2

我将 JPA 和 Olingo 用于一些 REST 服务。我能够得到与我的实体类似的基本实现,类似于此处的示例:JPA Olingo Web App

但是,现在我正在尝试在我加入访问表的位置添加授权,然后相应地过滤结果。我只是想知道是否有一种无需覆盖默认行为的好方法。我在这里看到了注释处理器Annotation Processor for EDM,但它似乎不太适合我们的模型。

我的问题是:是否有一种简单的方法可以更改 Olingo JPA 处理器以默认加入表和过滤实体以实现授权?这将要求我能够传入帐户以过滤并限制所有结果。

我也尝试过这里描述的预处理和后处理。 自定义 JPA 处理器然而,过滤需要在查询中而不是在返回结果之后进行,因为 JPA 查询将返回太多结果,并且转换数千个对象的时间长且成本高。

到目前为止,我已经实现了一个 CustomODataJPAProcessor。但是,现在需要我重写和覆盖 org.apache.olingo.odata2.jpa.processor.core.access.data.JPAProcessorImpl#processmethod 并使用我想要的功能修改 JPA 查询。您会看到我实现了一个新的 JPAProcessor,我在其中调用 process 并发送我的帐户。这是我的代码在我的 CustomODataJPAProcessor 的 readEntitySet 方法中的样子:

    /* Pre Process Step */
    preprocess( );
    List<String> accounts = new ArrayList<>();

    //This is what the original readEntitySet does
    //ODataJPAFactory.createFactory().getODataJPAAccessFactory().getODataJPAResponseBuilder(oDataJPAContext);

    //Using custom JPA Processor that I added
    jpaProcessor = new CustomJPAProcessor(this.oDataJPAContext);
    CustomJPAProcessor customJPAProcessor = (CustomJPAProcessor)jpaProcessor;
    List<Object> jpaEntities = customJPAProcessor.process(uriParserResultView, accounts);

    //What the docs want you to do http://olingo.apache.org/doc/odata2/tutorials/CustomODataJPAProcessor.html
    //java.util.List<Object> jpaEntities = jpaProcessor.process(uriParserResultView);

   /* Post Process Step */
    postProcess( );
4

2 回答 2

1

我不知道你是否还在努力。我现在正在解决这个问题。Olingo 提供了 ODataJPAQueryExtensionEntityListener 这个监听器由 JPAQueryBuilder 在 buildQuery 执行前一步执行。

使用此无状态侦听器,您可以替换 buildQuery 方法,以便访问和更改包含 JPQL 查询的字符串 jpqlStatement.toString()。

我认为比原生 SQL 更好

再见多梅尼科

于 2016-12-17T19:59:33.673 回答
0

本教程的来源

我已经使用本教程在这个olingo JPA 应用程序中进行 JWT 身份验证。我刚刚复制了整个内容以备将来使用,如果源链接不再有效,人们可以有机会访问它!

您需要为您的用例调整示例,即必须更改包并且必须将库添加到 pom.xml 文件中。当然,您不需要HelloWorldController添加其余文件,而是将其余文件添加到应用程序中的类似文件夹中,它会在服务odata.csv/$metadata或其余请求之前请求 jwt 令牌!

Spring Boot Security + JWT Hello World 示例 - 启动

在本教程中,我们将开发一个 Spring Boot 应用程序,该应用程序利用 JWT 身份验证来保护暴露的 REST API。在此示例中,我们将使用硬编码的用户值进行用户身份验证。在下一节中,我们将实现 Spring Boot + JWT + MYSQL JPA 来存储和获取用户凭据。只有拥有有效的 JSON Web 令牌 (JWT) 的任何用户才能使用此 API。

为了更好地理解,我们将分阶段开发项目:

开发一个 Spring Boot 应用程序,该应用程序公开一个带有映射 /hello 的简单 REST GET API。

为 JWT 配置 Spring Security。使用映射/身份验证公开 REST POST API,用户将使用该 API 获得有效的 JSON Web 令牌。然后,仅当它具有有效令牌时才允许用户访问 API /hello

在此处输入图像描述

开发一个公开 GET REST API 的 Spring Boot 应用程序

Maven 项目将如下所示:

在此处输入图像描述

pom.xml 如下:

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>com.javainuse</groupId>
    <artifactId>spring-boot-jwt</artifactId>
    <version>0.0.1-SNAPSHOT</version>

