java - Jersey client using an authenticated session -

-

in given moment in time authenticated session created.

i need create jersey client (post method) using authenticated session.

i've tried set jsessionid in jersey client doesn't recognize session.

    client client = client.create();      final string url = "http://localhost:8080/api/send";      webresource wr = client.resource(url);      javax.ws.rs.core.cookie cookie=new javax.ws.rs.core.cookie("jsessionid", "521448844j5we54d");     wr.cookie(cookie);      // set post parameters     formdatamultipart multipart = new formdatamultipart();     formdatabodypart fdp = new formdatabodypart("file", uploadedinputstream, mediatype.multipart_form_data_type);     multipart.bodypart(fdp);      string response = wr.type(mediatype.multipart_form_data_type).post(string.class, multipart);      system.out.println(response);

i've tried code below, in jersey client call first api authenticate session , try use same client object call api require auth session, didn't work.

    client client = client.create();      final string url = "http://localhost:8080/api/auth";      webresource wr = client.resource(url);       //set parametes request     multivaluedmap<string, string> queryparams = new multivaluedmapimpl();     queryparams.add("user", "admin");     queryparams.add("pass", "123456");     wr.queryparams(queryparams);      clientresponse response = wr.type(mediatype.multipart_form_data_type).post(clientresponse.class);      system.out.println(response.getcookies().tostring());      //------------------------------------------------------------      final string url2 = "http://localhost:8080/api/send";      webresource wr2 = client.resource(url2);      // set post parameters     formdatamultipart multipart = new formdatamultipart();      formdatabodypart fdp = new formdatabodypart("file", uploadedinputstream, mediatype.multipart_form_data_type);     multipart.bodypart(fdp);      string response2 = wr2.type(mediatype.multipart_form_data_type).post(string.class, multipart);      system.out.println(response2);

how can ? mean, how use authenticated jsessionid in new jersey client connection ?

regards.

i think best way use jwt user authorization.

i assuming have authenticated user via api endpoint. once user authenticated, can reply header element. can read more jwt @ https://jwt.io/introduction/

your implementation should following steps.

1) authenticate user , upon successful authentication, add "authorization: " token response.

2) in every api call, expect user pass authorization header each request , use filter authorize user parsing jwt token. may want @inject parser , make sure parser threadsafe.

3-a) if jwt token valid, let request pass through resource.

3-b) if jwt token invalid, reply wit http 401.

here sample implementation. 

import com.google.inject.inject; import com.nimbusds.jose.joseexception; import com.nimbusds.jose.proc.badjoseexception; import com.nimbusds.jose.proc.securitycontext; import com.nimbusds.jwt.jwt; import com.nimbusds.jwt.jwtclaimsset; import com.nimbusds.jwt.jwtparser; import com.nimbusds.jwt.proc.configurablejwtprocessor; import org.slf4j.logger; import org.slf4j.loggerfactory;  import javax.annotation.priority; import javax.ws.rs.priorities; import javax.ws.rs.webapplicationexception; import javax.ws.rs.container.containerrequestcontext; import javax.ws.rs.container.containerrequestfilter; import javax.ws.rs.container.prematching; import javax.ws.rs.core.multivaluedmap; import javax.ws.rs.core.response; import javax.ws.rs.ext.provider; import java.io.ioexception; import java.text.parseexception;   @prematching @priority(priorities.authentication) @provider @secured public class simpleauthorizationfilter implements containerrequestfilter {   static jwtparser jwtparser = null;   private static final logger logger = loggerfactory.getlogger(simpleauthorizationfilter.class);   @inject  private configurablejwtprocessor jwtprocessor;   public simpleauthorizationfilter() {   logger.debug("init {}", getclass().getname());  }   @override  public void filter(containerrequestcontext requestcontext) throws ioexception {    if (logger.isdebugenabled()) {    logger.debug("began authorization filter {}", requestcontext.geturiinfo().getpath());   }    multivaluedmap < string, string > headers = requestcontext.getheaders();    jwt jwt = null;    if (headers.containskey(accesstokens.authorization)) {     string accesstoken = headers.getfirst(accesstokens.authorization);      try {     jwt = jwtparser.parse(accesstoken);    } catch (parseexception parseexception) {     logger.error("unable parse jwt token {}, reason {}", requestcontext.geturiinfo().getpath(), parseexception.getmessage());     throw new webapplicationexception("unable parse jwt token", response.status.unauthorized);     }      // check if jwt has been init successfully.    if (jwt == null) {     logger.error("jwt null {}", requestcontext.geturiinfo().getpath());     throw new webapplicationexception("unable init jwt", response.status.unauthorized);    }      try {      if (jwt.getjwtclaimsset().getexpirationtime().before(new java.util.date())) {      logger.debug("jwt token expired on {}, requesting new token ", jwt.getjwtclaimsset().getexpirationtime().tostring());      } else {      // nothing, continue usual.     }     } catch (parseexception e) {     logger.error("authorization failed @ {} , due {}", requestcontext.geturiinfo().getpath(), e.getmessage());     throw new webapplicationexception("unable authorize " + e.getmessage(), response.status.unauthorized);    }      securitycontext ctx = null; // optional context parameter, not required here     jwtclaimsset claimsset = null;      try {     claimsset = jwtprocessor.process(accesstoken, ctx);    } catch (parseexception e) {     logger.error("authorization failed @ parseexception {} , due {}", requestcontext.geturiinfo().getpath(), e.getmessage());     throw new webapplicationexception("unable authorize " + e.getmessage(), response.status.unauthorized);    } catch (badjoseexception e) {     logger.error("authorization failed @ badjoseexception {} , due {}", requestcontext.geturiinfo().getpath(), e.getmessage());     throw new webapplicationexception("unable authorize " + e.getmessage(), response.status.unauthorized);    } catch (joseexception e) {     logger.error("authorization failed @ joseexception {} , due {}", requestcontext.geturiinfo().getpath(), e.getmessage());     throw new webapplicationexception("unable authorize " + e.getmessage(), response.status.unauthorized);    }      // should not have happened.    if (claimsset == null) {     logger.error("jwt claim null failed @ {} , due {}", requestcontext.geturiinfo().getpath());     throw new webapplicationexception("unable authorize", response.status.unauthorized);    }    } else {    logger.error("authorization header missing {}", requestcontext.geturiinfo().getpath());    throw new webapplicationexception("authorization header missing", response.status.unauthorized);   }    }  }

