我試圖適應這個優秀的stormpath帖子布賴恩德默斯 - https://stormpath.com/blog/protecting-jax-rs-resources-rbac-apache-shiro - 爲了我自己的目的,迄今爲止它工作得很好 - 除了現在我想爲用戶添加stormpath /角色管理,而不是讓用戶進入shiro-ini文件。使用shiro與stormpath爲jax-rs rbac
我使用Apache四郎四郎-JAXRS 1.4.0-RC,以確保使用JAXRS一個REST端點。它工作正常。我能夠選擇性地使用固定端點@RequiresPermissions標籤,像這樣:
@Path("/scan")
@Produces("application/json")
public class ScanService {
final static Logger logger = Logger.getLogger(ScanService.class);
@GET
@Path("/gettest")
@RequiresPermissions("troopers:read")
public List<Barcode> gettest() throws Exception {
ArrayList<Barcode> listofstrings = new ArrayList<Barcode>();
Barcode b = new Barcode();
b.setBarcode("this is a big barcode");
listofstrings.add(b);
return listofstrings;
}
@GET
@Produces(MediaType.APPLICATION_JSON )
@Path("/gettest2")
public List<Barcode> gettest2() throws Exception {
ArrayList<Barcode> listofstrings = new ArrayList<Barcode>();
Barcode b = new Barcode();
b.setBarcode("this is a BIGGER barcode");
listofstrings.add(b);
return listofstrings;
}
我也有一個應用程序類,加入我的資源和ShiroFeature類,像這樣:
package ca.odell.erbscan;
import ca.odell.erbscan.ws.ScanService;
import javax.ws.rs.ApplicationPath;
import javax.ws.rs.core.Application;
import java.util.HashSet;
import java.util.Set;
import org.apache.shiro.web.jaxrs.ShiroFeature;
import com.stormpath.shiro.jaxrs.StormpathShiroFeature;
@ApplicationPath("/")
public class ERBApplication extends Application {
@Override
public Set<Class<?>> getClasses() {
Set<Class<?>> classes = new HashSet<Class<?>>();
// register Shiro
classes.add(ShiroFeature.class);
// register resources
classes.add(ScanService.class);
return classes;
}
}
和我web.xml中的init我的應用程序類,像這樣:
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" id="WebApp_ID" version="3.0">
<display-name>ERBSCAN</display-name>
<servlet>
<servlet-name>ERBRest</servlet-name>
<servlet-class>org.glassfish.jersey.servlet.ServletContainer</servlet-class>
<init-param>
<param-name>jersey.config.server.provider.packages</param-name>
<param-value>ca.odell.erbscan</param-value>
</init-param>
<init-param>
<param-name>javax.ws.rs.Application</param-name>
<param-value>ca.odell.erbscan.ERBApplication</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>ERBRest</servlet-name>
<url-pattern>/rest/*</url-pattern>
</servlet-mapping>
<listener>
<listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
</listener>
<filter>
<filter-name>ShiroFilter</filter-name>
<filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>ShiroFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
<dispatcher>INCLUDE</dispatcher>
<dispatcher>ERROR</dispatcher>
</filter-mapping>
</web-app>
最後我shiro.ini
[main]
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager
securityManager.sessionManager.sessionIdCookieEnabled = false
securityManager.sessionManager.sessionIdUrlRewritingEnabled = false
[urls]
/** = noSessionCreation, authcBasic[permissive]
[users]
# format: username = password, role1, role2, ..., roleN
root = secret,admin
emperor = secret,admin
officer = secret,officer
guest = secret
[roles]
admin = *
officer = troopers:create, troopers:read, troopers:update
接下來我要做的是爲RBAC添加Stormpath,而不是讓用戶和角色在文件中。我的感覺是,有一個簡單的方法可以做到這一點,而且我正在推翻它。
我認爲這將是我的shiro.ini加入一個相當簡單的方式:
stormpathClient = com.stormpath.shiro.client.ClientFactory
stormpathClient.cacheManager = $cacheManager
stormpath.application.href=http://....
但是我錯了。有人能指出我正確的方向嗎?