    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.1.1.RELEASE</version>
        <relativePath /> <!-- lookup parent from repository -->
    </parent>

    <properties>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
        <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
        <java.version>1.8</java.version>
    </properties>

    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
    </dependencies>

</project>

创建一个控制器类来公开一个 GET REST API-

package com.javainuse.controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
@RestController
public class HelloWorldController {
    @RequestMapping({ "/hello" })
    public String firstPage() {
        return "Hello World";
    }
}

使用 Spring Boot Annotation 创建引导类

package com.javainuse;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
@SpringBootApplication
public class SpringBootHelloWorldApplication {
    public static void main(String[] args) {
        SpringApplication.run(SpringBootHelloWorldApplication.class, args);
    }
}

编译并运行 SpringBootHelloWorldApplication.java 作为 Java 应用程序。

转到本地主机:8080/你好

在此处输入图像描述

Spring Security 和 JWT 配置

我们将配置 Spring Security 和 JWT 以执行 2 个操作-

  • 生成 JWT — 使用映射/authenticate公开 POST API 。在传递正确的用户名和密码后,它将生成一个 JSON Web 令牌(JWT)
  • 验证 JWT — 如果用户尝试使用映射/hello访问 GET API 。仅当请求具有有效的 JSON Web 令牌(JWT)时才允许访问

Maven项目将如下 -

在此处输入图像描述

这些操作的顺序流程如下:

生成 JWT

在此处输入图像描述

在此处输入图像描述

验证 JWT

在此处输入图像描述

添加 Spring Security 和 JWT 依赖项

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>com.javainuse</groupId>
    <artifactId>spring-boot-jwt</artifactId>
    <version>0.0.1-SNAPSHOT</version>

    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.1.1.RELEASE</version>
        <relativePath /> <!-- lookup parent from repository -->
    </parent>

    <properties>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
        <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
        <java.version>1.8</java.version>
    </properties>

    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
        <dependency>
            <groupId>io.jsonwebtoken</groupId>
            <artifactId>jjwt</artifactId>
            <version>0.9.1</version>
        </dependency>
    </dependencies>

</project>

定义 application.properties。我们指定将用于散列算法的密钥。密钥与标头和有效负载相结合以创建唯一的散列。如果您拥有密钥,我们只能验证此哈希。

jwt.secret=javainuse

JwtTokenUtil

JwtTokenUtil 负责执行 JWT 操作,如创建和验证。它利用 io.jsonwebtoken.Jwts 来实现这一点。

package com.javainuse.config;
import java.io.Serializable;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
import java.util.function.Function;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Component;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
@Component
public class JwtTokenUtil implements Serializable {
    private static final long serialVersionUID = -2550185165626007488L;
    public static final long JWT_TOKEN_VALIDITY = 5 * 60 * 60;
    @Value("${jwt.secret}")
    private String secret;
    //retrieve username from jwt token
    public String getUsernameFromToken(String token) {
        return getClaimFromToken(token, Claims::getSubject);
    }
    //retrieve expiration date from jwt token
    public Date getExpirationDateFromToken(String token) {
        return getClaimFromToken(token, Claims::getExpiration);
    }
    public <T> T getClaimFromToken(String token, Function<Claims, T> claimsResolver) {
        final Claims claims = getAllClaimsFromToken(token);
        return claimsResolver.apply(claims);
    }
    //for retrieveing any information from token we will need the secret key
    private Claims getAllClaimsFromToken(String token) {
        return Jwts.parser().setSigningKey(secret).parseClaimsJws(token).getBody();
    }
    //check if the token has expired
    private Boolean isTokenExpired(String token) {
        final Date expiration = getExpirationDateFromToken(token);
        return expiration.before(new Date());
    }
    //generate token for user
    public String generateToken(UserDetails userDetails) {
        Map<String, Object> claims = new HashMap<>();
        return doGenerateToken(claims, userDetails.getUsername());
    }
    //while creating the token -
    //1. Define  claims of the token, like Issuer, Expiration, Subject, and the ID
    //2. Sign the JWT using the HS512 algorithm and secret key.
    //3. According to JWS Compact Serialization(https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-41#section-3.1)
    //   compaction of the JWT to a URL-safe string 
    private String doGenerateToken(Map<String, Object> claims, String subject) {
        return Jwts.builder().setClaims(claims).setSubject(subject).setIssuedAt(new Date(System.currentTimeMillis()))
                .setExpiration(new Date(System.currentTimeMillis() + JWT_TOKEN_VALIDITY * 1000))
                .signWith(SignatureAlgorithm.HS512, secret).compact();
    }
    //validate token
    public Boolean validateToken(String token, UserDetails userDetails) {
        final String username = getUsernameFromToken(token);
        return (username.equals(userDetails.getUsername()) && !isTokenExpired(token));
    }
}

