The author said I can create a filter similar to "SecurityContextFilter", as he explained. I don't know how to read the injected values in my custom annotation.
For example, for @MyAnnotation("username", "rolename"), how can I get the values of "username" and "rolename" in "MySecurityContextFilter"?
Can anyone show me an example? I hope I explained my question clearly enough. Thanks a lot!
Actually it's for authorization. For a request URI webservice/XXX/{userID}, it should only be accessible to an administrator or to the user itself (other roles: user, superuser, etc.).
So basically this filter will check whether the userID and the {userID} in the URI match, and the roles (user or superuser).
Yu Chen wrote:
Actually it's for authorization. For a request URI webservice/XXX/{userID}, it should only be accessible to an administrator or to the user itself (other roles: user, superuser, etc.).
That still does not explain why you want to hard-code usernames in an annotation.
No, I'm not going to hard-code it. The userid will be retrieved from the principal through the SecurityContext.
Actually I borrowed it from the webpage linked in the previous post.
"
You can inject the UriInfo to obtain the "username" path parameter.
Your annotation could declare the path parameter name that needs to be
checked, e.g.
@MyRolesChecker("username", "myole");
public String get() { ... }
"
For me, probably @MyAnnotation("rolename") will be enough. The userIDs will be retrieved from the principal and the URI.
Actually I don't know how to create the AuditFilter to read the "Audit" annotation values. I tried to figure it out from the tutorial, but still have no clue.
It's in the ResourceFilterFactory class, almost at the end: to every AbstractMethod (an object that goes with a resource method, from what I understand) it adds an AuditFilter if the method is annotated with "@Audit".
If you want a filter to do something about a particular annotation X that it is annotated with, or that one of its methods or fields is annotated with, then it would do it exactly as that example shows. No main method is required; that can happen in any method, or in the constructor. The "AnnotationTest" of the example would be the filter object and class itself.
If you want some external class (not a resource) to do something about a resource class being annotated, then the approach of a ResourceFilterFactory would work: it gets called for each resource filter, no matter what class it is. Obviously it needs to know which annotations to look out for, but that's a reasonable requirement; otherwise there's no way it could do whatever needs doing for each annotation.
2. in <3>
if (securityContext == null) {
// securityContext should be set up in constructor, but still null <3>
securityContext = request.getSecurityContext();
}
securityContext is declared as "private @Context"; it is supposed to be set up/initialized by Jersey after the constructor method. Why is it still null, and why do I have to call request.getSecurityContext()?
If you can give me some explanation, I would really appreciate it.
Does each method that has the @UserInRoleAllowed annotation have its own/separate UserInRoleSecurityContextFilter?
It needs to, the way this code works, since the list of allowed roles is encapsulated in the filter. Since each method can have a different set of roles, you need a different filter.
Why is am.getResource().getAnnotation() not working?
I'm sure it works fine; it just doesn't do what you think it does. Read the comments that go with the two different usages in the example you linked to; they explain the difference.
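The three points discussed above (a ResourceFilterFactory that attaches a filter to every annotated AbstractMethod, one filter instance per annotated method because the allowed roles live inside the filter, and the difference between am.getAnnotation() and am.getResource().getAnnotation()) put together in one Jersey 1.x example. This is added illustration code, not code from the thread, the tutorial or the Jersey project. The annotation name @UserInRoleAllowed, its roles/userParam attributes, the class names and the assumption that the authenticated Principal's name equals the {userID} path parameter are all assumptions made for the example.

```java
// Added example (not from the thread or the linked tutorial): a Jersey 1.x
// ResourceFilterFactory that reads a hypothetical @UserInRoleAllowed annotation
// and builds one request filter per annotated resource method.
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.security.Principal;
import java.util.Collections;
import java.util.List;

import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;

import com.sun.jersey.api.model.AbstractMethod;
import com.sun.jersey.spi.container.ContainerRequest;
import com.sun.jersey.spi.container.ContainerRequestFilter;
import com.sun.jersey.spi.container.ContainerResponseFilter;
import com.sun.jersey.spi.container.ResourceFilter;
import com.sun.jersey.spi.container.ResourceFilterFactory;

// Hypothetical annotation; attribute names are assumptions for this example.
// Usage on a resource method: @UserInRoleAllowed(roles = {"administrator", "superuser"})
// together with @GET @Path("{userID}").
@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.METHOD, ElementType.TYPE})
@interface UserInRoleAllowed {
    /** Roles that may call the method for any user's record. */
    String[] roles() default {};
    /** Name of the path parameter that carries the target user's id. */
    String userParam() default "userID";
}

public class UserInRoleFilterFactory implements ResourceFilterFactory {

    @Override
    public List<ResourceFilter> create(AbstractMethod am) {
        // am.getAnnotation() looks at the resource METHOD;
        // am.getResource().getAnnotation() looks at the resource CLASS.
        // Here the method-level annotation wins and the class-level one is a fallback.
        UserInRoleAllowed a = am.getAnnotation(UserInRoleAllowed.class);
        if (a == null) {
            a = am.getResource().getAnnotation(UserInRoleAllowed.class);
        }
        if (a == null) {
            return Collections.emptyList(); // unannotated method: no filter attached
        }
        // A separate filter instance per annotated method, because the role
        // list and parameter name are captured in the instance.
        return Collections.<ResourceFilter>singletonList(
                new UserInRoleFilter(a.roles(), a.userParam()));
    }

    private static class UserInRoleFilter implements ResourceFilter, ContainerRequestFilter {
        private final String[] roles;
        private final String userParam;

        UserInRoleFilter(String[] roles, String userParam) {
            this.roles = roles.clone();
            this.userParam = userParam;
        }

        @Override public ContainerRequestFilter getRequestFilter() { return this; }
        @Override public ContainerResponseFilter getResponseFilter() { return null; }

        @Override
        public ContainerRequest filter(ContainerRequest request) {
            // The filter is a plain object built by the factory, so it does not
            // rely on @Context field injection; the SecurityContext is read
            // from the ContainerRequest, which is populated by the time filters run.
            SecurityContext sc = request.getSecurityContext();
            Principal caller = sc.getUserPrincipal();
            if (caller == null) {
                throw new WebApplicationException(Response.Status.UNAUTHORIZED);
            }
            // Privileged roles may access any user's record.
            for (String role : roles) {
                if (sc.isUserInRole(role)) {
                    return request;
                }
            }
            // Everyone else may only access their own record: the {userID}
            // path parameter must equal the authenticated principal's name
            // (assumption: the principal name is the user id).
            String targetUser = request.getPathParameters().getFirst(userParam);
            if (targetUser != null && targetUser.equals(caller.getName())) {
                return request;
            }
            throw new WebApplicationException(Response.Status.FORBIDDEN);
        }
    }
}
```

The factory is registered in Jersey 1.x through the servlet init-param com.sun.jersey.spi.container.ResourceFilters, whose value is the fully qualified name of UserInRoleFilterFactory. Note the order of checks: an unauthenticated caller is rejected before any role or id comparison, the role check is done through SecurityContext.isUserInRole() rather than by trusting a role name from the request, and the "own record" branch compares against the principal supplied by the container, never against a value the client sends.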