put in the session in the auth filter here and compare
}
回复 原文
黒涩兲箜 2024-09-09 09:44:04

您可以通过两种方式完成此操作,要么编写一个简单的 servlet 过滤器,要么必须实现 ResourceFilterFactory 并在 ContainerRequestFilter 中处理身份验证。详细代码位于链接http://neopatel.blogspot。 com/2011/11/jesey-writing-authentication-filter.html。我个人喜欢 servlet 过滤器方法,因为它提供了完整的生命周期控制。但是,如果您需要更具体的东西,例如访问 QueryParams 或 PathParams,那么 ResourceFilterFactory 就是您的最佳选择。

You can do it in two ways, either you write a simple servlet filter or you have to implement a ResourceFilterFactory and handle the auth in ContainerRequestFilter. The detailed code is in the link http://neopatel.blogspot.com/2011/11/jesey-writing-authentication-filter.html. I like the servlet filter approach personally as it give complete lifecycle control. However if you need more specifc things like accessing QueryParams or PathParams then ResourceFilterFactory is the way to go.

回复 原文
~没有更多了~

关于作者

请远离我

暂无简介

0 文章
0 评论
22 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

lioqio

文章 0 评论 0

Single

文章 0 评论 0

禾厶谷欠

文章 0 评论 0

alipaysp_2zg8elfGgC

文章 0 评论 0

qq_N6d4X7

文章 0 评论 0

放低过去

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文