JAX-RS authorization

kam*_*aci 9 java web-services jax-rs restlet

I have existing code in a class that extends javax.ws.rs.core.Application:

...
Context childContext = component.getContext().createChildContext();
JaxRsApplication application = new JaxRsApplication(childContext);
application.add(this);
application.setStatusService(new ErrorStatusService());
childContext.getAttributes().put("My Server", this);
...

ChallengeAuthenticator challengeGuard = new ChallengeAuthenticator(null, ChallengeScheme.HTTP_BASIC, "REST API Realm");
//Create in-memory users with roles
MemoryRealm realm = new MemoryRealm();
User user = new User("user", "user");
realm.getUsers().add(user);
realm.map(user, Role.get(null, "user"));
User owner = new User("admin", "admin");
realm.getUsers().add(owner);
realm.map(owner, Role.get(null, "admin"));
//Attach verifier to check authentication and enroler to determine roles
challengeGuard.setVerifier(realm.getVerifier());
challengeGuard.setEnroler(realm.getEnroler());
challengeGuard.setNext(application);
// Attach the application with HTTP basic authentication security
component.getDefaultHost().attach(challengeGuard);

There is no web.xml in my code. I want to add authorization to my code. This: https://restlet.com/technical-resources/restlet-framework/guide/2.3/core/security/authorization does not apply to me, because I don't have Restlet resources.

How can I implement JAX-RS authorization in code?

Edit 1: The existing code uses the Restlet JAX-RS extension: https://restlet.com/technical-resources/restlet-framework/guide/2.2/extensions/jaxrs

I tried this in my JAX-RS resource class:

@GET
@Path("/")
public String getStatus() {
  if (!securityContext.isUserInRole("admin")) {
    throw new WebApplicationException(Response.Status.FORBIDDEN);
  }
  ...
}

However, even when I log in as the admin user, it throws 403.

Edit 2:

When I look here: https://restlet.com/technical-resources/restlet-framework/guide/2.2/extensions/jaxrs there is a piece of code:

this.setRoleChecker(...); // if needed

This could solve my problem, but I don't know how to set the role checker.

PS: I use Jersey 1.9 and Restlet 2.2.3.

kam*_*aci 2

I could make it work like this:

Application class:

...
application.setRoles(getRoles(application));
... 
public static List<Role> getRoles(JaxRsApplication application) {
  List<Role> roles = new ArrayList<>();
  for (AuthorizationRoleEnum authorizationRole : AuthorizationRoleEnum.values()) {
      roles.add(new Role(application, authorizationRole.toString()));
  }
  return roles;
}
...

Authorization enum:

public enum AuthorizationRoleEnum {
  USER("user"),
  ADMIN("admin");

  private final String value;

  AuthorizationRoleEnum(String value) {
    this.value = value;
  }

  @Override
  public String toString() {
    return value;
  }

}

In my resource class:

...
@Context
SecurityContext securityContext;
...
allowOnlyAdmin(securityContext);
...
public void allowOnlyAdmin(SecurityContext securityContext) {
  if (securityContext.getAuthenticationScheme() != null
    && !securityContext.isUserInRole(AuthorizationRoleEnum.ADMIN.toString())) {
    throw new WebApplicationException(Response.status(Response.Status.FORBIDDEN)
      .entity("User does not have required " + AuthorizationRoleEnum.ADMIN + " role!").build());
  }
}
...
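The question's setup and the answer's fragments wired together into one startable server, as an added example that is not code from the question or the answer. It assumes Restlet 2.2.x with the org.restlet.ext.jaxrs extension (Jersey 1.x JAX-RS API) on the classpath; the class names SecuredJaxRsServer, StatusResource and StatusApplication, the port 8182 and the two demo accounts are constructed for the example. The point it shows beyond the fragments is that the Role objects registered on the JaxRsApplication via setRoles and the Role objects mapped to users in the MemoryRealm are the same instances, so the JAX-RS SecurityContext can resolve isUserInRole("admin") for a user enrolled by the guard.

```java
// Added example, not the asker's or answerer's code. Assumes Restlet 2.2.x + ext.jaxrs.
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;

import org.restlet.Component;
import org.restlet.data.ChallengeScheme;
import org.restlet.data.Protocol;
import org.restlet.ext.jaxrs.JaxRsApplication;
import org.restlet.security.ChallengeAuthenticator;
import org.restlet.security.MemoryRealm;
import org.restlet.security.Role;
import org.restlet.security.User;

public class SecuredJaxRsServer {

    /** Role names shared by the realm mapping and the resource checks. */
    public enum AuthorizationRoleEnum {
        USER("user"), ADMIN("admin");
        private final String value;
        AuthorizationRoleEnum(String value) { this.value = value; }
        @Override public String toString() { return value; }
    }

    /** JAX-RS resource: the guard in front authenticates, this class authorizes. */
    @Path("/")
    public static class StatusResource {
        @Context
        SecurityContext securityContext;

        @GET
        public String getStatus() {
            requireRole(securityContext, AuthorizationRoleEnum.ADMIN);
            return "status: ok, user=" + securityContext.getUserPrincipal().getName();
        }

        /** Fails closed: any caller without the role gets 403, whatever the scheme. */
        static void requireRole(SecurityContext ctx, AuthorizationRoleEnum role) {
            if (ctx == null || !ctx.isUserInRole(role.toString())) {
                throw new WebApplicationException(Response.status(Response.Status.FORBIDDEN)
                        .entity("User does not have required " + role + " role!").build());
            }
        }
    }

    /** The javax.ws.rs.core.Application that lists the resource classes. */
    public static class StatusApplication extends javax.ws.rs.core.Application {
        @Override
        public Set<Class<?>> getClasses() {
            Set<Class<?>> classes = new HashSet<>();
            classes.add(StatusResource.class);
            return classes;
        }
    }

    public static void main(String[] args) throws Exception {
        Component component = new Component();
        component.getServers().add(Protocol.HTTP, 8182); // constructed demo port

        JaxRsApplication application =
                new JaxRsApplication(component.getContext().createChildContext());
        application.add(new StatusApplication());

        // Roles belong to the JaxRsApplication (not Role.get(null, ...)); keep the
        // instances so the realm maps users to exactly these objects.
        List<Role> roles = new ArrayList<>();
        Role userRole = new Role(application, AuthorizationRoleEnum.USER.toString());
        Role adminRole = new Role(application, AuthorizationRoleEnum.ADMIN.toString());
        roles.add(userRole);
        roles.add(adminRole);
        application.setRoles(roles);

        // Constructed demo accounts; a real deployment would not use in-memory credentials.
        MemoryRealm realm = new MemoryRealm();
        User user = new User("user", "user");
        User admin = new User("admin", "admin");
        realm.getUsers().add(user);
        realm.getUsers().add(admin);
        realm.map(user, userRole);
        realm.map(admin, adminRole);

        // HTTP Basic guard: verifier checks credentials, enroler attaches the mapped roles.
        ChallengeAuthenticator guard = new ChallengeAuthenticator(
                component.getContext().createChildContext(),
                ChallengeScheme.HTTP_BASIC, "REST API Realm");
        guard.setVerifier(realm.getVerifier());
        guard.setEnroler(realm.getEnroler());
        guard.setNext(application);

        component.getDefaultHost().attach(guard);
        component.start();
    }
}
```

With this wiring an unauthenticated request gets a 401 challenge from the guard, the "user" account authenticates but gets 403 from requireRole, and only "admin" reaches the resource body. The check in the resource does not skip when getAuthenticationScheme() is null, so a misconfigured or bypassed guard still ends in a 403 rather than in the resource being served.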