Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
582 views
in Technique[技术] by (71.8m points)

rest - Authentication/authorization in JAX-RS using interceptors and injection

I am developing a new application in JavaEE 7 using WildFly 8. I am using JAX-RS to provide a RESTful service interface for remote applications.

Something like an HttpHeaders object can be injected in a resource method arguments using the @Context annotation. Since the object is based on request parameters (of course, the HTTP headers), I came up with the idea of creating my own injectable User object which is created based on the presence of a valid token in the request (something like an OAuth access token).

So, I want to achieve something like this:

@Path("/resources")
public class MyResource {

    @Path("/{id}")
    @GET
    public Response getById(@Context User user, @PathParam("id") long id) {
        ...
    }

}

Where User is an injectable object created based on request parameters, such as ones accessible through an HttpHeaders object. Of course, the provider can also throw an exception and return an HTTP error response if the User object cannot be created for any reason.

Now, my questions are:

  1. Is this a good design? If not, what better options do I have?
  2. How can I achieve this? I do not care if my solution is not JAX-RS specific and uses WildFly/RestEasy-specific internals, but I definitely prefer a portable solution if there exists one.

Thanks

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

In my eyes this approach is valid as long as you don't try to build something like a session with this User Object.

As answered here you could use @Context and @Provider but that's not exactly what you want. Directly injecting a Class per @Context is possible with the Resteasy Dispatcher. But here you must register the Object which should be injected. I don't think that makes sense for request-scoped parameters. What you could do is inject a provider like this:

// Constructor of your JAX-RS Application
public RestApplication(@Context Dispatcher dispatcher) {
    dispatcher.getDefaultContextObjects().put(UserProvider.class, new UserProvider());
}

// a resource
public Response getById(@Context UserProvider userProvider) {
    User user = userProvider.get();
}

Other ways to solve your problem:

  1. Register a WebFilter, authenticate the user, wrap the ServletRequest and override getUserPrincipal. You can then access the UserPrincipal from a injected HttpServletRequest.
  2. Implement a JAX-RS Interceptor which implements ContainerRequestFilter. Use ContainerRequestContext.html#setSecurityContext with a UserPrincipal and inject the SecurityContext as ResourceMethod-Parameter.
  3. Implement a CDI-Interceptor which updates your Method-Parameters.
  4. Implement a class which produces your user and inject it via CDI.

I pushed examples to github.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...