Question
I am developing a Web application which uses JBoss RESTEasy (resteasy-jaxrs-3.0.8) but I want to disable the RoleBasedSecurityFilter.java and only use my own custom SecurityInterceptor class (which also implements javax.ws.rs.container.ContainerRequestFilter just as the RoleBasedSecurityFilter class does, so they are both security filters).
The reason for this is that line 43 in RoleBasedSecurityFilter.java calls an isUserInRole() method, which always returns false in my application. And as a result a ForbiddenException gets thrown, which prevents the user from accessing resources he should have access to.
I really like being able to use the @RolesAllowed annotation to declare which roles have access to certain functionalities, but as explained, the RoleBasedSecurityFilter class is blocking this. So my question is, does anyone know how to disable one specific RESTEasy filter (i.e. RoleBasedSecurityFilter)?
I'd imagine that it might be done in the deployment descriptor (web.xml) (for example with a context-param element), but I have no clue how to actually disable the filter.
I realize I could also change the line in the RoleBasedSecurityFilter.java file in the RESTEasy library I am using, but that approach is too hacky for me as I don't want to be stuck having to apply this hack again every time I would upgrade my RESTEasy version (not sure how often that would be, though).
Answer 1:
You can enable / disable the role based security by adding this configuration in the web.inf deployment descriptor.
    <context-param>
        <param-name>resteasy.role.based.security</param-name>
        <param-value>true</param-value>
    </context-param>
Hope this helps.
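An added example, not code from the question, the answer or RESTEasy itself: assuming resteasy.role.based.security is set to false so the built-in filter is not registered, nothing enforces @RolesAllowed unless the application's own filter reads the annotations, as the one below does. The class name is taken from the question; the "app.roles" request property is a hypothetical hand-off from the application's authentication step.

```java
import java.lang.reflect.Method;
import java.util.Set;
import javax.annotation.Priority;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.ResourceInfo;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

@Provider
@Priority(Priorities.AUTHORIZATION) // run after any authentication filter
public class SecurityInterceptor implements ContainerRequestFilter {
    @Context
    private ResourceInfo resourceInfo; // matched resource class and method

    @Override
    public void filter(ContainerRequestContext ctx) {
        Method m = resourceInfo.getResourceMethod();
        Class<?> c = resourceInfo.getResourceClass();
        // A method-level annotation overrides the class-level one.
        if (m.isAnnotationPresent(DenyAll.class)) { forbid(ctx); return; }
        if (m.isAnnotationPresent(PermitAll.class)) { return; }
        RolesAllowed allowed = m.getAnnotation(RolesAllowed.class);
        if (allowed == null) {
            if (c.isAnnotationPresent(DenyAll.class)) { forbid(ctx); return; }
            allowed = c.getAnnotation(RolesAllowed.class);
        }
        if (allowed == null) { return; } // no role restriction declared
        for (String role : allowed.value()) {
            if (callerRoles(ctx).contains(role)) { return; }
        }
        forbid(ctx); // fail closed: restriction declared, no matching role
    }

    // Hypothetical: an earlier filter stored a Set<String> under "app.roles".
    @SuppressWarnings("unchecked")
    private static Set<String> callerRoles(ContainerRequestContext ctx) {
        Object roles = ctx.getProperty("app.roles");
        return roles instanceof Set ? (Set<String>) roles : java.util.Collections.<String>emptySet();
    }
    private static void forbid(ContainerRequestContext ctx) {
        ctx.abortWith(Response.status(Response.Status.FORBIDDEN).build());
    }
}
```

A missing or malformed role set is treated as empty, so any resource that declares @RolesAllowed is refused with 403 rather than served.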
Source: https://stackoverflow.com/questions/26039920/is-it-possible-to-disable-rolebasedsecurityfilter-java-of-resteasy