Java EE – securitycontext is not applicable to @ rolesallowed

Java

I am currently using Jersey 2.5 in Tomcat 7 1 create a backend server For security, I use @ rolesallowed, @ permitall and other annotations. I create a custom containerrequestfilter and securitycontext

My problem is that when my @ rolesallowed annotated resource is requested, it always denies permission, even if I force my isuserinrole (role) method to return true However, my filter method is called Do you have any suggestions? I'll paste some related codes below

My containerrequestfilter implementation:

public class AuthorizationFilter implements ContainerRequestFilter
{
    @Override
    public void filter(ContainerRequestContext request) throws IOException
    {
        request.setSecurityContext(new Authorizer());
    }
}

My securitycontext implementation:

public class Authorizer implements SecurityContext
{

    @Override
    public String getAuthenticationScheme() {
        return null;
    }

    @Override
    public Principal getUserPrincipal() {
        return null;
    }

    @Override
    public boolean isSecure() {
        return false;
    }

    @Override
    public boolean isUserInRole(String role) {
        return true;
    }

}

My resources:

@Path("/secure")
public class TestSecureResource {

    @GET
    @PermitAll
    @Path("/nonsec_test/{text}")
    public Response nonSecureTest(
            @PathParam("text") String text){

        return Response.status(200).entity(text).build();
    }

    @GET
    @RolesAllowed("admin")
    @Path("/sec_test/{text}")
    public Response secureTest(
            @PathParam("text") String text){

        return Response.status(200).entity(text).build();
    }
}

My resource allocation:

@ApplicationPath("/")
public class MyApplication extends ResourceConfig {

    public MyApplication() {
        super(TestSecureResource.class);
        register(RolesAllowedDynamicFeature.class);
        register(AuthorizationFilter.class);
    }
}

My web Relevant parts of XML:

<servlet-name>Jersey Web Application</servlet-name>
        <servlet-class>org.glassfish.jersey.servlet.ServletContainer</servlet-class>

        <init-param>
            <param-name>jersey.config.server.provider.packages</param-name>
            <param-value>pkg.backend</param-value>
        </init-param>

        <init-param>
            <param-name>javax.ws.rs.Application</param-name>
            <param-value>pkg.backend.MyApplication</param-value>
        </init-param>

        <load-on-startup>1</load-on-startup>
    </servlet>

In this particular case, I always deny access to securetest Clarify things; I received HTTP status code 403 - forbidden

Thank you in advance

Solution

Ensure that your authorizationfilter is registered in myapplication (see registering resources and providers in Jersey 2) or annotated with @ provider (so that it can be found by package scanning)

In order to use the security annotation package (javax. Annotation. Security) to restrict access to resources, you need to register rolesalloweddynamicfeature

Edit 1

Your AuthorizationFilter must also use @PreMatching to annotate, which means that the filter is called before the matching phase (URI – > resources). Otherwise, the filter registered by rolesalloweddynamicfeature (called at this stage) will not see the custom securitycontext

Edit 2

Jersey user's Guide – authorization – securing resources

The content of this article comes from the network collection of netizens. It is used as a learning reference. The copyright belongs to the original author.
THE END
分享
二维码
< <上一篇
下一篇>>