
我正在使用 Netbeans 7.2 开发两个项目:

1:一个 JEE6 Web 项目(提供方,Provider):一个 RESTEasy Web 服务,它使用 JPA(EclipseLink 2.3)从 PostgreSQL 数据库中获取数据,部署在 JBoss 7.1.1.Final 上

jboss-web.xml:

<jboss-web>
 <!-- URL to access the web module -->
 <context-root>/dbo</context-root>        
</jboss-web>

web.xml:

<?xml version="1.0" encoding="UTF-8"?> <web-app xmlns="http://java.sun.com/xml/ns/javaee"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
 version="3.0">
<display-name>Restful Web Application</display-name>

    <display-name>Restful Web Application</display-name>

<!-- NOTE(review): this descriptor declares no <security-constraint> and no <login-config>,
     so every request under /rest/* (e.g. /dbo/rest/members) is served without any
     authentication. Access control for the service has to be added here or in a
     request interceptor. -->

<!-- Auto scan REST service -->
<context-param>
    <param-name>resteasy.scan</param-name>
    <param-value>true</param-value>
</context-param>

<!-- this must match the resteasy servlet url-pattern declared below -->
<context-param>
    <param-name>resteasy.servlet.mapping.prefix</param-name>
    <param-value>/rest</param-value>
</context-param>

<listener>
    <listener-class>
        org.jboss.resteasy.plugins.server.servlet.ResteasyBootstrap
    </listener-class>
</listener>

<servlet>
    <servlet-name>resteasy-servlet</servlet-name>
    <servlet-class>
        org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher
    </servlet-class>
</servlet>

<servlet-mapping>
    <servlet-name>resteasy-servlet</servlet-name>
    <url-pattern>/rest/*</url-pattern>
</servlet-mapping> 

JSONService.java:

package com.ostudio.dbo.rest;
import com.ostudio.dbo.model.Member;
import java.util.List;
import javax.enterprise.context.RequestScoped;
import javax.inject.Inject;
import javax.persistence.EntityManager;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;    

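@Path("/members")
@RequestScoped
public class JSONService {
   @Inject
   private EntityManager em;

   /**
    * Returns every {@code Member}, ordered by name, serialized as a JSON array.
    *
    * <p>NOTE(review): nothing in this class restricts who may call it; any client that can
    * reach {@code /rest/members} receives the complete member list. Access control has to
    * come from the deployment descriptor or from a request interceptor.
    *
    * @return the members found by the JPQL query, possibly empty
    */
   @GET
   @Produces(javax.ws.rs.core.MediaType.APPLICATION_JSON)
   public List<Member> listAllMembers() {
      // A TypedQuery (JPA 2.0) removes the unchecked cast the untyped Query required.
      return em.createQuery("select m from Member m order by m.name", Member.class)
               .getResultList();
   }
}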

2:第二个项目是客户端(消费方,Consumer):同样是一个 JEE6 Web 项目,包含一个 RESTEasy 客户端;它的安全基于 JAAS,连接到一台 LDAP 服务器,同样部署在 JBoss 7.1.1.Final 上

web.xml:

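<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
    <display-name>home-module</display-name>
    <!-- Protected Areas -->
    <security-constraint>
         <display-name>Admin Area</display-name>
        <web-resource-collection>
            <web-resource-name>Only_admins</web-resource-name>
            <url-pattern>/pages/protected/admin/*</url-pattern>
            <!-- No <http-method> elements on purpose: listing GET and POST would apply this
                 constraint to those two verbs only and leave every other method on
                 /pages/protected/admin/* unconstrained. Omitting them covers all methods. -->
        </web-resource-collection>
        <auth-constraint>
            <description>For admin role only</description>
            <role-name>administrators</role-name>
        </auth-constraint>
        <user-data-constraint>
            <!-- NOTE(review): NONE allows the protected pages, and the FORM login that
                 guards them, over plain HTTP. CONFIDENTIAL makes the container require
                 TLS for this collection. -->
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <!-- Validation By Form -->
    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/pages/public/login.xhtml</form-login-page>
            <form-error-page>/pages/public/loginError.xhtml</form-error-page>
        </form-login-config>
    </login-config>

    <!-- Allowed Roles -->
    <security-role>
        <description>Administrators</description>
        <role-name>administrators</role-name>
    </security-role>
</web-app>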

jboss-web.xml:

<?xml version="1.0" encoding="UTF-8"?>

    <jboss-web>
     <!-- URL to access the web module -->
     <context-root>/</context-root>

     <!-- Realm that will be used -->
     <security-domain>SecurityRealm</security-domain>
    </jboss-web>

jboss-deployment-structure.xml:

<?xml version="1.0" encoding="UTF-8"?>
<jboss-deployment-structure>
    <deployment>
      <dependencies> 
         <module name="org.primefaces" meta-inf="export">
            <imports>
               <include path="META-INF" />
            </imports>
         </module>  
         <module name="org.jboss.resteasy.resteasy-jaxrs" meta-inf="export">
            <imports>
               <include path="META-INF" />
            </imports>
         </module>  
      </dependencies>
  </deployment>   
</jboss-deployment-structure>

DBOResteasyClient.java:

package com.ostudio.homemodule.dbo;

import com.ostudio.homemodule.model.Member;
import java.util.ArrayList;
import java.util.List;
import java.util.logging.Logger;
import javax.annotation.PostConstruct;
import javax.enterprise.context.RequestScoped;
import javax.faces.bean.ManagedBean;
import javax.inject.Named;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import org.apache.http.client.ClientProtocolException;
import org.jboss.resteasy.client.ClientRequest;
import org.jboss.resteasy.client.ClientResponse;
import org.primefaces.json.JSONArray;
import org.primefaces.json.JSONException;
import org.primefaces.json.JSONObject;

/**
 *
 * @author josuna
 */
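@ManagedBean(name="dboBean")
@RequestScoped
public class DBOResteasyClient {
    // NOTE(review): plain http:// — everything the request carries (including an
    // Authorization header once the service is secured) travels unencrypted. Switch to
    // https:// when TLS is configured on the server.
    private static final String BASE_URI = "http://localhost:8080/dbo/rest";
    private static final String MEMBERS_PATH = "/members";
    // getName() yields the FQCN; toString() would have prefixed it with "class ".
    private static final Logger log = Logger.getLogger(DBOResteasyClient.class.getName());

    ClientRequest webResource;
    ClientResponse response;
    private List<Member> members;

    /** Prepares the request for the members resource; no network call happens here. */
    public DBOResteasyClient() {
        webResource = new ClientRequest(BASE_URI + MEMBERS_PATH);
    }

    // @Named provides access to the return value via the EL variable name "members" in the UI
    // (e.g. Facelets or JSP view).
    // NOTE(review): the Produces imported in this file is javax.ws.rs.Produces, not the CDI
    // javax.enterprise.inject.Produces a producer method needs — confirm which is intended.
    @Produces
    @Named
    public List<Member> getMembers(){
        return this.members;
    }

    /**
     * Fetches the member list from the REST service right after construction.
     *
     * <p>On any failure (transport error, non-200 status, unparseable JSON) the list is left
     * empty — never {@code null} — and the cause is logged with its stack trace.
     */
    @PostConstruct
    public void listAllMembers() {
        members = new ArrayList<Member>();
        final String jsonData;
        try {
            response = webResource.accept(javax.ws.rs.core.MediaType.APPLICATION_JSON).get(ClientResponse.class);
            if (response.getStatus() != 200) {
                log.severe("Failed : HTTP error code : " + response.getStatus());
                return;
            }
            jsonData = response.getEntity(String.class);
        } catch (Exception e) {
            // Returning here avoids the NullPointerException the original hit when it went on
            // to read the entity of a response that was never obtained.
            log.log(java.util.logging.Level.SEVERE,
                    "Request to " + BASE_URI + MEMBERS_PATH + " failed", e);
            return;
        }

        try {
            JSONArray jsonArray = new JSONArray(jsonData);
            for (int i = 0; i < jsonArray.length(); i++) {
                members.add(toMember(jsonArray.getJSONObject(i)));
            }
        } catch (JSONException e) {
            log.log(java.util.logging.Level.SEVERE,
                    "ERROR EN listAllMembers: DBOResteasyClient: home-module", e);
        }

        // The payload holds names, e-mail addresses and phone numbers; keep it out of the
        // INFO log and emit it only at FINE for debugging.
        log.fine("Output from Server .... \n");
        log.fine(jsonData);
    }

    /**
     * Maps one JSON object of the service response onto a {@code Member}.
     *
     * @param json an element of the array returned by the service
     * @return a new Member populated from the id, name, email and phoneNumber keys
     * @throws JSONException if a key is missing or has the wrong type
     */
    private static Member toMember(JSONObject json) throws JSONException {
        Member m = new Member();
        m.setId(json.getLong("id"));
        m.setName(json.getString("name"));
        m.setEmail(json.getString("email"));
        m.setPhoneNumber(json.getString("phoneNumber"));
        return m;
    }

    /** No-op kept for existing callers; nothing is released here. */
    public void close(){
    }
}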

我的问题是:我需要保护这个 Web 服务。客户端已经用 JBoss 7.1 的安全域(realm)保护起来了;我也需要保护 RESTEasy Web 服务,但不想再为它使用另一个安全域,因为那样会再次要求用户进行身份验证。有没有办法保护这个 Web 服务,并复用客户端已完成的身份验证去访问它,而不必再次要求身份验证?




我假设您想要的是对用户进行身份验证/授权。如果您想保护的是连接本身,应该使用 TLS(HTTPS)。如果连接已经受 TLS 保护,您可以使用 HTTP 基本身份验证,并用一个 SecurityInterceptor 来校验凭据:

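@Provider
@ServerInterceptor
public class RestSecurityInterceptor implements PreProcessInterceptor
{
  // @EJB XXX xx (you can use Beans);

  /**
   * Runs before every resource method and rejects the request unless it carries an
   * acceptable HTTP Basic {@code Authorization} header.
   *
   * <p>NOTE(review): Basic credentials are only base64-encoded, not encrypted, so this
   * check is only meaningful when the connection is protected by TLS.
   *
   * @param request the incoming request, used for its path and headers
   * @param method  the resource method that will handle the request
   * @return {@code null} to let the request continue to the resource method
   * @throws UnauthorizedException if the header is missing or the credentials are rejected
   */
  @Override
  public ServerResponse preProcess(HttpRequest request, ResourceMethod method)
     throws UnauthorizedException
  {
    // if(request.getPreprocessedPath().startsWith("/secure")){}
    // perhaps you will limit it to a special path

    // Then get the HTTP-Authorization header and base64 decode it
    java.util.List<String> authHeaders =
        request.getHttpHeaders().getRequestHeader("Authorization");
    if (authHeaders == null || authHeaders.isEmpty()) {
      // A missing header must be refused here: falling through would let the request
      // reach the resource method unauthenticated.
      throw new UnauthorizedException("Missing Authorization header");
    }

    // check whatever you want with your EJB
    // if it fails,
    // throw new UnauthorizedException("Username/Password does not match");

    // null tells RESTEasy to proceed with the resource method
    return null;
  }
}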

您的客户端应当实现抢先式(preemptive)HTTP 基本身份验证,即不等服务器返回 401 挑战,就在请求中直接带上 Authorization 头。

于 2012-11-29T15:52:46.707 回答