Authorization with RolesAllowedDynamicFeature and Jersey

I am trying to authenticate users with a JAX-RS filter, which seems to work so far. This is the filter in which I set the new SecurityContext:

    import java.io.IOException;
    import java.security.Principal;
    import javax.ws.rs.container.ContainerRequestContext;
    import javax.ws.rs.container.ContainerRequestFilter;
    import javax.ws.rs.core.HttpHeaders;
    import javax.ws.rs.core.Response;
    import javax.ws.rs.core.Response.Status;
    import javax.ws.rs.core.SecurityContext;
    import javax.ws.rs.ext.Provider;

    @Provider
    public class AuthenticationFilter implements ContainerRequestFilter {

        @Override
        public void filter(final ContainerRequestContext requestContext) throws IOException {
            // Keep a reference to the container's own SecurityContext before replacing it;
            // calling requestContext.getSecurityContext() from inside the new context would
            // return the new context itself and recurse without end.
            final SecurityContext original = requestContext.getSecurityContext();

            requestContext.setSecurityContext(new SecurityContext() {
                @Override
                public Principal getUserPrincipal() {
                    return new Principal() {
                        @Override
                        public String getName() {
                            return "Joe";
                        }
                    };
                }

                @Override
                public boolean isUserInRole(String string) {
                    return false;
                }

                @Override
                public boolean isSecure() {
                    return original.isSecure();
                }

                @Override
                public String getAuthenticationScheme() {
                    return original.getAuthenticationScheme();
                }
            });

            if (!isAuthenticated(requestContext)) {
                requestContext.abortWith(
                        Response.status(Status.UNAUTHORIZED)
                                .header(HttpHeaders.WWW_AUTHENTICATE, "Basic realm=\"Example\"")
                                .entity("Login required.").build());
            }
        }

        private boolean isAuthenticated(final ContainerRequestContext requestContext) {
            return requestContext.getHeaderString("authorization") != null; // simplified
        }
    }

The resource method is as follows:

    import javax.annotation.security.RolesAllowed;
    import javax.ws.rs.GET;
    import javax.ws.rs.core.Context;
    import javax.ws.rs.core.SecurityContext;
    import org.glassfish.jersey.server.mvc.Viewable;

    @GET
    // @RolesAllowed("user")
    public Viewable get(@Context SecurityContext context) {
        System.out.println(context.getUserPrincipal().getName());
        System.out.println(context.isUserInRole("user"));
        return new Viewable("index");
    }

RolesAllowedDynamicFeature is registered as follows:

    .register(RolesAllowedDynamicFeature.class)

I see the expected outputs on the console. But if I uncomment @RolesAllowed("user"), I get a Forbidden error and my SecurityContext's isUserInRole method is never called. According to the API docs, RolesAllowedDynamicFeature should call this method.

How can I use RolesAllowedDynamicFeature?

+6
2 answers

You need to prioritize your authentication filter, otherwise the RolesAllowedRequestFilter in RolesAllowedDynamicFeature will execute before your AuthenticationFilter. If you look at the source code, RolesAllowedRequestFilter has the @Priority(Priorities.AUTHORIZATION) annotation, so if you assign @Priority(Priorities.AUTHENTICATION) to your authentication filter, it will execute before the RolesAllowedRequestFilter. Like this:

    import javax.annotation.Priority;
    import javax.ws.rs.Priorities;
    import javax.ws.rs.container.ContainerRequestFilter;
    import javax.ws.rs.ext.Provider;

    @Provider
    @Priority(Priorities.AUTHENTICATION)
    public class AuthenticationFilter implements ContainerRequestFilter {
        // ...
    }

You may also need to register the AuthenticationFilter with register(AuthenticationFilter.class), depending on whether your server scans the annotations or not.

+13

I think it's because

    @Override
    public boolean isUserInRole(String string) {
        return false;
    }

In that state the user does not have the required @RolesAllowed("user") role, so execution never even enters the annotated method.

You should implement a more complete isUserInRole method, one that checks whether the user has a specific role or not :)

Regards

+1

Source: https://habr.com/ru/post/947120/
