How to do Rest Authentication with JAX-RS

前端 未结 2 1653
北荒
北荒 2021-02-08 18:16

I am looking for some pointers on how to secure my rest root resource

@Path(\"/employee\")
public class EmployeeResource {

    @GET
    @Produces(\"text/html\"         


        
相关标签:
2条回答
  • 2021-02-08 18:49

    The way I know is to add to your webapp's web.xml. Minimally, I think you need to add:

    <!-- Specifies what and how to protect *part* of a webapp -->
    <security-constraint>
    
        <!-- WHAT TO PROTECT -->
        <web-resource-collection>
             <web-resource-name>employee-related-urls</web-resource-name>
             <!-- You might need to list other patterns too with more of these -->
             <url-pattern>/employee/*</url-pattern>
        </web-resource-collection>
    
        <!-- WHO IS ALLOWED IN -->
        <auth-constraint>
             <!-- I assume something sensible here! -->
             <role-name>employee</role-name>
        </auth-constraint>
    
        <!-- HOW TO PROTECT THE REQUESTS AND RESPONSES -->
        <user-data-constraint>
             <!-- Force HTTPS (or equivalent, in a formal sense) -->
             <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    
    <!-- HOW TO WORK OUT WHO IS ASKING -->
    <login-config>
        <!-- This is how to specify BASIC HTTP auth; look up docs for OAuth yourself -->
        <auth-method>BASIC</auth-method>
        <!-- Omit the next element to use the container's default -->
        <realm-name>site</realm-name>
    </login-config>
    
    0 讨论(0)
  • 2021-02-08 19:02

    Declare an interceptor:

     <bean id="securityInterceptor" class="AuthenticatorInterceptor">
    <property name="users">
      <map>
    <entry key="someuser" value="somepassword"/>
      </map>
    </property>
    

    Then use it:

      <jaxrs:server address="/">
          <jaxrs:inInterceptors>
              <ref bean="securityInterceptor"/>
          </jaxrs:inInterceptors>
          (etc)
    

    Then your AuthenticationInterceptor, along the lines of:

    import java.util.Map;
    
    import org.apache.cxf.message.Message;
    import org.apache.cxf.phase.PhaseInterceptor;
    import org.apache.cxf.phase.AbstractPhaseInterceptor;
    import org.apache.cxf.phase.Phase;
    import org.apache.cxf.configuration.security.AuthorizationPolicy;
    import org.apache.cxf.interceptor.Interceptor;
    
    import org.springframework.beans.factory.annotation.Required;
    
    public class AuthenticatorInterceptor extends AbstractPhaseInterceptor<Message> {
    
        private Map<String,String> users;
    
        @Required
        public void setUsers(Map<String, String> users) {
            this.users = users;
        }
    
        public AuthenticatorInterceptor() {
            super(Phase.RECEIVE);
        }
    
        public void handleMessage(Message message) {
    
            AuthorizationPolicy policy = message.get(AuthorizationPolicy.class);
    
        if (policy == null) {
            System.out.println("User attempted to log in with no credentials");
            throw new RuntimeException("Denied");
            }
    
        String expectedPassword = users.get(policy.getUserName());
        if (expectedPassword == null || !expectedPassword.equals(policy.getPassword())) {
            throw new RuntimeException("Denied");
        }
        }
    
    }
    

    Defining acceptable credentials in a more convenient way is left as an exercise for the reader.

    0 讨论(0)
提交回复
热议问题