java 中 Restful 个端点上的基于角色的身份验证
Role Based Authentication on Restful endpoints in java
我正在尝试实施某种基于角色的身份验证。我正在使用 JWT 令牌。我一直在看指南,但他们都提到了 "Spring boot" 的使用。如何在 Java 中的 restful 端点上设置基于角色的身份验证?最好通过某种过滤器。
我正在寻找一种方法来简单地添加:@Role(Role.ADMIN) 在端点之前。
我已经设置了以下 classes:
枚举角色:
public enum Role {
User,
Admin
}
简单的 JWT 令牌:
{
"sub": "users/TzMUocMF4p",
"exp": 1554646441,
"username": "username@gmail.com",
"ID": 6,
"Role": "Admin",
"iat": 1554641041
}
简单的 CRUD 端点
@Path("User")
public class UserResource {
@EJB
private UserDAO userappDAO;
@GET
@JWTTokenNeeded
@Produces("application/json")
public List<Userapp> all() {
return userappDAO.getAll();
}
}
JWT 验证 (@JWTTokenNeeded) class 下面:
@javax.ws.rs.NameBinding
@Retention(RUNTIME)
@Target({TYPE, METHOD})
public @interface JWTTokenNeeded {
}
实际过滤器:
@Provider
@JWTTokenNeeded
@Priority(Priorities.AUTHENTICATION)
public class JWTTokenNeededFilter implements ContainerRequestFilter {
@Override
public void filter(ContainerRequestContext requestContext) throws IOException {
// Get the HTTP Authorization header from the request
String authorizationHeader = requestContext.getHeaderString(HttpHeaders.AUTHORIZATION);
try {
// Extract the token from the HTTP Authorization header
String token = authorizationHeader.substring("Bearer".length()).trim();
// Validate the token
Jwts.parser().setSigningKey("MYSECRET".getBytes("UTF-8")).parseClaimsJws(token);
}
catch (Exception e) {
requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
}
}
}
如果用户未被授权我想退出:
requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
如果用户获得授权,则端点必须执行此操作。
我找到了可行的解决方案。它包括向 @JWTTokenNeeded 界面和 JWTTokenNeededFilter class.
添加几行
我得到了以下代码:
JWTTokenNeededFilter:
@Provider
@JWTTokenNeeded
@Priority(Priorities.AUTHENTICATION)
public class JWTTokenNeededFilter implements ContainerRequestFilter {
@Context
private ResourceInfo resourceInfo;
@Override
public void filter(ContainerRequestContext requestContext) throws IOException {
// Get the HTTP Authorization header from the request
String authorizationHeader = requestContext.getHeaderString(HttpHeaders.AUTHORIZATION);
try {
// Extract the token from the HTTP Authorization header
String token = authorizationHeader.substring("Bearer".length()).trim();
// Validate the token
Claims claims = Jwts.parser().setSigningKey("MYSECRET".getBytes("UTF-8")).parseClaimsJws(token).getBody();
Method method =resourceInfo.getResourceMethod();
if( method != null){
// Get allowed permission on method
JWTTokenNeeded JWTContext = method.getAnnotation(JWTTokenNeeded.class);
Role permission = JWTContext.Permissions();
if(permission != Role.NoRights ) {
// Get Role from jwt
String roles = claims.get("Role", String.class);
Role roleUser = Role.valueOf(roles);
// if role allowed != role jwt -> UNAUTHORIZED
if (!permission.equals(roleUser)) {
throw new Exception("no roles");
}
}
}
}
catch (Exception e) {
e.printStackTrace();
requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
}
}
}
@JWTToken需要接口:
@javax.ws.rs.NameBinding
@Retention(RUNTIME)
@Target({TYPE, METHOD})
public @interface JWTTokenNeeded {
Role Permissions() default Role.NoRights;
}
允许角色访问端点就像添加 @JWTTokenNeeded(Permissions = Role.Admin)
一样简单
这是一个例子:
@Path("User")
public class UserResource {
@EJB
private UserappDAO userDAO;
@GET
@JWTTokenNeeded(Permissions = Role.Admin)
@Produces("application/json")
