
We use Resteasy to communicate between several back-end servers, and we want to lock it down so that not just anyone can attach a client or a browser to the restlet server.

We are using Resteasy 3.04 with the embedded TJWS web server, because our back-end services are numerous but very lightweight.

Example server code:

import java.security.Principal;

import org.jboss.resteasy.plugins.server.embedded.SecurityDomain;
import org.jboss.resteasy.plugins.server.embedded.SimplePrincipal;
import org.jboss.resteasy.plugins.server.tjws.TJWSEmbeddedJaxrsServer;

public class RestEasySSLBasicAuthenticationServer {

    static TJWSEmbeddedJaxrsServer webServer;

    static class BasicAuthenticationSecurityDomain implements SecurityDomain {

        @Override
        public Principal authenticate(String aUsername, String aPassword) throws SecurityException {
            // Debug output only; a real implementation must not log the password
            System.out.println("User:" + aUsername + " Password" + aPassword);

            if (aPassword.equals("password") == false) {
                throw new SecurityException("Access denied to user " + aUsername);
            }

            // Return the authenticated identity rather than null so the request
            // carries a Principal that later role checks can use
            return new SimplePrincipal(aUsername);
        }

        @Override
        public boolean isUserInRoll(Principal aUsername, String aRole) {
            // No role based checks so return true
            return true;
        }

    }

    public static void main(String[] args) throws Exception {

        // Create embedded TJWS web server
        webServer = new TJWSEmbeddedJaxrsServer();

        // Set up SSL connections on server
        webServer.setSSLPort(8081);
        webServer.setSSLKeyStoreFile("K:\\source\\RestEasyTest\\server_localhost.jks");
        webServer.setSSLKeyStorePass("krypton");
        webServer.setSSLKeyStoreType("JKS");

        // Add basic HTTP authentication to the server
        webServer.setSecurityDomain(new BasicAuthenticationSecurityDomain());

        // Add the restlet resource
        webServer.getDeployment().getActualResourceClasses().add(PlayerResource.class);

        // Start the web server
        webServer.start();

        // Run until user presses a key
        System.out.print("Web server started. Press a key to stop...");
        System.in.read();

        // Stop the web server
        webServer.stop();
    }

}

Example client code:

import javax.ws.rs.client.Client;
import javax.ws.rs.client.ClientBuilder;
import javax.ws.rs.client.Invocation;
import javax.ws.rs.client.WebTarget;

import org.jboss.resteasy.client.jaxrs.BasicAuthentication;

public class RestEasySSLBasicAuthenticationClient {

    public static void main(String[] args) throws Exception {

        // Set up the keystore
        System.setProperty("javax.net.ssl.keyStore", "K:\\source\\RestEasyTest\\client_localhost.jks");
        System.setProperty("javax.net.ssl.keyStoreType", "JKS");
        System.setProperty("javax.net.ssl.keyStorePassword", "krypton");

        // Create a new Restlet client
        Client restletClient = ClientBuilder.newClient();

        // *** Even WITHOUT these credentials we can access the restlet
        // restletClient.register(new BasicAuthentication("username", "password"));

        // Set up the restlet request target.
        WebTarget request = restletClient.target("https://localhost:8081/player/{id}");
        request = request.resolveTemplate("id", Long.valueOf(1));

        // Build the restlet request
        Invocation invocation = request.request("application/xml").buildGet();

        // Call the restlet and get returned object
        Player result = invocation.invoke(Player.class);

        System.out.println(result.toString());
    }
}

Using the test client with the authentication filter registered, it works fine, and if the password is wrong I get a 401 access error as expected.

But if no authentication is registered on the client, the server never calls the SecurityDomain check and allows access.

How do I force a login on the server?


1 Answer


You can make sure all users are authenticated by enabling security on the embedded TJWS web server.

webServer.getDeployment().setSecurityEnabled(true);
answered 2013-10-23T09:25:13.120
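As an added example that is not part of the question or the answer, here is the server set up the way the answer describes, with setSecurityEnabled(true) and a SecurityDomain that returns a real Principal; it goes one step further than the page by guarding a resource with @RolesAllowed, which RESTEasy only enforces once security is enabled. StatusResource, the user name backend-svc, the role backend, the KEYSTORE_PASS variable and the keystore path are assumptions.

```java
import java.security.Principal;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import org.jboss.resteasy.plugins.server.embedded.SecurityDomain;
import org.jboss.resteasy.plugins.server.embedded.SimplePrincipal;
import org.jboss.resteasy.plugins.server.tjws.TJWSEmbeddedJaxrsServer;

public class LockedDownServer {

    // Assumed demo resource (the question's PlayerResource is not shown).
    @Path("/status")
    public static class StatusResource {
        @GET
        @Produces("text/plain")
        @RolesAllowed("backend")   // honoured only when security is enabled on the deployment
        public String status() { return "ok"; }
    }

    static class BackendSecurityDomain implements SecurityDomain {
        @Override
        public Principal authenticate(String username, String password) throws SecurityException {
            // Placeholder check; real code compares against a credential store and never logs the password.
            if (!"backend-svc".equals(username) || !"password".equals(password)) {
                throw new SecurityException("Access denied to user " + username);
            }
            return new SimplePrincipal(username); // non-null Principal = authenticated request
        }

        @Override
        public boolean isUserInRoll(Principal user, String role) {
            // Only the assumed service account holds the assumed "backend" role.
            return "backend".equals(role) && "backend-svc".equals(user.getName());
        }
    }

    public static void main(String[] args) throws Exception {
        TJWSEmbeddedJaxrsServer server = new TJWSEmbeddedJaxrsServer();
        server.setSSLPort(8081);
        server.setSSLKeyStoreFile("/path/to/server_localhost.jks");   // placeholder path
        server.setSSLKeyStorePass(System.getenv("KEYSTORE_PASS"));   // assumed env var, not hard-coded
        server.setSSLKeyStoreType("JKS");
        server.setSecurityDomain(new BackendSecurityDomain());
        server.getDeployment().setSecurityEnabled(true);   // the line the question was missing
        server.getDeployment().getActualResourceClasses().add(StatusResource.class);
        server.start();
        System.out.println("Started; requests without valid Basic credentials are now rejected.");
        System.in.read();
        server.stop();
    }
}
```

A quick check after starting it: a GET to https://localhost:8081/status with no Authorization header should be rejected, and one with the service account's Basic credentials should return "ok".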