问题
I've got a Jersey API that's protected by Shibboleth, an SSO implementation. Shibboleth puts the id of the logged-in user in a request attribute. On the back end, I'm using Shiro for authorization. Shiro would like to know the logged-in user so it can load up permissions.
What is the correct way to get that userId out of the request attribute and into Shiro? Right now, what I'm trying is:
@Provider
public final class ShiroLoginFilter implements ContainerRequestFilter {
@Context
private HttpServletRequest request;
@Override
public void filter(final ContainerRequestContext requestContext)
throws IOException {
final String userId = (String) this.request.getAttribute("nameid");
final Subject subject = SecurityUtils.getSubject();
subject.login(new LocusAuthenticationToken(userId));
}
}
Unfortunately, due to JERSEY-1960, I can't inject the request context into a filter. Every user needs to "login" in order to load permissions. I'd rather not have to repeat the login code in every method of the API. I am also not permitted to use a web.xml filter (by my boss). Do I have any good option here?
回答1:
You should also be able to obtain ServletRequest attributes directly from ContainerRequestContext via ContainerRequestContext#getProperty as described in the JavaDoc of the method:
In a Servlet container, the properties are synchronized with the
ServletRequestand expose all the attributes available in theServletRequest. Any modifications of the properties are also reflected in the set of properties of the associatedServletRequest.
Note: Injecting HttpServletRequest should work as expected since Jersey 2.4 (released in 10.2013).
来源:https://stackoverflow.com/questions/19691753/read-request-attribute-in-a-jersey-containerrequestfilter