JWTUserDetailsS​​ervice

JWTUserDetailsS​​ervice 实现了 Spring Security UserDetailsS​​ervice 接口。它覆盖 loadUserByUsername 以使用用户名从数据库中获取用户详细信息。Spring Security Authentication Manager 在对用户提供的用户详细信息进行身份验证时,调用该方法从数据库中获取用户详细信息。在这里,我们从硬编码的用户列表中获取用户详细信息。此外,用户的密码使用 BCrypt 以加密格式存储。

package com.javainuse.service;
import java.util.ArrayList;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;
@Service
public class JwtUserDetailsService implements UserDetailsService {
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        if ("javainuse".equals(username)) {
            return new User("javainuse", "$2a$10$slYQmyNdGzTn7ZLBXBChFOC9f6kFjAqPhccnP6DxlWXx2lPk1C3G6",
                    new ArrayList<>());
        } else {
            throw new UsernameNotFoundException("User not found with username: " + username);
        }
    }
}

JwtAuthenticationController

使用 JwtAuthenticationController 公开 POST API /authenticate。POST API 在正文中获取用户名和密码 - 使用 Spring Authentication Manager 我们验证用户名和密码。如果凭据有效,则使用 JWTTokenUtil 创建 JWT 令牌并提供给客户端。

package com.javainuse.controller;
import java.util.Objects;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.ResponseEntity;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.DisabledException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.web.bind.annotation.CrossOrigin;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;
import com.javainuse.service.JwtUserDetailsService;
import com.javainuse.config.JwtTokenUtil;
import com.javainuse.model.JwtRequest;
import com.javainuse.model.JwtResponse;
@RestController
@CrossOrigin
public class JwtAuthenticationController {
    @Autowired
    private AuthenticationManager authenticationManager;
    @Autowired
    private JwtTokenUtil jwtTokenUtil;
    @Autowired
    private JwtUserDetailsService userDetailsService;
    @RequestMapping(value = "/authenticate", method = RequestMethod.POST)
    public ResponseEntity<?> createAuthenticationToken(@RequestBody JwtRequest authenticationRequest) throws Exception {
        authenticate(authenticationRequest.getUsername(), authenticationRequest.getPassword());
        final UserDetails userDetails = userDetailsService
                .loadUserByUsername(authenticationRequest.getUsername());
        final String token = jwtTokenUtil.generateToken(userDetails);
        return ResponseEntity.ok(new JwtResponse(token));
    }
    private void authenticate(String username, String password) throws Exception {
        try {
            authenticationManager.authenticate(new UsernamePasswordAuthenticationToken(username, password));
        } catch (DisabledException e) {
            throw new Exception("USER_DISABLED", e);
        } catch (BadCredentialsException e) {
            throw new Exception("INVALID_CREDENTIALS", e);
        }
    }
}

JwtRequest

这个类是存储我们从客户端收到的用户名和密码所必需的。

package com.javainuse.model;
import java.io.Serializable;
public class JwtRequest implements Serializable {
    private static final long serialVersionUID = 5926468583005150707L;

    private String username;
    private String password;

    //need default constructor for JSON Parsing
    public JwtRequest()
    {

    }
    public JwtRequest(String username, String password) {
        this.setUsername(username);
        this.setPassword(password);
    }
    public String getUsername() {
        return this.username;
    }
    public void setUsername(String username) {
        this.username = username;
    }
    public String getPassword() {
        return this.password;
    }
    public void setPassword(String password) {
        this.password = password;
    }
}

Jwt响应

这是创建包含要返回给用户的 JWT 的响应所必需的类。

package com.javainuse.model;
import java.io.Serializable;
public class JwtResponse implements Serializable {
    private static final long serialVersionUID = -8091879091924046844L;
    private final String jwttoken;
    public JwtResponse(String jwttoken) {
        this.jwttoken = jwttoken;
    }
    public String getToken() {
        return this.jwttoken;
    }
}

