4

I created a filter with the ContainerRequestFilter interface and try to assign custom roles by returning a user entity.

@Override
public ContainerRequest filter(ContainerRequest request) {
    User user = authenticate(request);
    if (user != null) {
        request.setSecurityContext(new Authorizer(user));
    } else {
        throw new WebApplicationException(400);
    }
    return request;
}

private User authenticate(ContainerRequest request) {
    // Stub: always returns the same user with a fixed role
    User user = new User("erhan", "customRole");
    return user;
}

public class Authorizer implements SecurityContext {

    private User user;
    private Principal principal;

    public Authorizer(final User user) {
        this.user = user;
        this.principal = new Principal() {

            public String getName() {
                return user.username;
            }
        };
    }

    public Principal getUserPrincipal() {
        return this.principal;
    }

    public boolean isUserInRole(String role) {
        return (role.equals(user.role));
    }

    public boolean isSecure() {
        return "https".equals(uriInfo.getRequestUri().getScheme());
    }

    public String getAuthenticationScheme() {
        return SecurityContext.BASIC_AUTH;
    }
}

public class User {

    public String username;
    public String role;

    public User(String username, String role) {
        this.username = username;
        this.role = role;
    }
}

Everything is fine with that filter, but when it goes to the web service

@GET
@RolesAllowed({"customRole"})
@Path("/test")
public String getByType(@Context HttpHeaders headers, @Context SecurityContext sc,
                        @Context HttpServletRequest request) {
    return null;
}

it reaches the web service, but when I change the role, it still reaches the same web service. How can I provide different custom roles in Jersey?

shamoh
erhanasikoglu
  • 4
    OK, I think I found the solution, but there should be a different way: just adding the com.sun.jersey.spi.container.ResourceFilters com.sun.jersey.api.container.filter.RolesAllowedResourceFilterFactory filter to my web.xml solved the problem. But why do I need to initialize one more filter besides ContainerRequestFilters? – erhanasikoglu Mar 06 '12 at 20:47
  • 2
    Because Jersey doesn't support @RolesAllowed out of the box. The mentioned filter adds this support. And BTW, you should not return 400 for unauthorized; it means bad request. See HTTP status 401. – Pavel Bucek Mar 07 '12 at 13:43

2 Answers

2

Using Jersey 2, you can just register RolesAllowedDynamicFeature and secure your application in web.xml. Then you don't need a custom SecurityContext implementation.

See Jersey custom SecurityContext on EJB jax-rs resource for details about that.

shamoh
0

Try putting the annotations on the class. For me, adding @PreMatching with @Provider works. It seems that the Provider annotation is mandatory in this case.

@PreMatching
@Provider
public class RequestFilter implements ContainerRequestFilter {
   .....
}

If this does not work, try adding this: @Priority(Priorities.AUTHORIZATION)

Additionally, you need to enable roles and register RolesAllowedDynamicFeature or use alternatives - check example 19.2

osoitza
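What the two answers describe for Jersey 2 (javax.ws.rs namespace), put together as an added example that is not code from the question, the answers or Jersey itself. The class names, the X-Demo-User header and its name:role format are hypothetical stand-ins for real credential verification.

```java
import java.security.Principal;
import javax.annotation.Priority;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.*;
import javax.ws.rs.container.*;
import javax.ws.rs.core.*;
import javax.ws.rs.ext.Provider;
import org.glassfish.jersey.server.ResourceConfig;
import org.glassfish.jersey.server.filter.RolesAllowedDynamicFeature;

public class SecuredApp extends ResourceConfig {
    public SecuredApp() {
        // Without this feature Jersey 2 does not enforce @RolesAllowed at all.
        register(RolesAllowedDynamicFeature.class);
        register(AuthFilter.class);
        register(TestResource.class);
    }

    @Provider
    @Priority(Priorities.AUTHENTICATION) // runs before the role check (Priorities.AUTHORIZATION)
    public static class AuthFilter implements ContainerRequestFilter {
        @Override
        public void filter(ContainerRequestContext ctx) {
            // Constructed demo input: a real filter verifies credentials here instead.
            String hdr = ctx.getHeaderString("X-Demo-User");
            String[] parts = hdr == null ? new String[0] : hdr.split(":");
            if (parts.length != 2) {
                // Unauthenticated callers get 401 rather than 400.
                ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
                return;
            }
            final String name = parts[0], role = parts[1];
            final boolean secure = "https".equals(ctx.getUriInfo().getRequestUri().getScheme());
            ctx.setSecurityContext(new SecurityContext() {
                public Principal getUserPrincipal() { return () -> name; }
                public boolean isUserInRole(String r) { return role.equals(r); }
                public boolean isSecure() { return secure; }
                public String getAuthenticationScheme() { return "demo"; }
            });
        }
    }

    @Path("/test")
    public static class TestResource {
        @GET
        @RolesAllowed({"customRole"}) // callers with any other role receive 403 Forbidden
        public String get(@Context SecurityContext sc) {
            return "hello " + sc.getUserPrincipal().getName();
        }
    }
}
```

With the feature registered, the role check calls isUserInRole on the SecurityContext the filter installed, so changing the user's role changes the outcome.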