HTTP基本セキュリティを使用したJersey Rest Service

Question

Weblogic 12cで実行中のJerseyを使用してHTTP基本認証を取得する方法を調べるのに、ほぼ4日間を費やしました。

私は私が欲しいものについて非常に接近しているこれらのチュートリアルを発見した：

http://www.codingpedia.org/ama/how-to-secure-jersey-rest-services-with-spring-security-and-basic-authentication/

https://github.com/JohnathanMarkSmith/springmvc-rest-secured-test

私は、WebLogic 12cは使用しています、これらは私の春のXMLセキュリティです：

<?xml version="1.0" encoding="UTF-8"?> 
<beans:beans xmlns="http://www.springframework.org/schema/security" 
      xmlns:beans="http://www.springframework.org/schema/beans" 
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
      xsi:schemaLocation="http://www.springframework.org/schema/beans 
         http://www.springframework.org/schema/beans/spring-beans-3.2.xsd 
         http://www.springframework.org/schema/security 
         http://www.springframework.org/schema/security/spring-security-3.2.xsd"> 

    <global-method-security pre-post-annotations="enabled"/> 

    <!-- Stateless RESTful services use BASIC authentication --> 
    <http create-session="stateless"      
        pattern="/rest/**" 
        authentication-manager-ref="myAuthenticationManager"> 
     <intercept-url pattern="/rest/**" access="ROLE_REST"/> 
     <http-basic/> 
    </http> 

    <authentication-manager alias="myAuthenticationManager"> 
     <authentication-provider ref="myAuthenticationProvider">  
     </authentication-provider> 
    </authentication-manager> 



    <beans:bean id="myAuthenticationProvider" 
       class="com.siman.store.mobile.service.security.AuthLdapSiman" /> 

</beans:beans> 

web.xml

<?xml version="1.0" encoding="UTF-8"?> 
<web-app version="2.5" 
     xmlns="http://java.sun.com/xml/ns/javaee" 
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
     xsi:schemaLocation="http://java.sun.com/xml/ns/javaee 
    http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"> 



    <servlet> 
     <servlet-name>jersey-serlvet</servlet-name> 
     <servlet-class> 
      com.sun.jersey.spi.container.servlet.ServletContainer 
     </servlet-class> 
     <!-- Paquete en el que estan servicios --> 
     <init-param> 
      <param-name>com.sun.jersey.config.property.packages</param-name> 
      <param-value>com.siman.rms.ipow.web.service.rest</param-value> 
     </init-param> 
     <init-param> 
      <param-name>com.sun.jersey.api.json.POJOMappingFeature</param-name> 
      <param-value>true</param-value> 
     </init-param> 
     <load-on-startup>1</load-on-startup> 
    </servlet> 

    <servlet-mapping> 
     <servlet-name>jersey-serlvet</servlet-name> 
     <url-pattern>/rest/*</url-pattern> 
    </servlet-mapping> 


</web-app> 

のpom.xml

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
     xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> 
    <modelVersion>4.0.0</modelVersion> 

    <groupId>com.siman.rms.ipow</groupId> 
    <artifactId>rms-ipow-service</artifactId> 
    <version>1.0.0</version> 
    <packaging>war</packaging> 

    <name>rms-ipow-service</name> 


    <properties> 
     <endorsed.dir>${project.build.directory}/endorsed</endorsed.dir> 
    </properties> 

    <dependencies> 
     <dependency> 
      <groupId>javax</groupId> 
      <artifactId>javaee-web-api</artifactId> 
      <version>6.0</version> 
      <scope>provided</scope> 
     </dependency> 

     <dependency> 
      <groupId>log4j</groupId> 
      <artifactId>log4j</artifactId> 
      <version>1.2.16</version> 
     </dependency> 

     <dependency> 
      <groupId>com.sun.jersey</groupId> 
      <artifactId>jersey-server</artifactId> 
      <version>1.19</version> 
     </dependency> 

     <dependency> 
      <groupId>com.sun.jersey</groupId> 
      <artifactId>jersey-json</artifactId> 
      <version>1.8</version> 
     </dependency> 


    </dependencies> 

    <build> 
     <plugins> 
      <plugin> 
       <groupId>org.apache.maven.plugins</groupId> 
       <artifactId>maven-compiler-plugin</artifactId> 
       <version>2.3.2</version> 
       <configuration> 
        <source>1.6</source> 
        <target>1.6</target> 
        <compilerArguments> 
         <endorseddirs>${endorsed.dir}</endorseddirs> 
        </compilerArguments> 
       </configuration> 
      </plugin> 
      <plugin> 
       <groupId>org.apache.maven.plugins</groupId> 
       <artifactId>maven-ejb-plugin</artifactId> 
       <version>2.3</version> 
       <configuration> 
        <ejbVersion>3.1</ejbVersion> 
        <clientIncludes> 
         <archive>log4j.properties</archive> 
        </clientIncludes> 
       </configuration> 
      </plugin> 

      <plugin> 
       <groupId>org.apache.maven.plugins</groupId> 
       <artifactId>maven-dependency-plugin</artifactId> 
       <version>2.1</version> 
       <executions> 
        <execution> 
         <phase>validate</phase> 
         <goals> 
          <goal>copy</goal> 
         </goals> 
         <configuration> 
          <outputDirectory>${endorsed.dir}</outputDirectory> 
          <silent>true</silent> 
          <artifactItems> 
           <artifactItem> 
            <groupId>javax</groupId> 
            <artifactId>javaee-endorsed-api</artifactId> 
            <version>6.0</version> 
            <type>jar</type> 
           </artifactItem> 
          </artifactItems> 
         </configuration> 
        </execution> 
       </executions> 
      </plugin> 