JwtRequestFilter

JwtRequestFilter 扩展了 Spring Web Filter OncePerRequestFilter 类。对于任何传入请求,都会执行此过滤器类。它检查请求是否具有有效的 JWT 令牌。如果它具有有效的 JWT 令牌,那么它会在上下文中设置 Authentication,以指定当前用户已通过身份验证。

package com.javainuse.config;
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;
import com.javainuse.service.JwtUserDetailsService;
import io.jsonwebtoken.ExpiredJwtException;
@Component
public class JwtRequestFilter extends OncePerRequestFilter {
    @Autowired
    private JwtUserDetailsService jwtUserDetailsService;
    @Autowired
    private JwtTokenUtil jwtTokenUtil;
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws ServletException, IOException {
        final String requestTokenHeader = request.getHeader("Authorization");
        String username = null;
        String jwtToken = null;
        // JWT Token is in the form "Bearer token". Remove Bearer word and get
        // only the Token
        if (requestTokenHeader != null && requestTokenHeader.startsWith("Bearer ")) {
            jwtToken = requestTokenHeader.substring(7);
            try {
                username = jwtTokenUtil.getUsernameFromToken(jwtToken);
            } catch (IllegalArgumentException e) {
                System.out.println("Unable to get JWT Token");
            } catch (ExpiredJwtException e) {
                System.out.println("JWT Token has expired");
            }
        } else {
            logger.warn("JWT Token does not begin with Bearer String");
        }
        // Once we get the token validate it.
        if (username != null && SecurityContextHolder.getContext().getAuthentication() == null) {
            UserDetails userDetails = this.jwtUserDetailsService.loadUserByUsername(username);
            // if token is valid configure Spring Security to manually set
            // authentication
            if (jwtTokenUtil.validateToken(jwtToken, userDetails)) {
                UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken = new UsernamePasswordAuthenticationToken(
                        userDetails, null, userDetails.getAuthorities());
                usernamePasswordAuthenticationToken
                        .setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
                // After setting the Authentication in the context, we specify
                // that the current user is authenticated. So it passes the
                // Spring Security Configurations successfully.
                SecurityContextHolder.getContext().setAuthentication(usernamePasswordAuthenticationToken);
            }
        }
        chain.doFilter(request, response);
    }
}

JwtAuthenticationEntryPoint

此类将扩展 Spring 的 AuthenticationEntryPoint 类并覆盖其方法开始。它拒绝每个未经身份验证的请求并发送错误代码 401

package com.javainuse.config;
import java.io.IOException;
import java.io.Serializable;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.stereotype.Component;
@Component
public class JwtAuthenticationEntryPoint implements AuthenticationEntryPoint, Serializable {
    private static final long serialVersionUID = -7858869558953243875L;
    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException authException) throws IOException {
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Unauthorized");
    }
}

网络安全配置

这个类扩展了 WebSecurityConfigurerAdapter 是一个方便类,它允许对 WebSecurity 和 HttpSecurity 进行自定义。

package com.javainuse.config;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired
    private JwtAuthenticationEntryPoint jwtAuthenticationEntryPoint;
    @Autowired
    private UserDetailsService jwtUserDetailsService;
    @Autowired
    private JwtRequestFilter jwtRequestFilter;
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        // configure AuthenticationManager so that it knows from where to load
        // user for matching credentials
        // Use BCryptPasswordEncoder
        auth.userDetailsService(jwtUserDetailsService).passwordEncoder(passwordEncoder());
    }
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }
    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        // We don't need CSRF for this example
        httpSecurity.csrf().disable()
                // dont authenticate this particular request
                .authorizeRequests().antMatchers("/authenticate").permitAll().
                // all other requests need to be authenticated
                anyRequest().authenticated().and().
                // make sure we use stateless session; session won't be used to
                // store user's state.
                exceptionHandling().authenticationEntryPoint(jwtAuthenticationEntryPoint).and().sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        // Add a filter to validate the tokens with every request
        httpSecurity.addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class);
    }
}

启动 Spring Boot 应用程序

  • 生成 JSON Web 令牌 -
  • 使用 url 创建一个 POST 请求localhost:8080/authenticate。正文应具有有效的用户名和密码。在我们的例子中,用户名是javainuse,密码是password

在此处输入图像描述

  • 验证 JSON Web 令牌
  • 尝试localhost:8080/hello在标头中使用上面生成的令牌访问 url,如下所示

在此处输入图像描述

于 2020-06-17T12:37:20.573 回答