I'm trying to authenticate users with a JAX-RS filter, which seems to work so far. This is the filter where I'm setting a new SecurityContext:

import java.io.IOException;
import java.security.Principal;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.Response.Status;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;

@Provider
public class AuthenticationFilter implements ContainerRequestFilter {
    @Override
    public void filter(final ContainerRequestContext requestContext) throws IOException {
        // Keep the container's own SecurityContext: after setSecurityContext() has run,
        // requestContext.getSecurityContext() returns the new context, so delegating through
        // requestContext from inside the new context would call itself endlessly.
        final SecurityContext original = requestContext.getSecurityContext();
        requestContext.setSecurityContext(new SecurityContext() {
            @Override
            public Principal getUserPrincipal() {
                return new Principal() {
                    @Override
                    public String getName() {
                        return "Joe";
                    }
                };
            }
            @Override
            public boolean isUserInRole(String string) {
                return false; // no role lookup yet
            }
            @Override
            public boolean isSecure() {
                return original.isSecure();
            }
            @Override
            public String getAuthenticationScheme() {
                return original.getAuthenticationScheme();
            }
        });
        if (!isAuthenticated(requestContext)) {
            requestContext.abortWith(
                Response.status(Status.UNAUTHORIZED)
                    .header(HttpHeaders.WWW_AUTHENTICATE, "Basic realm=\"Example\"")
                    .entity("Login required.").build());
        }
    }
    private boolean isAuthenticated(final ContainerRequestContext requestContext) {
        return requestContext.getHeaderString("authorization") != null; // simplified
    }
}
The resource method looks like this:
@GET
// @RolesAllowed("user")
public Viewable get(@Context SecurityContext context) {
    System.out.println(context.getUserPrincipal().getName());
    System.out.println(context.isUserInRole("user"));
    return new Viewable("index");
}
The RolesAllowedDynamicFeature is registered like this:
.register(RolesAllowedDynamicFeature.class)
I can see the expected outputs on the console. But if I uncomment @RolesAllowed("user"), I get a Forbidden error and the isUserInRole method of my SecurityContext is never called. Following the API doc, RolesAllowedDynamicFeature should call this method.
How can I use RolesAllowedDynamicFeature?
I guess it is because of
Which states that the user does not have the required role @RolesAllowed("user") to even enter the execution of the annotated method.
You should implement a more sophisticated isUserInRole method that checks whether a user has a specific role or not :)
regards
You need to define a priority for your authentication filter, otherwise the RolesAllowedRequestFilter in RolesAllowedDynamicFeature will be executed before your AuthenticationFilter. If you look at the source code, the RolesAllowedRequestFilter has the annotation @Priority(Priorities.AUTHORIZATION), so if you assign @Priority(Priorities.AUTHENTICATION) to your authentication filter it will be executed before the RolesAllowedRequestFilter. Like this:

You might also need to actually register the AuthenticationFilter using register(AuthenticationFilter.class), depending on whether your server scans for annotations or not.