I am using JAX-RS using jersey implementation. I am trying to authenticate my service using BASIC authentication using Tomcat 6.
This is the code:
```java
// Imports the posted class needs; the RolesAllowed annotation comes from
// javax.annotation.security (JSR-250), not from Jersey itself.
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

@Path("/authenticate")
@RolesAllowed({"Admin", "Guest"})   // class-level default for every method in the resource
public class BasicAuthenticationSecurity {

    @GET
    @Path("/wbiPing")
    @Produces(MediaType.TEXT_PLAIN)
    @RolesAllowed("Admin")          // method-level annotation narrows access to Admin only
    public Response wbiPing() {
        System.out.println("Pinged!!!");
        return Response.ok("Pinged!!!").build();
    }
}
```
When I try to annotate my method using @RolesAllows, I am getting a compilation error:
@RolesAllows cannot be resolved to a type
Please let me know how to resolve this? Any specific jars/API required for this?
EDIT:
web.xml
```xml
<servlet>
    <servlet-name>jersey-serlvet</servlet-name>
    <servlet-class>com.sun.jersey.spi.container.servlet.ServletContainer</servlet-class>
    <init-param>
        <param-name>com.sun.jersey.config.property.packages</param-name>
        <param-value>
            com.security;
            com.exception
        </param-value>
    </init-param>
    <init-param>
        <param-name>com.sun.jersey.spi.container.ResourceFilters</param-name>
        <param-value>com.sun.jersey.api.container.filter.RolesAllowedResourceFilterFactory</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>jersey-serlvet</servlet-name>
    <url-pattern>/*</url-pattern>
</servlet-mapping>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>BasicDemo</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>Admin</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
    <!-- The realm name is typically displayed by the browser in the login dialog box. -->
    <realm-name>Login</realm-name>
</login-config>
```
Please let me know about the issue.
Finally made it work!
Here are the steps to make it work in Tomcat and Jersey.
Let's assume we have the following contents in TOMCAT_HOME/conf/tomcat-users.xml, where we define 2 roles - editor and member.
We also define three users - gavin, julie, and admin.
Step 1. Make sure you use Servlet 3.0 spec in web.xml
Security annotations do not work with Servlet 2.5 and below.
Step 2. Create your Application Class to enable Security Annotations
NOTE: The code below is specific to Jersey.
Step 3. Specify your Application Class in web.xml
Make sure that the Application class you created in Step 2 is recognized by Jersey.
Step 4. Create security-constraint in web.xml
Ironically, even though we want to use security annotations, we still need to define a security constraint in web.xml.
In the example below, we try to secure access to /test/*. It's important that you don't specify any HTTP methods (e.g. <http-method>GET</http-method>). This means that you're denying access to all HTTP methods. Still, you need to define all roles that can have access to the URL regardless of the method, through the <auth-constraint> element.
Step 5. Specify authentication method in web.xml
The example below illustrates BASIC authentication.
Step 6. Define Security Roles
The security roles should correspond to the same roles defined in tomcat-users.xml. In this example, we define the roles editor and member.
NOTE: It seems that this step is optional since authentication / authorization still works even without it.
Step 7. Annotate your resources
That's it. Here's the complete web.xml for your programming pleasure.
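The answer above leaves out its Application class and resource code, so here is an added, self-contained example of Steps 2 and 7 (not the answer's own code). It assumes Jersey 2 on a Servlet 3.0 container (Tomcat 7 or later, as Step 1 requires), the package name com.example.security and the role names editor and member from the answer's tomcat-users.xml; the @ApplicationPath value "/test" matches the URL the answer's security-constraint protects. With Jersey 1 (the com.sun.jersey classes in the question) the equivalent of registering RolesAllowedDynamicFeature is the RolesAllowedResourceFilterFactory init-param already present in the question's web.xml.

```java
// --- File: com/example/security/SecuredApplication.java (assumed package name) ---
package com.example.security;

import javax.ws.rs.ApplicationPath;

import org.glassfish.jersey.server.ResourceConfig;
import org.glassfish.jersey.server.filter.RolesAllowedDynamicFeature;

/**
 * Step 2/3: the JAX-RS Application subclass. On a Servlet 3.0 container Jersey
 * discovers it through @ApplicationPath, so no <servlet> entry is needed in web.xml.
 * Registering RolesAllowedDynamicFeature is what turns the JSR-250 annotations on
 * the resources into enforced checks; without it they are silently ignored.
 */
@ApplicationPath("/test")
public class SecuredApplication extends ResourceConfig {
    public SecuredApplication() {
        packages("com.example.security");           // scan this package for resources
        register(RolesAllowedDynamicFeature.class); // enforce @RolesAllowed/@PermitAll/@DenyAll
    }
}

// --- File: com/example/security/PingResource.java (assumed package name) ---
package com.example.security;

import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;

/** Step 7: roles here must be the ones Tomcat knows from tomcat-users.xml. */
@Path("/ping")
@RolesAllowed({"editor", "member"})   // class-level default: any authenticated editor or member
public class PingResource {

    @GET
    @Produces(MediaType.TEXT_PLAIN)
    public Response ping(@Context SecurityContext sc) {
        // The principal is established by Tomcat's BASIC authentication, not by Jersey.
        // If it is null here, no <security-constraint> in web.xml matched this URL.
        String user = sc.getUserPrincipal() == null ? "anonymous" : sc.getUserPrincipal().getName();
        return Response.ok("Pinged by " + user).build();
    }

    @GET
    @Path("/editor-only")
    @Produces(MediaType.TEXT_PLAIN)
    @RolesAllowed("editor")   // method-level annotation overrides the class-level one
    public Response editorPing() {
        return Response.ok("editor ping").build();
    }

    @GET
    @Path("/health")
    @Produces(MediaType.TEXT_PLAIN)
    @PermitAll                // no role required by JAX-RS; the web.xml constraint may still demand login
    public Response health() {
        return Response.ok("up").build();
    }

    @GET
    @Path("/retired")
    @DenyAll                  // always 403, regardless of who is authenticated
    public Response retired() {
        return Response.ok().build();
    }
}
```

The web.xml parts of the procedure (Steps 1, 4, 5 and 6: the Servlet 3.0 header, a security-constraint on /test/* with an auth-constraint listing editor and member, a BASIC login-config, and the security-role declarations) are still required alongside this code, for the reason the answer gives: the container authenticates before Jersey ever sees the request.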
I don't know of any Java library that declares @RolesAllows. The Java EE 6 API docs declare only 5 annotations for security use.
If you are trying to override the class roles, you can't simply put @RolesAllowed in your method, just like you did, I'm sure that will work.

I struggled with a similar issue for hours before one line from this IBM article opened my eyes. Surprisingly, not a single book or user guide mentions this critical fact, without which authentication can't succeed.
When using annotation-based security, web.xml is not optional; quite on the contrary, the <security-constraint> element must be present; the web container checks for security before JAX-RS does, and without a <security-constraint> the proper security context is not set. Thus when JAX-RS invokes isUserInRole(role), it always returns false. In addition, either <security-role> element(s) in web.xml or the @DeclareRoles annotation must be present. Lastly, if using Jersey, RolesAllowedDynamicFeature needs to be registered in the Application class to enable annotation-based security.
HTH others who struggle with the pathetic documentation, or lack thereof, that's out there.
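The failure described above is silent: a missing <security-constraint> means Tomcat never challenges the caller, so every isUserInRole(role) call returns false and the only symptom is a bare 403. The following is an added example (not from the answer or from Jersey) of a Jersey 2 DynamicFeature that makes that misconfiguration visible: for every resource carrying @RolesAllowed it installs a filter, ordered just ahead of Jersey's own authorization filter, that logs a configuration error and fails closed when no principal was set by the container. Package name and class names are assumptions.

```java
package com.example.security;   // assumed package name

import java.util.logging.Logger;

import javax.annotation.security.RolesAllowed;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.DynamicFeature;
import javax.ws.rs.container.ResourceInfo;
import javax.ws.rs.core.FeatureContext;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;

/**
 * Attaches a diagnostic filter to every resource method that is guarded by
 * @RolesAllowed (on the method or its class). Jersey picks this class up via
 * package scanning or an explicit register() call in the Application class.
 */
@Provider
public class MissingPrincipalDiagnosticFeature implements DynamicFeature {

    @Override
    public void configure(ResourceInfo info, FeatureContext ctx) {
        boolean guarded = info.getResourceMethod().isAnnotationPresent(RolesAllowed.class)
                || info.getResourceClass().isAnnotationPresent(RolesAllowed.class);
        if (guarded) {
            // Lower priority value runs earlier, so AUTHORIZATION - 1 places this filter
            // just before the filter RolesAllowedDynamicFeature registers at AUTHORIZATION.
            ctx.register(new MissingPrincipalFilter(), Priorities.AUTHORIZATION - 1);
        }
    }

    /** Distinguishes "never authenticated" (a web.xml problem) from "wrong role". */
    static final class MissingPrincipalFilter implements ContainerRequestFilter {
        private static final Logger LOG = Logger.getLogger(MissingPrincipalFilter.class.getName());

        @Override
        public void filter(ContainerRequestContext request) {
            SecurityContext sc = request.getSecurityContext();
            if (sc == null || sc.getUserPrincipal() == null) {
                // Tomcat performs BASIC auth only for URLs matched by a <security-constraint>.
                // No principal on a @RolesAllowed resource therefore means the constraint
                // (or <login-config>) does not cover this path, and isUserInRole() can never be true.
                LOG.severe("No principal on " + request.getMethod() + " "
                        + request.getUriInfo().getPath()
                        + " for a @RolesAllowed resource; check <security-constraint> and"
                        + " <login-config> in web.xml");
                // Fail closed even if RolesAllowedDynamicFeature itself was not registered.
                request.abortWith(Response.status(Response.Status.FORBIDDEN).build());
            }
            // An authenticated caller lacking the role is left to RolesAllowedDynamicFeature,
            // which runs next and rejects it in the normal way.
        }
    }
}
```

Because the filter only reacts when no principal exists at all, it does not change behaviour for correctly configured deployments; its value is the log line that points at web.xml rather than at the annotations.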
Do you have the import in your code? Also make sure annotations-api.jar is in your classpath. The jar can be found in the Tomcat installation's lib folder.

I think you should add the jsr250-api-1.0.jar. If you use Maven you can add this: