Question
I have a webapp which has JSPs. I am not using any Struts or MVC framework. We have a JAX-RS service built using Apache CXF.
Now I want to do the following:
- Allow the user to log in with username and password.
- For all subsequent calls to the web service, the same authentication info should be used.
- The logged-in user has some details (profile photo, full name), which I want to keep constant across the session.
- Also, its roles are defined. Based on the role(s), only certain JAX-RS calls will be allowed.
- Roles are also used in JSPs to restrict access to functionality.
- Web services can be accessed from outside, so authentication and authorization info should be used.
As far as I understand, we should not use the session in JAX-RS services. What is the best way to handle the above situation?
Answer 1:
The best way depends on how you estimate it. My way of doing this is to
- Run Rest service and JSP on the same instance
- Use web.xml and CXF to set up the security policy, which allows user/pw authentication and authorization, with ROLES bound to both JAX-RS URLs and JSP URLs.
- Based on 2, jax-rs services can be called directly outside, but user/pw is required as you specified.
Hope this can help you a bit.
Answer 2:
Think of CXF security validation as any other HTTP or HTTPS validation: you have to intercept the request and pass it to the REST service. You can use any of the tools like SiteMinder, or else write a CXF interceptor to do your own security validation. In the interceptor you can call an SSO-style token generator server in case you have the infrastructure, or call the DB if your architecture is built that way. You can use caching to reduce the resource hits and can look at a custom or Hibernate cache. Enabling HTTPS has to be done in the server configuration. If you have a certificate, you can use the same; else you can generate your own using OpenSSL.
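The interceptor both answers describe, as an added example that is not code from the question or either answer. It uses the standard JAX-RS 2.0 `ContainerRequestFilter` API (which CXF 3.x implements) instead of a CXF-specific `AbstractPhaseInterceptor`; the class name `BasicAuthFilter`, the user table, the salt and the URL-prefix-to-role table are all constructed for the example. The prefix table does in code what Answer 1 binds with `url-pattern` and `auth-constraint` in web.xml, so external callers must send credentials on every call and no HTTP session is involved, and the resulting `SecurityContext` is what a resource method reads through `@Context SecurityContext` and `isUserInRole()`.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;

/** Hypothetical filter: HTTP Basic authentication plus per-URL-prefix roles on every JAX-RS call, no HTTP session. */
@Provider
@Priority(Priorities.AUTHENTICATION)
public class BasicAuthFilter implements ContainerRequestFilter {
    // Constructed sample user store. A real deployment reads users, hashes and roles from a DB or LDAP,
    // with a per-user salt and a slow hash (PBKDF2, bcrypt); the single fixed salt here keeps the demo short.
    private static final byte[] SALT = "constructed-demo-salt".getBytes(StandardCharsets.UTF_8);
    private static final Map<String, byte[]> PASSWORD_HASHES = new HashMap<>();
    private static final Map<String, Set<String>> USER_ROLES = new HashMap<>();
    // URL prefix -> roles allowed: the code equivalent of a web.xml url-pattern plus auth-constraint.
    private static final Map<String, Set<String>> PATH_ROLES = new HashMap<>();
    static {
        PASSWORD_HASHES.put("alice", hash("alice-secret"));
        USER_ROLES.put("alice", new HashSet<>(Arrays.asList("admin", "user")));
        PATH_ROLES.put("admin/", new HashSet<>(Arrays.asList("admin")));
        PATH_ROLES.put("profile/", new HashSet<>(Arrays.asList("user", "admin")));
    }

    @Override
    public void filter(ContainerRequestContext ctx) {
        String user = authenticate(ctx.getHeaderString("Authorization"));
        if (user == null) {
            // Challenge rather than fall back to a session: each call must carry its own credentials.
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                    .header("WWW-Authenticate", "Basic realm=\"api\"").build());
            return;
        }
        Set<String> roles = USER_ROLES.get(user);
        if (!isAllowed(ctx.getUriInfo().getPath(), roles)) {
            ctx.abortWith(Response.status(Response.Status.FORBIDDEN).build());
            return;
        }
        // Resources read the identity through @Context SecurityContext and isUserInRole().
        ctx.setSecurityContext(new RoleSecurityContext(user, roles, ctx.getSecurityContext().isSecure()));
    }

    /** Returns the authenticated username, or null when the header is missing, malformed or wrong. */
    static String authenticate(String header) {
        if (header == null || !header.startsWith("Basic ")) return null;
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(header.substring(6)), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return null;
        }
        int colon = decoded.indexOf(':');
        if (colon < 0) return null;
        String name = decoded.substring(0, colon);
        byte[] expected = PASSWORD_HASHES.get(name);
        if (expected == null) return null;
        // Constant-time comparison so response timing does not leak how much of the hash matched.
        return MessageDigest.isEqual(expected, hash(decoded.substring(colon + 1))) ? name : null;
    }

    /** Allowed when no prefix rule matches the path, or the user holds one of the roles the rule lists. */
    static boolean isAllowed(String path, Set<String> roles) {
        for (Map.Entry<String, Set<String>> rule : PATH_ROLES.entrySet())
            if (path.startsWith(rule.getKey())) return !Collections.disjoint(rule.getValue(), roles);
        return true;
    }

    static byte[] hash(String password) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(SALT);
            return md.digest(password.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    /** SecurityContext that carries the user and roles for the rest of this request. */
    static final class RoleSecurityContext implements SecurityContext {
        private final String name; private final Set<String> roles; private final boolean secure;
        RoleSecurityContext(String name, Set<String> roles, boolean secure) { this.name = name; this.roles = roles; this.secure = secure; }
        @Override public Principal getUserPrincipal() { return () -> name; }
        @Override public boolean isUserInRole(String role) { return roles.contains(role); }
        @Override public boolean isSecure() { return secure; }
        @Override public String getAuthenticationScheme() { return SecurityContext.BASIC_AUTH; }
    }
}
```

Register the class as a JAX-RS provider on the CXF endpoint and it runs before every resource method. Because Basic credentials travel in clear text inside the request, the HTTPS setup Answer 2 mentions is what actually protects them; `isSecure()` reflects whether the container received the call over TLS. The JSP side still needs its own role checks (the web.xml constraints from Answer 1), since this filter only sees JAX-RS requests.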
Source: https://stackoverflow.com/questions/11343996/handle-authentication-and-authorization-in-jax-rs-webservice-with-cxf