1

I would like to develop a portal which contains some modules The portal and each module consume data provided by a webservice based on Jersey and secured with OAuth 1.0

For the moment I have almost implement the OAuth provider

A user can connect to the portal and access to a module

Each app or module has a specific access token to consume resource

What I want to do is to add a role implementation

For example for the module1, the user can have 2 roles (role1 and role2) but can't use the 2 roles in parallel

First the user uses the access (module1 / user1 / role1) and he will have a token and later the user uses the access (module1 / user1 / role2) and he will have an other token

Depending on the role, I would like to filter the request with a RolesAllowed annotation for example

I have read this article: http://objecthunter.congrace.de/tinybo/blog/articles/89

When the user is authenticated to the web service I could persist in a database the username, and the role used for the module and the RolesAllowedResourceFilterFactory could use the realm to check if the user is in the role and can access to the resource

But can I by-passed the auth method?

Anyway I really need your help to implement this role filter thing

I will try to give you more details if you need

Thanks

4

2 回答 2

1

Jersey oauth 过滤器根据使用的访问令牌设置安全上下文。您只需要确保您的 oauth 提供程序的自定义实现在使用各种角色调用时分配一个具有来自 isInRole() 方法的正确返回值的令牌。可以在令牌授权流程期间建立给定令牌的角色(例如,客户端可以使用自定义参数请求特定角色,该参数在请求请求令牌时传递给服务器(这在参数参数中传递给提供者。 newRequestToken() 方法)。

oauth 过滤器设置的安全上下文将在确定角色时委托给令牌 isInRole() 方法 - 而 RolesAllowedResourceFilterFactory 依赖于安全上下文。因此,如果 OAuthToken.isInRole() 返回正确的值,一切都应该按预期工作。你有什么问题吗?

于 2011-11-30T23:35:16.597 回答
0

我知道这是一个旧帖子,但我遇到了类似的问题。就我而言,我以与 Martin 描述的完全相同的方式解决了它。在令牌授权期间,我设置了允许的角色:

String verifier = provider.authorizeToken(token, sContext.getUserPrincipal(), roles);

其中提供者是@Context DefaultOAuthProvider,令牌是 DefaultOAuthProvider.Token,角色是一组角色,我想允许通过此令牌进行访问:

Set<String> roles = new HashSet<String>();
roles.add("someRole");

然后在我的服务中,我只使用 @Context SecurityContext 方法 isUserInRole("someRole") ,如果用户处于指定角色,则返回 true,否则返回 false:

if (sContext.isUserInRole("someRole")) {
     ....
}

希望它会帮助某人。

于 2014-03-17T14:29:37.173 回答