users@jersey.java.net

Re: [Jersey] Getting ready for 1.0.2 (WAS: Re: [Jersey] Extract ResourceDoclet from maven-wadl-plugin as new artifact)

From: Craig McClanahan <Craig.McClanahan_at_Sun.COM>
Date: Thu, 05 Feb 2009 09:10:55 -0800

Paul Sandoz wrote:
> On Feb 5, 2009, at 11:21 AM, Paul Sandoz wrote:
>>>> Craig, what do you think?
>>> That sounds really good ... I'll take it on (along with using
>>> resource specific filters).
>>
>> I just realized that, the way things are currently supported, you will
>> need to supply two injectable provider implementations for the per-request
>> and singleton scopes (where the latter injects a proxy), and there are
>> currently some ordering issues in that the latter cannot currently be
>> overridden by the user.
>>
>> Since this is something that seems highly desirable i am going to
>> tweak the ContainerRequest so that a SecurityContext implementation
>> can be set. That way the filter can do:
>>
>> request.setSecurityContext(...)
>>
>
> Fixed in the trunk. See below for a unit test exercising a very
> similar use-case.
>
This looks great. I will update the sample atom+abdera application to
use this approach.
> Paul.
Craig

>
> import com.sun.jersey.api.client.Client;
> import com.sun.jersey.api.client.ClientResponse;
> import com.sun.jersey.api.client.WebResource;
> import
> com.sun.jersey.api.container.filter.RolesAllowedResourceFilterFactory;
> import com.sun.jersey.api.core.ResourceConfig;
> import com.sun.jersey.spi.container.ContainerRequest;
> import com.sun.jersey.spi.container.ContainerRequestFilter;
> import java.security.Principal;
> import java.util.HashMap;
> import java.util.Map;
> import javax.annotation.security.RolesAllowed;
> import javax.ws.rs.GET;
> import javax.ws.rs.POST;
> import javax.ws.rs.Path;
> import javax.ws.rs.core.Context;
> import javax.ws.rs.core.SecurityContext;
> import javax.ws.rs.core.UriInfo;
>
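/**
 * Exercises {@link RolesAllowed} enforcement on a resource whose caller
 * identity is established by a {@link ContainerRequestFilter} that calls
 * {@code ContainerRequest.setSecurityContext(...)}.
 *
 * <p>The caller is identified solely by the {@code X-USER} request header.
 * That is a test fixture: the header is not verified in any way, so a real
 * deployment must derive the principal from an authenticated credential
 * rather than from a client-supplied header.
 *
 * @author Paul.Sandoz_at_Sun.Com
 */
public class RolesAllowedTest extends AbstractGrizzlyWebContainerTester {

    /** Request header that names the caller in this test. */
    static final String USER_HEADER = "X-USER";

    /** Name of the path template parameter declared on {@link Resource}. */
    static final String USER_PATH_PARAM = "user";

    /**
     * Request filter that installs a {@link SecurityContext} built from the
     * {@code X-USER} header of each request.
     */
    public static class SecurityFilter implements ContainerRequestFilter {

        @Context UriInfo ui;

        /**
         * Sets the request's security context from the {@code X-USER} header
         * and passes the request on unchanged otherwise.
         *
         * @param request the incoming request; mutated in place
         * @return the same request instance
         */
        public ContainerRequest filter(ContainerRequest request) {
            String user = request.getHeaderValue(USER_HEADER);
            request.setSecurityContext(new Authenticator(user));
            return request;
        }

        /**
         * Security context whose role membership is derived from the principal
         * name and the {@code {user}} path parameter of the matched request.
         * Deliberately a non-static inner class so it can read the injected
         * {@code ui} of the enclosing filter.
         */
        public class Authenticator implements SecurityContext {

            /** Caller principal, or {@code null} when no user name was supplied. */
            private final Principal p;

            /**
             * @param name value of the {@code X-USER} header, possibly {@code null}
             */
            Authenticator(final String name) {
                // A missing header means an anonymous caller: report no principal
                // at all rather than a Principal whose getName() returns null.
                if (name == null) {
                    p = null;
                } else {
                    p = new Principal() {
                        public String getName() {
                            return name;
                        }
                    };
                }
            }

            public Principal getUserPrincipal() {
                return p;
            }

            /**
             * Role rules: {@code "admin"} is held by the principal named
             * {@code "admin"}; {@code "user"} is held by {@code "admin"} and by a
             * principal whose name equals the {@code {user}} path parameter of the
             * request. Any other role, and any anonymous caller, is rejected.
             *
             * @param role role name from {@link RolesAllowed}; may be {@code null}
             * @return whether the caller holds {@code role}
             */
            public boolean isUserInRole(String role) {
                if (p == null) {
                    return false;
                }
                String name = p.getName();
                if ("user".equals(role)) {
                    if ("admin".equals(name)) {
                        return true;
                    }
                    // getFirst() returns null when the matched template has no
                    // {user} part, so compare null-safely instead of dereferencing.
                    String pathUser = ui.getPathParameters().getFirst(USER_PATH_PARAM);
                    return pathUser != null && pathUser.equals(name);
                } else if ("admin".equals(role)) {
                    return "admin".equals(name);
                }
                return false;
            }

            public boolean isSecure() {
                return false;
            }

            /** No real scheme is used; {@code null} signals an anonymous caller. */
            public String getAuthenticationScheme() {
                return p == null ? null : "";
            }
        }
    }

    /** Resource whose GET is open to role "user" and whose POST requires "admin". */
    @Path("/{user}")
    public static class Resource {
        @RolesAllowed("user")
        @GET
        public String get() { return "GET"; }

        @RolesAllowed("admin")
        @POST
        public String post(String content) { return content; }
    }

    public RolesAllowedTest(String testName) {
        super(testName);
    }

    /** Client handle for the server started in {@link #setUp()}. */
    WebResource r;

    /**
     * Starts a container with {@link SecurityFilter} as request filter and the
     * roles-allowed resource filter factory enabled, then creates a client.
     */
    @Override
    public void setUp() {
        Map<String, String> initParams = new HashMap<String, String>();
        initParams.put(ResourceConfig.PROPERTY_CONTAINER_REQUEST_FILTERS,
                SecurityFilter.class.getName());
        initParams.put(ResourceConfig.PROPERTY_RESOURCE_FILTER_FACTORIES,
                RolesAllowedResourceFilterFactory.class.getName());
        startServer(initParams, Resource.class);

        Client c = Client.create();
        r = c.resource(getUri().build());
    }

    public void testGetAsUser() {
        assertEquals("GET", r.path("foo").header(USER_HEADER, "foo").get(String.class));
    }

    public void testGetAsAdmin() {
        assertEquals("GET", r.path("foo").header(USER_HEADER, "admin").get(String.class));
    }

    /** A caller whose name differs from the {user} path segment is not in role "user". */
    public void testGetAsOtherUser() {
        ClientResponse cr = r.path("foo").header(USER_HEADER, "bar").get(ClientResponse.class);
        assertEquals(403, cr.getStatus());
    }

    /** Without the header the caller is anonymous and holds no role at all. */
    public void testGetAnonymous() {
        ClientResponse cr = r.path("foo").get(ClientResponse.class);
        assertEquals(403, cr.getStatus());
    }

    public void testPostAsUser() {
        ClientResponse cr = r.path("foo").header(USER_HEADER, "foo")
                .post(ClientResponse.class, "POST");
        assertEquals(403, cr.getStatus());
    }

    public void testPostAsAdmin() {
        assertEquals("POST", r.path("foo").header(USER_HEADER, "admin")
                .post(String.class, "POST"));
    }
}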
>