Geek Answers Handbook

Embedding a principal in a resource method in RESTEasy with Guice

I am developing a REST API using RESTEasy with Guice, and at the moment I am trying to enable basic authentication using an annotation similar to @Auth found in Dropwizard. WITH

@Path("hello") public class HelloResource { @GET @Produces("application/json") public String hello(@Auth final Principal principal) { return principal.getUsername(); } }

the hello resource call must be intercepted by some code that performs basic authentication using the credentials provided in the header of the HTTP authorization request, and if the principal is successfully implemented in the main parameter of the method. I would also like to be able to pass the list of allowed roles to the annotation, for example. @Auth("admin") .

I really need advice, in which direction should I go in order to achieve this?

+6
source share
1 answer

I think your best bet would be to use an intermediate value in the query area. Assuming that you did not put HelloResource in a single-user area, you can enter this intermediate value in some implementation of ContainerRequestFilter and in your resource, and you can fill it inside this implementation of ContainerRequestFilter all the necessary information for authorization and authorization.

It will look something like this:

 // Authentication filter contains code which performs authentication // and possibly authorization based on the request @Provider public class AuthFilter implements ContainerRequestFilter { private final AuthInfo authInfo; @Inject AuthFilter(AuthInfo authInfo) { this.authInfo = authInfo; } @Override public void filter(ContainerRequestContext requestContext) throws IOException { // You can check request contents here and even abort the request completely // Fill authInfo with the data you need Principal principal = ...; // Ask some other service possibly authInfo.setPrincipal(principal); } } @Path("hello") public class HelloResource { private final AuthInfo authInfo; @Inject HelloResource(AuthInfo authInfo) { this.authInfo = authInfo; } @GET @Produces("application/json") public String hello() { // authInfo here will be pre-filled with the principal, assuming // you didn't abort the request in the filter return authInfo.getPrincipal().getUsername(); } } public class MainModule extends AbstractModule { @Override protected void configure() { bind(AuthFilter.class); bind(HelloResource.class); bind(AuthInfo.class).in(RequestScoped.class); } }

And even if for some reason you put a resource (or even a filter) in a single-window area, you can always enter Provider<AuthInfo> instead of AuthInfo .

Update

It seems that I was somewhat wrong that the default filter is not in a single area. In fact, it looks like a singleton, although it is not connected as such. It is created when the JAX-RS container starts. Therefore, you need to enter Provider<AuthInfo> in the filter. In fact, starting the container will fail if AuthInfo is entered into the filter directly, being associated with the scope request. The resource (unless it is explicitly attached as a singleton) will be fine with direct injection, though.

I downloaded the working program on github .

+7
source

More articles:


All Articles