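【Posted】: 2018-05-12 21:12:24
【Question】:
I am trying to explore the Shiro framework. Authentication works fine. I am having a problem with authorization. I am using the Shiro annotation @RequiresRoles for authorization. Even though I have used the annotation, it is not authorizing only the role I specified. It allows all roles. Please find the code I tried below. I am using Jersey and Shiro.
Java code: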
package com.somecompany.rest;

import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.core.Response;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authz.annotation.RequiresRoles;

@Path("/test")
public class HelloWorldService {
    @GET
    @Path("/{param}")
    @RequiresRoles(value = {"admin_role"})
    public Response getMsg(@PathParam("param") String msg) {
        String output = "Jersey say : " + msg;
        System.out.println(SecurityUtils.getSubject().hasRole("admin_role"));
        return Response.status(200).entity(output).build();
    }
}
Web.xml
<servlet>
    <servlet-name>jersey-serlvet</servlet-name>
    <servlet-class>
        com.sun.jersey.spi.container.servlet.ServletContainer
    </servlet-class>
    <init-param>
        <param-name>com.sun.jersey.config.property.packages</param-name>
        <param-value>com.somecompany.rest</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>jersey-serlvet</servlet-name>
    <url-pattern>/rest/*</url-pattern>
</servlet-mapping>
<listener>
    <listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
</listener>
<filter>
    <filter-name>ShiroFilter</filter-name>
    <filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>ShiroFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>INCLUDE</dispatcher>
    <dispatcher>ERROR</dispatcher>
</filter-mapping>
Pom.XML
<dependency>
    <groupId>com.sun.jersey</groupId>
    <artifactId>jersey-server</artifactId>
    <version>1.17</version>
</dependency>
<dependency>
    <groupId>com.sun.jersey</groupId>
    <artifactId>jersey-servlet</artifactId>
    <version>1.17</version>
</dependency>
<dependency>
    <groupId>org.apache.shiro</groupId>
    <artifactId>shiro-core</artifactId>
    <version>1.3.2</version>
</dependency>
<dependency>
    <groupId>org.apache.shiro</groupId>
    <artifactId>shiro-web</artifactId>
    <version>1.3.2</version>
</dependency>
<!-- Included commons logging for shiro -->
<dependency>
    <groupId>commons-logging</groupId>
    <artifactId>commons-logging</artifactId>
    <version>1.1.1</version>
</dependency>
<dependency>
    <groupId>org.apache.shiro</groupId>
    <artifactId>shiro-aspectj</artifactId>
    <version>1.3.2</version>
</dependency>
shiro.ini
[users]
root = root,root_role
admin = admin,admin_role
test = test,test_role
[roles]
admin = *
[urls]
# The 'urls' section is used for url-based security
# in web applications. We'll discuss this section in the
# Web documentation
/rest/** = authcBasic
【Discussion】:
- I think Jersey does not recognize this annotation. You have to create a DynamicFeature; here is an example: gist.github.com/caseyscarborough/f4266646f727fa9f7cc6
Tags: java annotations jersey shiro
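
DynamicFeature, mentioned in the comment above, is a JAX-RS 2.0 interface; the pom in the question uses Jersey 1.17 (com.sun.jersey), where the equivalent hook is a ResourceFilterFactory. The following is an added example, not code from the question or from the linked gist: the class name ShiroRolesFilterFactory is hypothetical, and it enforces only @RequiresRoles, returning 403 when the current Shiro subject lacks the required roles.

```java
package com.somecompany.rest;

import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Response;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authz.annotation.Logical;
import org.apache.shiro.authz.annotation.RequiresRoles;
import org.apache.shiro.subject.Subject;
import com.sun.jersey.api.model.AbstractMethod;
import com.sun.jersey.spi.container.*;

// Hypothetical class (added example). Register it on the Jersey servlet in web.xml with
// init-param com.sun.jersey.spi.container.ResourceFilters = com.somecompany.rest.ShiroRolesFilterFactory
public class ShiroRolesFilterFactory implements ResourceFilterFactory {

    @Override
    public List<ResourceFilter> create(AbstractMethod am) {
        // A method-level annotation takes precedence; otherwise use the resource class.
        RequiresRoles rr = am.getAnnotation(RequiresRoles.class);
        if (rr == null) rr = am.getResource().getAnnotation(RequiresRoles.class);
        return rr == null
                ? Collections.<ResourceFilter>emptyList()
                : Collections.<ResourceFilter>singletonList(new RolesFilter(rr));
    }

    private static final class RolesFilter implements ResourceFilter, ContainerRequestFilter {
        private final RequiresRoles required;

        RolesFilter(RequiresRoles required) { this.required = required; }

        @Override public ContainerRequestFilter getRequestFilter() { return this; }
        @Override public ContainerResponseFilter getResponseFilter() { return null; }

        @Override
        public ContainerRequest filter(ContainerRequest request) {
            Subject subject = SecurityUtils.getSubject();
            List<String> roles = Arrays.asList(required.value());
            boolean allowed = subject.hasAllRoles(roles);          // Logical.AND (the default)
            if (required.logical() == Logical.OR) {
                allowed = false;
                for (boolean has : subject.hasRoles(roles)) allowed |= has;
            }
            // Fail closed: reject before the resource method runs.
            if (!allowed) throw new WebApplicationException(Response.Status.FORBIDDEN);
            return request;
        }
    }
}
```

With the shiro.ini from the question, a request to /rest/test/{param} as user test (role test_role) would then get 403, while admin (admin_role) reaches getMsg.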