Question
I have followed all the steps given in the answer by pandadb in the link below: How to Optionally Protect a Resource with Custom Dropwizard Filter
I added my custom annotation to the resource method, but the custom authorisation filter is not being called.
Can anyone tell me what I might have missed?
Update: I am using Dropwizard 1.0 with Java 8 and building the app using Maven.
Answer 1:
First of all, check this Dropwizard Feature example and Dropwizard Authorization. Then please provide more details: what you have done already and which Dropwizard version you are using.
After all, I have to guess what you have done already...
You have created your custom authorizer?
    public class YourCustomAuthorizer implements Authorizer<User> {
        @Override
        public boolean authorize(User user, String role) {
            return user.getName().equals("good-guy") && role.equals("ADMIN");
        }
    }
You have annotated your resource?
    @RolesAllowed("ADMIN")
    @GET
    public SecretPlan getSecretPlan(@Auth User user) {
        // @Auth injects the authenticated principal that the method body uses
        return dao.findPlanForUser(user);
    }
You registered the authentication and authorization classes in your application run method?
    @Override
    public void run(ExampleConfiguration configuration,
                    Environment environment) {
        environment.jersey().register(new AuthDynamicFeature(
                new BasicCredentialAuthFilter.Builder<User>()
                        .setAuthenticator(new YourCustomAuthenticator())
                        .setAuthorizer(new YourCustomAuthorizer())
                        .setRealm("SUPER SECRET STUFF")
                        .buildAuthFilter()));
        environment.jersey().register(RolesAllowedDynamicFeature.class);
        // If you want to use @Auth to inject a custom Principal type into your resource
        environment.jersey().register(new AuthValueFactoryProvider.Binder<>(User.class));
    }
If you have done this, it should work, if your authentication is done beforehand and is OK. If you want to authorize all GETs without authentication/authorization and authorize only POSTs for authenticated users, you can do this:
    // do not add any annotations here, and all users without authentication can do this GET
    // @RolesAllowed("ADMIN")
    // do not use '@Auth User user' in method params and do not annotate this method with '@Auth' if you want non-authenticated users to do the GET
    @GET
    public SecretPlan getSecretPlan() {
        return dao.findPlanForUser(user);
    }
    // here only authorized users can do HTTP POSTs
    @RolesAllowed("ADMIN")
    @POST
    public SecretPlan postSecretPlan(@Auth User user) {
        return dao.findPlanForUser(user);
    }
Another problem I had in the past was that I built my application with Ant and Ivy and not with Maven. This can cause several problems if done wrong.
If your problem is not solved, please provide more information than "It does not work, please help".
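A filter tied to a custom annotation is only invoked when a `DynamicFeature` that looks for that annotation is registered with Jersey and the annotation is retained at runtime. The following is an added example, not code from the question or from either answer; `RequiresAdmin`, `AdminOnlyFilter` and `AdminOnlyFeature` are hypothetical names, and it assumes the `javax.ws.rs` API shipped with Dropwizard 1.0 and an authentication filter (such as the `AuthDynamicFeature` registration above) that populates the security context.

```java
// Added example; RequiresAdmin, AdminOnlyFilter and AdminOnlyFeature are hypothetical names.
import java.io.IOException;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import javax.annotation.Priority;
import javax.ws.rs.ForbiddenException;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.DynamicFeature;
import javax.ws.rs.container.ResourceInfo;
import javax.ws.rs.core.FeatureContext;
import javax.ws.rs.core.SecurityContext;

// RUNTIME retention is required: the feature below reads the annotation by reflection.
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.METHOD)
@interface RequiresAdmin {}

// AUTHORIZATION priority makes this run after filters registered at Priorities.AUTHENTICATION.
@Priority(Priorities.AUTHORIZATION)
class AdminOnlyFilter implements ContainerRequestFilter {
    @Override
    public void filter(ContainerRequestContext ctx) throws IOException {
        SecurityContext sc = ctx.getSecurityContext();
        // Deny by default: a missing principal and a missing role both end in 403.
        if (sc.getUserPrincipal() == null || !sc.isUserInRole("ADMIN")) {
            throw new ForbiddenException("ADMIN role required");
        }
    }
}

// Jersey calls configure() once per resource method while building the application model.
public class AdminOnlyFeature implements DynamicFeature {
    @Override
    public void configure(ResourceInfo resourceInfo, FeatureContext context) {
        // Bind the filter only to annotated methods; all other methods stay unfiltered.
        if (resourceInfo.getResourceMethod().isAnnotationPresent(RequiresAdmin.class)) {
            context.register(AdminOnlyFilter.class);
        }
    }
}

// In Application#run: environment.jersey().register(AdminOnlyFeature.class);
// Without that registration configure() never runs, so the filter is never bound.
```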
Answer 2:
Since you edited your question after my other answer, I am posting a new answer now.
Read the Dropwizard documentation, as it says that:
Currently creating transactions with the @UnitOfWork annotation works out-of-box only for resources managed by Jersey. If you want to use it outside Jersey resources, e.g. in authenticators, you should instantiate your class with UnitOfWorkAwareProxyFactory.
    SessionDao dao = new SessionDao(hibernateBundle.getSessionFactory());
    ExampleAuthenticator exampleAuthenticator = new UnitOfWorkAwareProxyFactory(hibernateBundle)
            .create(ExampleAuthenticator.class, SessionDao.class, dao);
Source: https://stackoverflow.com/questions/39140506/dropwizard-customauthorizationfilter-with-dynamicfeature