保护RESTEasy WS
保护RESTEasy WS
提问于 2012-11-27 19:22:23
我正在使用Netbeans 7.2开发两个项目:
1: a jee6 web项目(提供):一个RestEasy web服务,它使用JPA (EclipseLink 2.3)从PostgreSQL数据库获取数据,然后部署在JBoss 7.1上。
JBos-web.xml:
<jboss-web>
<!-- URL to access the web module -->
<context-root>/dbo</context-root>
</jboss-web>web.xml:
<?xml version="1.0" encoding="UTF-8"?> <web-app xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
<display-name>Restful Web Application</display-name>
<display-name>Restful Web Application</display-name>
<!-- Auto scan REST service -->
<context-param>
<param-name>resteasy.scan</param-name>
<param-value>true</param-value>
</context-param>
<!-- this need same with resteasy servlet url-pattern -->
<context-param>
<param-name>resteasy.servlet.mapping.prefix</param-name>
<param-value>/rest</param-value>
</context-param>
<listener>
<listener-class>
org.jboss.resteasy.plugins.server.servlet.ResteasyBootstrap
</listener-class>
</listener>
<servlet>
<servlet-name>resteasy-servlet</servlet-name>
<servlet-class>
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher
</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>resteasy-servlet</servlet-name>
<url-pattern>/rest/*</url-pattern>
</servlet-mapping>
JSONService.java:
package com.ostudio.dbo.rest;
import com.ostudio.dbo.model.Member;
import java.util.List;
import javax.enterprise.context.RequestScoped;
import javax.inject.Inject;
import javax.persistence.EntityManager;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
@Path("/members")
@RequestScoped
public class JSONService {
@Inject
private EntityManager em;
@GET
@Produces(javax.ws.rs.core.MediaType.APPLICATION_JSON)
public List<Member> listAllMembers() {
@SuppressWarnings("unchecked")
final List<Member> results = em.createQuery("select m from Member m order by m.name").getResultList();
return results;
}
}2:第二个项目是客户端(消费者):一个jee6 web项目:一个RestEasy客户端,它的安全是基于jaas连接的ldap服务器并部署在JBoss 7.1上。
web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
<display-name>home-module</display-name>
<!-- Protected Areas -->
<security-constraint>
<display-name>Admin Area</display-name>
<web-resource-collection>
<web-resource-name>Only_admins</web-resource-name>
<url-pattern>/pages/protected/admin/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<description>For admin role only</description>
<role-name>administrators</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<!-- Validation By Form -->
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/pages/public/login.xhtml</form-login-page>
<form-error-page>/pages/public/loginError.xhtml</form-error-page>
</form-login-config>
</login-config>
<!-- Allowed Roles -->
<security-role>
<description>Administrators</description>
<role-name>administrators</role-name>
</security-role>
</web-app>JBos-web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
<!-- URL to access the web module -->
<context-root>/</context-root>
<!-- Realm that will be used -->
<security-domain>SecurityRealm</security-domain>
</jboss-web>JBos-Deployment-structure.xml:
<?xml version="1.0" encoding="UTF-8"?>
<jboss-deployment-structure>
<deployment>
<dependencies>
<module name="org.primefaces" meta-inf="export">
<imports>
<include path="META-INF" />
</imports>
</module>
<module name="org.jboss.resteasy.resteasy-jaxrs" meta-inf="export">
<imports>
<include path="META-INF" />
</imports>
</module>
</dependencies>
</deployment>
</jboss-deployment-structure>DBOResteasyClient.java:
package com.ostudio.homemodule.dbo;
import com.ostudio.homemodule.model.Member;
import java.util.ArrayList;
import java.util.List;
import java.util.logging.Logger;
import javax.annotation.PostConstruct;
import javax.enterprise.context.RequestScoped;
import javax.faces.bean.ManagedBean;
import javax.inject.Named;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import org.apache.http.client.ClientProtocolException;
import org.jboss.resteasy.client.ClientRequest;
import org.jboss.resteasy.client.ClientResponse;
import org.primefaces.json.JSONArray;
import org.primefaces.json.JSONException;
import org.primefaces.json.JSONObject;
/**
*
* @author josuna
*/
@ManagedBean(name="dboBean")
@RequestScoped
public class DBOResteasyClient {
private static final String BASE_URI = "http://localhost:8080/dbo/rest";
ClientRequest webResource;
ClientResponse response;
private List<Member> members;
private Member member;
private static final Logger log = Logger.getLogger(DBOResteasyClient.class.toString());
public DBOResteasyClient() {
final String Path = "/members";
webResource = new ClientRequest(BASE_URI+Path);
}
// @Named provides access the return value via the EL variable name "members" in the UI (e.g.,
// Facelets or JSP view)
@Produces
@Named
public List<Member> getMembers(){
return this.members;
}
@PostConstruct
public void listAllMembers() {
try{
ClientRequest resource = webResource;
response = resource.accept(javax.ws.rs.core.MediaType.APPLICATION_JSON).get(ClientResponse.class);
if (response.getStatus() != 200) {
throw new RuntimeException("Failed : HTTP error code : "
+ response.getStatus()); }
}catch(Exception e ){
e.printStackTrace();
}
String jsonData = (String) response.getEntity(String.class);
JSONArray jsonArray = null;
try {
jsonArray = new JSONArray(jsonData);
members = new ArrayList<Member>();
for(int i=0;i<jsonArray.length();i++)
{
JSONObject json_data = jsonArray.getJSONObject(i);
member = new Member();
member.setId(json_data.getLong("id"));
member.setName(json_data.getString("name"));
member.setEmail(json_data.getString("email"));
member.setPhoneNumber(json_data.getString("phoneNumber"));
members.add(member);
}
} catch (JSONException e) {
// TODO Auto-generated catch block
log.info("ERROR EN listAllMembers: DBOResteasyClient: home-module");
}
// log.info("listAllMembers: size["+ members.size()+"]");
log.info("Output from Server .... \n");
log.info(jsonData);
}
public void close(){
}
} 我的问题是:我需要保护webservice。我使用JBoss7.1域来保护客户端,我需要保护webservice resteasy,但是我不想使用其他领域,因为它再次请求auth,是否有一个表单来保护webservice并使用客户端auth来访问webservice,而不需要它再次请求auth?
回答 1
Stack Overflow用户
回答已采纳
发布于 2012-11-29 15:52:46
我假设您希望对用户进行身份验证/授权。如果您想保护连接,应该在HTTPS中使用TLS。如果您的连接已经由TLS保护,则可以使用并使用SecurityInterceptor
@Provider
@ServerInterceptor
public class RestSecurityInterceptor implements PreProcessInterceptor
{
// @EJB XXX xx (you can use Beans);
@Override
public ServerResponse preProcess(HttpRequest request, ResourceMethod method)
throws UnauthorizedException
{
// if(request.getPreprocessedPath().startsWith("/secure")){}
// perhaps you will limit it to a special path
// Then get the HTTP-Authorization header and base64 decode it
request.getHttpHeaders().getRequestHeader("Authorization");
// check whatever you want with your EJB
// if it fails,
// throw new UnauthorizedException("Username/Password does not match");
}
}您的客户端应该实现抢占式HTTP基本身份验证。
页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/13591510
复制相关文章
相似问题
腾讯云开发者
Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有
深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 
粤公网安备44030502008569号
腾讯云计算(北京)有限责任公司 京ICP证150476号 | 京ICP备11018762号