i created annotation @secured , resource method annotated @secured greeted first filter.

here annotation:

import javax.ws.rs.namebinding; import java.lang.annotation.retention; import java.lang.annotation.target;  import static java.lang.annotation.elementtype.method; import static java.lang.annotation.elementtype.type; import static java.lang.annotation.retentionpolicy.runtime;  @namebinding @retention(runtime) @target({type, method}) public @interface secured { }

then created dynamicfeature as:

import org.slf4j.logger; import org.slf4j.loggerfactory;  import javax.ws.rs.container.dynamicfeature; import javax.ws.rs.container.resourceinfo; import javax.ws.rs.core.featurecontext; import javax.ws.rs.ext.provider;  @provider public class resourcefilterbindingfeature implements dynamicfeature {      private static final logger logger = loggerfactory.getlogger(resourcefilterbindingfeature.class);      @override     public void configure(resourceinfo resourceinfo, featurecontext context) {         if (resourceinfo.getresourcemethod().isannotationpresent(secured.class)) {             logger.info("{} annotated secure method " , resourceinfo.getresourcemethod().getname() );             context.register(customauthorizationfilter.class);         }      } }

you need register above dyamicfeature in jersey as

register(simpleauthorizationfilter.class)

finally, here resource used test

import javax.annotation.security.rolesallowed; import javax.ws.rs.consumes; import javax.ws.rs.get; import javax.ws.rs.path; import javax.ws.rs.produces; import javax.ws.rs.core.mediatype; import javax.ws.rs.core.response;   @path("/authorizationtest") @consumes({mediatype.application_json}) @produces({mediatype.application_json}) public class authorizationtest {      @get     @path("/secure")     @secured     public response secure(){          return response.ok(mediatype.application_json).build();     }      @get     @path("/unsecure")     public response unsecure(){         return response.ok(mediatype.application_json).build();      }  }

hope helps.


Comments

Post a Comment

Popular posts from this blog

Fail to load namespace Spring Security http://www.springframework.org/security/tags -

-
i have problem namespace of spring security on xhtml page. don't understand why can't load uri, , have following issue: whitelabel error page application has no explicit mapping /error, seeing fallback. tue jul 21 16:58:12 utc 2015 there unexpected error (type=not found, status=404). please need help! possible uri has been changed? best regards you using incorrect namespace url. correct url http://www.springframework.org/schema/security the error page seeing spring source website since not recognize url. try visiting http://www.springsource.org/security/tags in browser update : spring security tags used in jsp page correct tag lib declaration is: <%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>
Read more

sql - MySQL query optimization using coalesce -

-
can explain me why second query faster first? (first 1 takes around 40 seconds, second 1 less 0.1) select releases.feature_code, releases.platform_id, version, release_date, general_available, uri, filesize, display_name, feature_name.full_name, if ((select exists(select 1 release_exceptions releases.feature_code = release_exceptions.feature_code , releases.platform_id = release_exceptions.platform_id , releases.version = release_exceptions.version) = 1), 1, 0) release_exceptions releases left outer join platform using(platform_id) left outer join feature_name using(feature_code) order version desc; ~~~ query 2 ------------------ ~~~ select feature_code, version, release_date, general_available, platform_id, uri, filesize, display_name, feature_name.full_name, coalesce(release_exceptions, 0) release_exceptions mus.releases left outer join ( select distinct feature_code, version, platform_id, 1 release_exceptions mus.release_exceptions ) release_exceptions using ...
Read more

unity3d - Unity local avoidance in user created world -

-
i'm using unity3d networked multiplayer online game have large complex 3d terrain scene forest, trees, cliff, hills, mountains, bounders, etc. players can build structures sort of minecraft, , put them anywhere in scene, or move them around anytime. aside human controlled players, there automated ai players , objects animals roaming around scene following path. the problem how make these automated ai players , animals, able navigate around static , dynamic player created structures, because path follow can blocked player created structures, or other players , other ai objects, cliffs etc. have find away around them or on track if tumble down off high cliff example. so made navmesh , used navagents, takes care of static, non moving objects, how make ai players navigate around each other , dynamic structures created players can number in hundreds? i thought of adding navmeshobstacle everything, result in being attached hundreds of objects since user created structures b...
Read more