2010-11-08 41 views
9

I'm looking for how to secure my REST root resource. How do I do REST authentication with JAX-RS?

import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;

@Path("/employee")
public class EmployeeResource {

    @GET
    @Produces("text/html")
    public String get(
            @QueryParam("name") String empname,
            @QueryParam("sn") String sn) {

        // Return a data back.
        return ""; // placeholder so the stub compiles; the question omits the real body
    }
}

Some pointers: I read this article about basic authentication and OAuth; I understand the concept, but I'm looking for how to implement it in code.

Thanks

Answers

6

Declare the interceptor:

<bean id="securityInterceptor" class="AuthenticatorInterceptor">
    <property name="users">
        <map>
            <entry key="someuser" value="somepassword"/>
        </map>
    </property>
</bean>

Then use it:

<jaxrs:server address="/">
    <jaxrs:inInterceptors>
        <ref bean="securityInterceptor"/>
    </jaxrs:inInterceptors>
    (etc)

Then your AuthenticationInterceptor, along the lines of:

import java.util.Map;

import org.apache.cxf.configuration.security.AuthorizationPolicy;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;

import org.springframework.beans.factory.annotation.Required;

public class AuthenticatorInterceptor extends AbstractPhaseInterceptor<Message> {

    // user name -> password, injected from the Spring bean definition above
    private Map<String, String> users;

    @Required
    public void setUsers(Map<String, String> users) {
        this.users = users;
    }

    public AuthenticatorInterceptor() {
        super(Phase.RECEIVE);
    }

    public void handleMessage(Message message) {
        // CXF fills in AuthorizationPolicy from the HTTP Basic Authorization header
        AuthorizationPolicy policy = message.get(AuthorizationPolicy.class);

        if (policy == null) {
            System.out.println("User attempted to log in with no credentials");
            throw new RuntimeException("Denied");
        }

        String expectedPassword = users.get(policy.getUserName());
        if (expectedPassword == null || !expectedPassword.equals(policy.getPassword())) {
            throw new RuntimeException("Denied");
        }
    }
}

Defining the acceptable credentials in a more convenient way is left as an exercise for the reader.

+0

Hey thanks, I'll give this a try :) – BinCode 2011-01-08 11:49:32
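A JAX-RS 2.0 ContainerRequestFilter version of the Basic-auth check in the answer above, added here as an example (not code from the answer, from CXF, or from the question's project): it answers a missing or wrong credential with a 401 plus a WWW-Authenticate challenge instead of a RuntimeException (which surfaces as a 500), stores password digests rather than plaintext, and compares them in constant time. It assumes the JAX-RS 2.0 filter API (newer than the 2010-era CXF interceptor the answer targets), Java 8 for java.util.Base64, that the filter is registered as an instance with a pre-built user map, and the realm name "site" and class name are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.Map;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

@Provider
public class BasicAuthFilter implements ContainerRequestFilter {
    private static final String REALM = "site"; // assumed to match the realm-name in web.xml
    private final Map<String, byte[]> users;    // user name -> SHA-256 of the password (use a salted, slow hash in production)
    public BasicAuthFilter(Map<String, byte[]> users) { this.users = users; }

    @Override
    public void filter(ContainerRequestContext ctx) {
        if (!authenticated(ctx.getHeaderString(HttpHeaders.AUTHORIZATION))) {
            // 401 with a WWW-Authenticate challenge; a RuntimeException would surface as a 500
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                    .header(HttpHeaders.WWW_AUTHENTICATE, "Basic realm=\"" + REALM + "\"").build());
        }
    }

    // Parses "Basic " + base64("user:password"); any malformed header counts as unauthenticated.
    boolean authenticated(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return false;
        String credentials;
        try {
            credentials = new String(Base64.getDecoder().decode(header.substring(6).trim()), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException malformedBase64) {
            return false;
        }
        int colon = credentials.indexOf(':');
        return colon >= 0 && verify(credentials.substring(0, colon), credentials.substring(colon + 1));
    }

    // Constant-time digest comparison; an unknown user is compared against the presented digest and
    // rejected by the non-short-circuit '&', so response time does not reveal whether the name exists.
    boolean verify(String user, String password) {
        byte[] expected = users.get(user);
        byte[] presented = sha256(password);
        return expected != null & MessageDigest.isEqual(presented, expected != null ? expected : presented);
    }

    static byte[] sha256(String s) {
        try { return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8)); }
        catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); } // SHA-256 is mandatory in every JRE
    }
}
```

Because the filter takes the user map in its constructor, register it as an instance (for example via the Application's getSingletons()) rather than relying on classpath scanning, which needs a no-arg constructor.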

2

The way I know of is to add to your web application's web.xml. At the very least, I think you need to add:

<!-- Specifies what and how to protect *part* of a webapp --> 
<security-constraint> 

    <!-- WHAT TO PROTECT --> 
    <web-resource-collection> 
     <web-resource-name>employee-related-urls</web-resource-name> 
     <!-- You might need to list other patterns too with more of these --> 
     <url-pattern>/employee/*</url-pattern> 
    </web-resource-collection> 

    <!-- WHO IS ALLOWED IN --> 
    <auth-constraint> 
     <!-- I assume something sensible here! --> 
     <role-name>employee</role-name> 
    </auth-constraint> 

    <!-- HOW TO PROTECT THE REQUESTS AND RESPONSES --> 
    <user-data-constraint> 
     <!-- Force HTTPS (or equivalent, in a formal sense) --> 
     <transport-guarantee>CONFIDENTIAL</transport-guarantee> 
    </user-data-constraint> 
</security-constraint> 

<!-- HOW TO WORK OUT WHO IS ASKING --> 
<login-config> 
    <!-- This is how to specify BASIC HTTP auth; look up docs for OAuth yourself --> 
    <auth-method>BASIC</auth-method> 
    <!-- Omit the next element to use the container's default --> 
    <realm-name>site</realm-name> 
</login-config> 
+0

Thanks Donal, I'll look into it and then come back. – BinCode 2010-11-09 10:25:19