public List<Userapp> all() {
return userDAO.getAll();
}
}
我正在尝试实施某种基于角色的身份验证。我正在使用 JWT 令牌。我一直在看指南,但他们都提到了 "Spring boot" 的使用。如何在 Java 中的 restful 端点上设置基于角色的身份验证?最好通过某种过滤器。
我正在寻找一种方法来简单地添加:@Role(Role.ADMIN) 在端点之前。
我已经设置了以下 classes:
枚举角色:
public enum Role { User, Admin }简单的 JWT 令牌:
{ "sub": "users/TzMUocMF4p", "exp": 1554646441, "username": "username@gmail.com", "ID": 6, "Role": "Admin", "iat": 1554641041 }简单的 CRUD 端点
@Path("User") public class UserResource { @EJB private UserDAO userappDAO; @GET @JWTTokenNeeded @Produces("application/json") public List<Userapp> all() { return userappDAO.getAll(); } }JWT 验证 (
@JWTTokenNeeded) class 下面:@javax.ws.rs.NameBinding @Retention(RUNTIME) @Target({TYPE, METHOD}) public @interface JWTTokenNeeded { }实际过滤器:
@Provider @JWTTokenNeeded @Priority(Priorities.AUTHENTICATION) public class JWTTokenNeededFilter implements ContainerRequestFilter { @Override public void filter(ContainerRequestContext requestContext) throws IOException { // Get the HTTP Authorization header from the request String authorizationHeader = requestContext.getHeaderString(HttpHeaders.AUTHORIZATION); try { // Extract the token from the HTTP Authorization header String token = authorizationHeader.substring("Bearer".length()).trim(); // Validate the token Jwts.parser().setSigningKey("MYSECRET".getBytes("UTF-8")).parseClaimsJws(token); } catch (Exception e) { requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build()); } } }
如果用户未被授权我想退出:
requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
如果用户获得授权,则端点必须执行此操作。
我找到了可行的解决方案。它包括向 @JWTTokenNeeded 界面和 JWTTokenNeededFilter class.
我得到了以下代码:
JWTTokenNeededFilter:
@Provider
@JWTTokenNeeded
@Priority(Priorities.AUTHENTICATION)
public class JWTTokenNeededFilter implements ContainerRequestFilter {
@Context
private ResourceInfo resourceInfo;
@Override
public void filter(ContainerRequestContext requestContext) throws IOException {
// Get the HTTP Authorization header from the request
String authorizationHeader = requestContext.getHeaderString(HttpHeaders.AUTHORIZATION);
try {
// Extract the token from the HTTP Authorization header
String token = authorizationHeader.substring("Bearer".length()).trim();
// Validate the token
Claims claims = Jwts.parser().setSigningKey("MYSECRET".getBytes("UTF-8")).parseClaimsJws(token).getBody();
Method method =resourceInfo.getResourceMethod();
if( method != null){
// Get allowed permission on method
JWTTokenNeeded JWTContext = method.getAnnotation(JWTTokenNeeded.class);
Role permission = JWTContext.Permissions();
if(permission != Role.NoRights ) {
// Get Role from jwt
String roles = claims.get("Role", String.class);
Role roleUser = Role.valueOf(roles);
// if role allowed != role jwt -> UNAUTHORIZED
if (!permission.equals(roleUser)) {
throw new Exception("no roles");
}
}
}
}
catch (Exception e) {
e.printStackTrace();
requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
}
}
}
@JWTToken需要接口:
@javax.ws.rs.NameBinding
@Retention(RUNTIME)
@Target({TYPE, METHOD})
public @interface JWTTokenNeeded {
Role Permissions() default Role.NoRights;
}
允许角色访问端点就像添加 @JWTTokenNeeded(Permissions = Role.Admin)
这是一个例子:
@Path("User")
public class UserResource {
@EJB
private UserappDAO userDAO;
@GET
@JWTTokenNeeded(Permissions = Role.Admin)
@Produces("application/json")
public List<Userapp> all() {
return userDAO.getAll();
}
}