默认情况下,我所有的 REST API 端点都是安全的,我怎样才能解除它们的安全?(Jersey)
all of my rest api endpoints are secured by default, how can i unsecure them ?(jersey)
我已经使用 Jersey REST API 有一段时间了,最近遇到了一件奇怪的事情。突然间,我所有的端点都被保护起来了。我使用了 @Secured 注释;但即使我把它从端点上删除,访问该资源仍然需要授权。我已尝试通过 Postman、IntelliJ REST 客户端和 Chrome 浏览器访问。
这是一个资源示例
package com.leaders.bo;
import javax.ws.rs.*;
import javax.ws.rs.core.MediaType;
/**
 * Sample JAX-RS resource rooted at {@code /majd}. Every HTTP verb it handles
 * replies with the same fixed {@code text/plain} body. The class carries no
 * security annotation of its own; whether a request reaches it depends on the
 * filters registered in the application.
 */
@Path("/majd")
public class majdResource {

    /** Body returned by every handler below. */
    private static final String REPLY = "Got it!";

    /**
     * Handles HTTP GET.
     *
     * @return the fixed reply, sent as {@code text/plain}
     */
    @GET
    @Produces(MediaType.TEXT_PLAIN)
    public String getIt() {
        return REPLY;
    }

    /**
     * Handles HTTP PUT.
     *
     * @return the fixed reply, sent as {@code text/plain}
     */
    @PUT
    @Produces(MediaType.TEXT_PLAIN)
    public String getIt2() {
        return REPLY;
    }

    /**
     * Handles HTTP DELETE.
     *
     * @return the fixed reply, sent as {@code text/plain}
     */
    @DELETE
    @Produces(MediaType.TEXT_PLAIN)
    public String getIt3() {
        return REPLY;
    }

    /**
     * Handles HTTP POST.
     *
     * @return the fixed reply, sent as {@code text/plain}
     */
    @POST
    @Produces(MediaType.TEXT_PLAIN)
    public String getIt4() {
        return REPLY;
    }
}
这是该注释的名称绑定 (NameBinding) 声明
package com.leaders.bo.Resources;
import javax.ws.rs.NameBinding;
import java.lang.annotation.Retention;
import java.lang.annotation.Target;
import static java.lang.annotation.ElementType.METHOD;
import static java.lang.annotation.ElementType.TYPE;
import static java.lang.annotation.RetentionPolicy.RUNTIME;
/**
 * Created by Majd on 8/1/2017.
 *
 * <p>Name-binding annotation used to mark resource classes or methods that
 * require authentication. Name binding only ties a filter to the annotated
 * resources when the filter class carries this same annotation; a
 * {@code @Provider} filter without it is global and runs for every endpoint.
 */
@Target({METHOD, TYPE})
@Retention(RUNTIME)
@NameBinding
public @interface Secured {
}
这是我的 AuthenticationFilter
package com.leaders.bo.Resources;
import com.leaders.bo.dao.TokensDao;
import com.leaders.bo.dao.posDao;
import io.jsonwebtoken.Jwts;
import javax.annotation.Priority;
import javax.ws.rs.NameBinding;
import javax.ws.rs.NotAuthorizedException;
import javax.ws.rs.Priorities;
import javax.ws.rs.client.ClientRequestContext;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;
import java.io.IOException;
import java.lang.annotation.Retention;
import java.lang.annotation.Target;
import java.security.Principal;
import java.security.SignatureException;
import static java.lang.annotation.ElementType.METHOD;
import static java.lang.annotation.ElementType.TYPE;
import static java.lang.annotation.RetentionPolicy.RUNTIME;
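/**
 * Created by Majd on 8/1/2017.
 *
 * <p>Request filter that requires a token in the HTTP {@code Authorization}
 * header and checks it through {@code posDao.validateToken} before the
 * resource method runs. On success it installs a {@link SecurityContext}
 * whose principal name is the raw token.
 *
 * <p>This class is registered with {@code @Provider} but does not carry the
 * {@code @Secured} name-binding annotation, so the JAX-RS runtime treats it as
 * a global filter and runs it for every endpoint, annotated or not. To limit it
 * to {@code @Secured} resources, annotate this class with {@code @Secured} as
 * well: name binding only pairs a filter with resources when both sides carry
 * the same annotation.
 */
@Provider
@Priority(Priorities.AUTHENTICATION)
public class AuthenticationFilter implements ContainerRequestFilter {

    /**
     * Authenticates the request from its {@code Authorization} header.
     *
     * <p>The header is expected to hold the bare token with no {@code "Bearer "}
     * scheme prefix; the only format check is the leading {@code "ey"}
     * (presumably the start of a base64url-encoded JWT header).
     *
     * @param requestContext the incoming request; aborted with 401 when the
     *        token fails validation
     * @throws NotAuthorizedException when the header is absent or malformed
     * @throws IOException declared by {@link ContainerRequestFilter}; not thrown here
     */
    @Override
    public void filter(ContainerRequestContext requestContext) throws IOException {
        String authorizationHeader = requestContext.getHeaderString(HttpHeaders.AUTHORIZATION);
        if (authorizationHeader == null || !authorizationHeader.startsWith("ey")) {
            // The String passed here is used as the WWW-Authenticate challenge
            // value of the 401 response, not as a human-readable message.
            throw new NotAuthorizedException("Authorization header must be provided");
        }
        // The original substring("".length()) was substring(0), i.e. a no-op;
        // the header value is the token itself.
        final String token = authorizationHeader.trim();
        try {
            validateToken(token, TokensDao.getCompanyNameFromToken(token));
        } catch (Exception e) {
            // Reject and stop. Without the return, the filter went on to install
            // a SecurityContext for a token that had just failed validation.
            requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
            return;
        }
        final SecurityContext currentSecurityContext = requestContext.getSecurityContext();
        // NOTE(review): the principal name is the raw token, so anything that logs
        // getUserPrincipal().getName() writes the credential to the log.
        final Principal principal = new Principal() {
            @Override
            public String getName() {
                return token;
            }
        };
        requestContext.setSecurityContext(new SecurityContext() {
            @Override
            public Principal getUserPrincipal() {
                return principal;
            }

            // NOTE(review): every role check passes, so @RolesAllowed adds no
            // restriction beyond "presented a token that validated".
            @Override
            public boolean isUserInRole(String role) {
                return true;
            }

            @Override
            public boolean isSecure() {
                return currentSecurityContext.isSecure();
            }

            // Returns the company name the token belongs to rather than an
            // authentication scheme name; code expecting one of the standard
            // SecurityContext scheme constants will not get it here.
            @Override
            public String getAuthenticationScheme() {
                return TokensDao.getCompanyNameFromToken(token);
            }
        });
    }

    /**
     * Checks that the token was issued by the server for {@code companyName}
     * and has not expired, as judged by {@code posDao.validateToken}.
     *
     * @param token the bearer token taken from the request
     * @param companyName the company the token is expected to belong to
     * @throws SignatureException when the token is rejected
     */
    private void validateToken(String token, String companyName) throws Exception {
        if (!posDao.validateToken(token, companyName)) {
            throw new SignatureException("token rejected for company " + companyName);
        }
    }
}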
但出于某种原因,即使我不使用 @Secured 注释,我创建的每个新端点仍然是受保护的端点。我已经使缓存失效并重启、重新构建应用程序并删除了 target 输出目录,但仍然没有帮助。
有人知道该怎么解决吗?
非常感谢
您还需要在过滤器类上加上 @Secured 注释。名称绑定 (Name Binding) 就是这样工作的:您把资源方法绑定到过滤器。如果过滤器类上没有这个注释,过滤器就会对所有端点运行。这很可能就是之前发生的事情,只不过你以为是注释在起作用(你可能在所有端点上都加了注释)。
我已经使用 Jersey REST API 有一段时间了,最近遇到了一件奇怪的事情。突然间,我所有的端点都被保护起来了。我使用了 @Secured 注释;但即使我把它从端点上删除,访问该资源仍然需要授权。我已尝试通过 Postman、IntelliJ REST 客户端和 Chrome 浏览器访问。 这是一个资源示例
package com.leaders.bo;
import javax.ws.rs.*;
import javax.ws.rs.core.MediaType;
/**
 * Sample JAX-RS resource rooted at {@code /majd}. Every HTTP verb it handles
 * replies with the same fixed {@code text/plain} body. The class carries no
 * security annotation of its own; whether a request reaches it depends on the
 * filters registered in the application.
 */
@Path("/majd")
public class majdResource {

    /** Body returned by every handler below. */
    private static final String REPLY = "Got it!";

    /**
     * Handles HTTP GET.
     *
     * @return the fixed reply, sent as {@code text/plain}
     */
    @GET
    @Produces(MediaType.TEXT_PLAIN)
    public String getIt() {
        return REPLY;
    }

    /**
     * Handles HTTP PUT.
     *
     * @return the fixed reply, sent as {@code text/plain}
     */
    @PUT
    @Produces(MediaType.TEXT_PLAIN)
    public String getIt2() {
        return REPLY;
    }

    /**
     * Handles HTTP DELETE.
     *
     * @return the fixed reply, sent as {@code text/plain}
     */
    @DELETE
    @Produces(MediaType.TEXT_PLAIN)
    public String getIt3() {
        return REPLY;
    }

    /**
     * Handles HTTP POST.
     *
     * @return the fixed reply, sent as {@code text/plain}
     */
    @POST
    @Produces(MediaType.TEXT_PLAIN)
    public String getIt4() {
        return REPLY;
    }
}
这是该注释的名称绑定 (NameBinding) 声明 package com.leaders.bo.Resources;
import javax.ws.rs.NameBinding;
import java.lang.annotation.Retention;
import java.lang.annotation.Target;
import static java.lang.annotation.ElementType.METHOD;
import static java.lang.annotation.ElementType.TYPE;
import static java.lang.annotation.RetentionPolicy.RUNTIME;
/**
 * Created by Majd on 8/1/2017.
 *
 * <p>Name-binding annotation used to mark resource classes or methods that
 * require authentication. Name binding only ties a filter to the annotated
 * resources when the filter class carries this same annotation; a
 * {@code @Provider} filter without it is global and runs for every endpoint.
 */
@Target({METHOD, TYPE})
@Retention(RUNTIME)
@NameBinding
public @interface Secured {
}
这是我的 AuthenticationFilter package com.leaders.bo.Resources;
import com.leaders.bo.dao.TokensDao;
import com.leaders.bo.dao.posDao;
import io.jsonwebtoken.Jwts;
import javax.annotation.Priority;
import javax.ws.rs.NameBinding;
import javax.ws.rs.NotAuthorizedException;
import javax.ws.rs.Priorities;
import javax.ws.rs.client.ClientRequestContext;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;
import java.io.IOException;
import java.lang.annotation.Retention;
import java.lang.annotation.Target;
import java.security.Principal;
import java.security.SignatureException;
import static java.lang.annotation.ElementType.METHOD;
import static java.lang.annotation.ElementType.TYPE;
import static java.lang.annotation.RetentionPolicy.RUNTIME;
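/**
 * Created by Majd on 8/1/2017.
 *
 * <p>Request filter that requires a token in the HTTP {@code Authorization}
 * header and checks it through {@code posDao.validateToken} before the
 * resource method runs. On success it installs a {@link SecurityContext}
 * whose principal name is the raw token.
 *
 * <p>This class is registered with {@code @Provider} but does not carry the
 * {@code @Secured} name-binding annotation, so the JAX-RS runtime treats it as
 * a global filter and runs it for every endpoint, annotated or not. To limit it
 * to {@code @Secured} resources, annotate this class with {@code @Secured} as
 * well: name binding only pairs a filter with resources when both sides carry
 * the same annotation.
 */
@Provider
@Priority(Priorities.AUTHENTICATION)
public class AuthenticationFilter implements ContainerRequestFilter {

    /**
     * Authenticates the request from its {@code Authorization} header.
     *
     * <p>The header is expected to hold the bare token with no {@code "Bearer "}
     * scheme prefix; the only format check is the leading {@code "ey"}
     * (presumably the start of a base64url-encoded JWT header).
     *
     * @param requestContext the incoming request; aborted with 401 when the
     *        token fails validation
     * @throws NotAuthorizedException when the header is absent or malformed
     * @throws IOException declared by {@link ContainerRequestFilter}; not thrown here
     */
    @Override
    public void filter(ContainerRequestContext requestContext) throws IOException {
        String authorizationHeader = requestContext.getHeaderString(HttpHeaders.AUTHORIZATION);
        if (authorizationHeader == null || !authorizationHeader.startsWith("ey")) {
            // The String passed here is used as the WWW-Authenticate challenge
            // value of the 401 response, not as a human-readable message.
            throw new NotAuthorizedException("Authorization header must be provided");
        }
        // The original substring("".length()) was substring(0), i.e. a no-op;
        // the header value is the token itself.
        final String token = authorizationHeader.trim();
        try {
            validateToken(token, TokensDao.getCompanyNameFromToken(token));
        } catch (Exception e) {
            // Reject and stop. Without the return, the filter went on to install
            // a SecurityContext for a token that had just failed validation.
            requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
            return;
        }
        final SecurityContext currentSecurityContext = requestContext.getSecurityContext();
        // NOTE(review): the principal name is the raw token, so anything that logs
        // getUserPrincipal().getName() writes the credential to the log.
        final Principal principal = new Principal() {
            @Override
            public String getName() {
                return token;
            }
        };
        requestContext.setSecurityContext(new SecurityContext() {
            @Override
            public Principal getUserPrincipal() {
                return principal;
            }

            // NOTE(review): every role check passes, so @RolesAllowed adds no
            // restriction beyond "presented a token that validated".
            @Override
            public boolean isUserInRole(String role) {
                return true;
            }

            @Override
            public boolean isSecure() {
                return currentSecurityContext.isSecure();
            }

            // Returns the company name the token belongs to rather than an
            // authentication scheme name; code expecting one of the standard
            // SecurityContext scheme constants will not get it here.
            @Override
            public String getAuthenticationScheme() {
                return TokensDao.getCompanyNameFromToken(token);
            }
        });
    }

    /**
     * Checks that the token was issued by the server for {@code companyName}
     * and has not expired, as judged by {@code posDao.validateToken}.
     *
     * @param token the bearer token taken from the request
     * @param companyName the company the token is expected to belong to
     * @throws SignatureException when the token is rejected
     */
    private void validateToken(String token, String companyName) throws Exception {
        if (!posDao.validateToken(token, companyName)) {
            throw new SignatureException("token rejected for company " + companyName);
        }
    }
}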
但出于某种原因,即使我不使用 @Secured 注释,我创建的每个新端点仍然是受保护的端点。我已经使缓存失效并重启、重新构建应用程序并删除了 target 输出目录,但仍然没有帮助。 有人知道该怎么解决吗? 非常感谢
您还需要在过滤器类上加上 @Secured 注释。名称绑定 (Name Binding) 就是这样工作的:您把资源方法绑定到过滤器。如果过滤器类上没有这个注释,过滤器就会对所有端点运行。这很可能就是之前发生的事情,只不过你以为是注释在起作用(你可能在所有端点上都加了注释)。