users@jersey.java.net

Re: [Jersey] Getting ready for 1.0.2 (WAS: Re: [Jersey] Extract ResourceDoclet from maven-wadl-plugin as new artifact)

From: Paul Sandoz <Paul.Sandoz_at_Sun.COM>
Date: Thu, 05 Feb 2009 13:25:11 +0100

On Feb 5, 2009, at 11:21 AM, Paul Sandoz wrote:
>>> Craig, what do you think?
>> That sounds really good ... I'll take it on (along with using
>> resource specific filters).
>
> I just realized that the way things are currently supported you will
> need supply two injectable provider implements for the per request
> and singleton scope (where the latter injects a proxy) and there are
> currently some ordering issues in that the latter cannot currently
> be overridden by the user.
>
> Since this is something that seems highly desirable i am going to
> tweak the ContainerRequest so that a SecurityContext implementation
> can be set. That way the filter can do:
>
> request.setSecurityContext(...)
>

Fixed in the trunk. See below for a unit test exercising a very
similar use-case.

Paul.

import com.sun.jersey.api.client.Client;
import com.sun.jersey.api.client.ClientResponse;
import com.sun.jersey.api.client.WebResource;
import
com.sun.jersey.api.container.filter.RolesAllowedResourceFilterFactory;
import com.sun.jersey.api.core.ResourceConfig;
import com.sun.jersey.spi.container.ContainerRequest;
import com.sun.jersey.spi.container.ContainerRequestFilter;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.core.UriInfo;

/**
  *
  * @author Paul.Sandoz_at_Sun.Com
  */
public class RolesAllowedTest extends
AbstractGrizzlyWebContainerTester {

     public static class SecurityFilter implements
ContainerRequestFilter {

         @Context UriInfo ui;

         public ContainerRequest filter(ContainerRequest request) {
             String user = request.getHeaderValue("X-USER");
             request.setSecurityContext(new Authenticator(user));
             return request;
         }

         //

         public class Authenticator implements SecurityContext {
             private Principal p;

             Authenticator(final String name) {
                 p = new Principal() {
                     public String getName() {
                         return name;
                     }
                 };
             }

             public Principal getUserPrincipal() {
                 return p;
             }

             public boolean isUserInRole(String role) {
                 if (role.equals("user")) {
                     if ("admin".equals(p.getName()))
                         return true;

                     String user =
ui.getPathParameters().getFirst(role);
                     return user.equals(p.getName());
                 } else if (role.equals("admin")) {
                     return role.equals(p.getName());
                 } else {
                     return false;
                 }
             }

             public boolean isSecure() {
                 return false;
             }

             public String getAuthenticationScheme() {
                 return "";
             }
         }
     }

     @Path("/{user}")
     public static class Resource {
         @RolesAllowed("user")
         @GET
         public String get() { return "GET"; }

         @RolesAllowed("admin")
         @POST
         public String post(String content) { return content; }
     }

     public RolesAllowedTest(String testName) {
         super(testName);
     }

     WebResource r;

     @Override
     public void setUp() {
         Map<String, String> initParams = new HashMap<String, String>();
          
initParams.put(ResourceConfig.PROPERTY_CONTAINER_REQUEST_FILTERS,
                 SecurityFilter.class.getName());
          
initParams.put(ResourceConfig.PROPERTY_RESOURCE_FILTER_FACTORIES,
                 RolesAllowedResourceFilterFactory.class.getName());
         startServer(initParams, Resource.class);

         Client c = Client.create();
         r = c.resource(getUri().build());
     }

     public void testGetAsUser() {
         assertEquals("GET", r.path("foo").header("X-USER",
"foo").get(String.class));
     }

     public void testGetAsAdmin() {
         assertEquals("GET", r.path("foo").header("X-USER",
"admin").get(String.class));
     }

     public void testPostAsUser() {
         ClientResponse cr = r.path("foo").header("X-USER",
"foo").post(ClientResponse.class, "POST");
         assertEquals(403, cr.getStatus());
     }

     public void testPostAsAdmin() {
         assertEquals("POST", r.path("foo").header("X-USER",
"admin").post(String.class, "POST"));
     }
}
© Oracle | By contributing to this project, you are agreeing to the terms of use described here.