     </plugins> 
    </build> 

</project> 

設定は、少なくともそれが動作しているが、私は、なぜ私はgithubのにmantionedている例をテストしてきた「認証プロバイダ」を動作していないかわからない

プロジェクトですが、それはtomcatで実行されています。

私は、ブラウザでURLをテストし

：

http://localhost:7003/store-mobile-service/rest/some

が、それはHTTP認証ダイアログを促し、それが形に私が与えるユーザーを取っていない、ログが表示されます。

2016-06-28 11:18:14 DEBUG AntPathRequestMatcher:145 - Checking match of request : '/rest/some'; against '/rest/**' 
2016-06-28 11:18:14 DEBUG FilterChainProxy:337 - /rest/some at position 1 of 7 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter' 
2016-06-28 11:18:14 DEBUG FilterChainProxy:337 - /rest/some at position 2 of 7 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter' 
2016-06-28 11:18:14 DEBUG FilterChainProxy:337 - /rest/some at position 3 of 7 in additional filter chain; firing Filter: 'BasicAuthenticationFilter' 
2016-06-28 11:18:14 DEBUG FilterChainProxy:337 - /rest/some at position 4 of 7 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter' 
2016-06-28 11:18:14 DEBUG FilterChainProxy:337 - /rest/some at position 5 of 7 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter' 
2016-06-28 11:18:14 DEBUG AnonymousAuthenticationFilter:102 - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@6faa3d44: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffff4c9c: RemoteIpAddress: 192.168.24.79; SessionId: null; Granted Authorities: ROLE_ANONYMOUS' 
2016-06-28 11:18:14 DEBUG FilterChainProxy:337 - /rest/some at position 6 of 7 in additional filter chain; firing Filter: 'ExceptionTranslationFilter' 
2016-06-28 11:18:14 DEBUG FilterChainProxy:337 - /rest/some at position 7 of 7 in additional filter chain; firing Filter: 'FilterSecurityInterceptor' 
2016-06-28 11:18:14 DEBUG AntPathRequestMatcher:145 - Checking match of request : '/rest/some'; against '/rest/**' 
2016-06-28 11:18:14 DEBUG FilterSecurityInterceptor:194 - Secure object: FilterInvocation: URL: /rest/some; Attributes: [ROLE_REST] 
2016-06-28 11:18:14 DEBUG FilterSecurityInterceptor:310 - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@6faa3d44: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffff4c9c: RemoteIpAddress: 192.168.24.79; SessionId: null; Granted Authorities: ROLE_ANONYMOUS 
2016-06-28 11:18:14 DEBUG AffirmativeBased:65 - Voter: org.springframework.security.access.vote.RoleVoter@52d222cf, returned: -1 
2016-06-28 11:18:14 DEBUG AffirmativeBased:65 - Voter: org.springframework.security.access.vote.AuthenticatedVoter@a0cdfde, returned: 0 
2016-06-28 11:18:14 DEBUG ExceptionTranslationFilter:165 - Access is denied (user is anonymous); redirecting to authentication entry point 
org.springframework.security.access.AccessDeniedException: Access is denied 
    at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83) 
    at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:206) 
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:115) 
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84) 
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) 
    at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113) 
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) 
    at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113) 
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) 
    at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:154) 
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) 
    at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:150) 
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) 
    at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50) 
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) 
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) 
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87) 
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) 
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192) 
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160) 
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346) 
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259) 
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:79) 
    at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3367) 
    at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3333) 
    at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321) 
    at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120) 
    at weblogic.servlet.provider.WlsSubjectHandle.run(WlsSubjectHandle.java:57) 
    at weblogic.servlet.internal.WebAppServletContext.doSecuredExecute(WebAppServletContext.java:2220) 
    at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2146) 
    at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2124) 
    at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1564) 
    at weblogic.servlet.provider.ContainerSupportProviderImpl$WlsRequestExecutor.run(ContainerSupportProviderImpl.java:254) 
    at weblogic.work.ExecuteThread.execute(ExecuteThread.java:295) 
    at weblogic.work.ExecuteThread.run(ExecuteThread.java:254) 
2016-06-28 11:18:14 DEBUG ExceptionTranslationFilter:185 - Calling Authentication entry point. 
2016-06-28 11:18:14 DEBUG SecurityContextPersistenceFilter:97 - SecurityContextHolder now cleared, as request processing completed 

Answer 1

私も同じ問題を抱えています。クライアントをどのように設定したかに応じて、クライアントを動作させることができました。

非作業バージョン：答えて他人のために

Client client = ClientBuilder.newClient(cc); 
    Response response = client.target(baseurl) 
      .path(targetUrl) 
      .request() 
      .property(org.glassfish.jersey.client.authentication.HttpAuthenticationFeature.HTTP_AUTHENTICATION_BASIC_USERNAME, USER) 
      .property(org.glassfish.jersey.client.authentication.HttpAuthenticationFeature.HTTP_AUTHENTICATION_BASIC_PASSWORD, PASS) 
      .accept(MediaType.APPLICATION_JSON) 
      .get(); 

ワーキングバージョン

HttpAuthenticationFeature f = HttpAuthenticationFeature 
                .basicBuilder() 
                .nonPreemptive() 
                .credentials(USER, PASS) 
                .build(); 
     ClientConfig cc = new ClientConfig(); 
     cc.register(f); 

     client = ClientBuilder.newClient(cc); 
     Response response = client.target(baseurl).path(targetUrl).request().accept(MediaType.APPLICATION_JSON) 
       .get(); 

。私はいくつかの質問があります。

1. なぜ匿名認証チェーンが起動しますか？
2. 匿名フィルタチェーンを無効にするにはどうすればよいですか？