java - 如何使用Java中的Jersey安全注释绕过servlet过滤器中的路径

2022-01-21 00:00:00 rest java jersey

我已经使用 Jersey 实现了 REST 服务.为了提供更高的安全性,我在 REST 方法(@PermitAll@DenyAll)中添加了球衣安全注释.

I have implemented REST service using Jersey. To give more security, I have added jersey security annotation into REST method(@PermitAll, @DenyAll).

以下是我的示例 REST 服务:

Below is my sample REST service:

@GET
@Path("/getall")
@Produces(MediaType.APPLICATION_JSON)
@PermitAll
public String getChartSupportedData(@QueryParam("items") int result) {
    // my code goes here
}

但问题是之前我使用 javax.servlet.Filter 过滤器来验证 URI.

But the problem is that previously I have used javax.servlet.Filter filter to validate URI.

web.xml:

<filter>
    <filter-name>ApplicationFilter</filter-name>
    <filter-class>web.filter.ApplicationFilter</filter-class>
</filter>
<filter-mapping>
       <filter-name>ApplicationFilter</filter-name>
       <url-pattern>/rest/api/*</url-pattern>
       <dispatcher>REQUEST</dispatcher>
       <dispatcher>ASYNC</dispatcher>           
</filter-mapping>

根据访问一些 REST 服务,HttpServletRequest 应该包含一个有效的令牌(由应用程序生成).

According to access some REST services, HttpServletRequest should contain a valid token (generated by the application).

某些 REST 端点不需要令牌即可访问服务.在这种情况下,我必须在过滤器实现中绕过它:

Some REST end points doesn't require a token to access the service. In that case, I have to bypass that in filter implementation:

private static String[] bypassPaths = { "/data/getall" };

所以我的要求是这样的.

So my requirement is something like that.

如果我们将某个 REST 端点声明为 @PermitAll,则该路径不应在过滤器中声明为绕过路径,这样任何人都可以在没有有效令牌的情况下访问它.

If we declared some REST end point as @PermitAll that path should not have declare in filter as bypass path so that anyone can access it without valid token.

但问题是过滤器总是在请求进入服务器时进行过滤,如果它不在旁路数组中,即使我声明为 @PermitAll,请求也不会继续.

But the problem is that filter is always filtering when the request comes into server and, if it's not in the bypass array the request doesn't continue even I declared as @PermitAll.

我想知道是否可以在同一个 Web 应用程序中结合这两个安全选项.

I would like to know if can I combine those two security options in same web application.

推荐答案

由于您正在执行身份验证和/或授权,我建议使用名称绑定过滤器而不是 servlet 过滤器,这样您就可以轻松地将它们绑定到您需要的资源.

Since you are performing authentication and/or authorization, instead of servlet filters I would recommend using name binding filters, so you can easily bind them to the resources you need.

为了将过滤器绑定到您的 REST 端点,JAX-RS 提供了元注释 @NameBinding 可以如下使用:

To bind filters to your REST endpoints, JAX-RS provides the meta-annotation @NameBinding and can be used as following:

@NameBinding
@Retention(RUNTIME)
@Target({TYPE, METHOD})
public @interface Secured { }

@Secured 注解将用于装饰一个过滤器类,它实现了 ContainerRequestFilter,允许你处理请求.

The @Secured annotation will be used to decorate a filter class, which implements ContainerRequestFilter, allowing you to handle the request.

ContainerRequestContext 帮助您从 HTTP 请求中提取信息(有关详细信息,请查看 ContainerRequestContext API):

@Secured
@Provider
@Priority(Priorities.AUTHENTICATION)
public class SecurityFilter implements ContainerRequestFilter {

    @Override
    public void filter(ContainerRequestContext requestContext) throws IOException {
        // Use the ContainerRequestContext to extract information from the HTTP request
        // Information such as the URI, headers and HTTP entity are available
    }
}

ContainerRequestFilter#filter() 方法是中止请求的好地方.为此,您可以使用 ContainerRequestContext#abortWith() 或抛出异常.

The ContainerRequestFilter#filter() method is a good place to abort the request if the user is not authenticated/authorized. To do it, you can use ContainerRequestContext#abortWith() or throw an exception.

@Provider 注释标记了一个扩展接口的实现,在提供者扫描阶段应该可以被 JAX-RS 运行时发现.

The @Provider annotation marks an implementation of an extension interface that should be discoverable by JAX-RS runtime during a provider scanning phase.

要将过滤器绑定到您的端点方法或类,请使用上面创建的 @Secured 注释对其进行注释.对于被注释的方法和/或类,将执行过滤器.

To bind the filter to your endpoints methods or classes, annotate them with the @Secured annotation created above. For the methods and/or classes which are annotated, the filter will be executed.

@Path("/")
public class MyEndpoint {

    @GET
    @Path("{id}")
    @Produces("application/json")
    public Response myUnsecuredMethod(@PathParam("id") Long id) {
        // This method is not annotated with @Secured
        // The security filter won't be executed before invoking this method
        ...
    }

    @DELETE
    @Secured
    @Path("{id}")
    @Produces("application/json")
    public Response mySecuredMethod(@PathParam("id") Long id) {
        // This method is annotated with @Secured
        // The security filter will be executed before invoking this method
        ...
    }
}

在上面的示例中,安全过滤器将仅针对 mySecuredMethod(Long) 执行,因为它带有 @Secured 注释.

In the example above, the security filter will be executed only for mySecuredMethod(Long) because it's annotated with @Secured.

您可以为 REST 端点设置任意数量的过滤器.要确保过滤器的执行顺序,请使用 对其进行注释@优先级.

You can have as many filters as you need for your REST endpoints. To ensure the execution order of the filters, annotate them with @Priority.

强烈建议使用 Priorities 类(将使用以下顺序):

It's highly recommended to use one of the values defined in the Priorities class (the following order will be used):

  • AUTHENTICATION
  • 授权
  • ENTITY_CODER
  • HEADER_DECORATOR
  • USER

如果您的过滤器未使用 @Priority 注释,过滤器将使用 USER 优先级.

If your filter is not annotated with @Priority, the filter will be executed with the USER priority.

您可以将此方法与 Jersey 安全机制结合使用.

You can combine this approach with Jersey security mechanism.

此外,您可以注入 中的 ResourceInfoContainerRequestFilter:

Additionally, you can inject ResourceInfo in your ContainerRequestFilter:

    @Context
    private ResourceInfo resourceInfo;

可以用来获取方法与请求的URL匹配:

It can be used to get Method and Class which match with the requested URL:

    Class<?> resourceClass = resourceInfo.getResourceClass();
    Method resourceMethod = resourceInfo.getResourceMethod();

并从中提取注释:

    Annotation[] annotations = resourceClass.getDeclaredAnnotations();
    PermitAll annotation = resourceMethod.getAnnotation(PermitAll.class);

相关文章