英文:
Quarkus Annotation-Based Interceptor with Non-Optional Arguments
问题
这似乎是一个热门话题,基于提出的问题数量,但是我尚未找到我正在寻找的答案。我想在我的 Quarkus 应用中实现一个简单的授权服务,但我似乎一遍又一遍地重复着代码。
基本上,我从授权 HTTP 标头中获取 JWT,然后检查其中提供的角色是否足以访问我的终端点:
public void someApiCall(@Context HttpHeaders headers) {
authService.validate(ApiToken.SOME_API_CALL, headers); // 未经授权时抛出异常
//…
}
现在,我认为这看起来很笨拙,我不喜欢我需要为每个单独的 Http 终端点添加的额外参数。我已经研究了一些关于 AOP 的资料,并且知道如何添加一个拦截器,该拦截器可以通过一个注解验证 Http 标头,该注解将应用于我的方法:
@Authorize
public void someApiCall(/*…*/) { /*…*/ }
问题是,我不知道如何将参数传递到此注解中,以指定所需的角色。我想要类似这样的东西:
@Authorize(UserRole.SYSADMIN)
这似乎非常简单,但我无法弄清楚。在下面,您将找到拦截器和注解类(当然缺少所需的角色):
Authorize.java
@Retention(value=RUNTIME)
@Target(value=METHOD)
public @interface Authorize {}
AuthorizeInterceptor.java
@Interceptor
@Priority(3000)
@Authorize
public class AuthorizeInterceptor {
@Inject
AuthorizationService authService;
@AroundInvoke
public void validateRole(InvokationContext ctx) {
authService.validate(ApiToken.ALL, ((RestEndpoint)ctx.getTarget()).getHttpHeaders());
}
}
RestEndpoint.java
public class RestEndpoint {
@Context
HttpHeaders headers;
public HttpHeaders getHttpHeaders() { return headers; }
}
SomeResource.java
public class SomeResource extends RestEndpoint {
@GET
@Authorize
public Object someApiCall() {
/* 直接编写代码 */
}
}
因此,总之,在我写 @Authorize 的地方,我想要写成 @Authorize(UserRole.SOME_ROLE)。提前谢谢!
英文:
This seems to be a hot topic based on the amount of questions asked but I have not found the answer I am looking for just yet. I want to implement a simple authorization service in my Quarkus app, but I seem to be repeating code over and over again.
Basically, I take in the JWT from the Authorization Http header and check if the role supplied in it is sufficient to access my endpoint:
public void someApiCall(@Context HttpHeaders headers) {
authService.validate(ApiToken.SOME_API_CALL, headers); // Throws an exception when unauthorized
//…
}
Now, I think this looks really clunky and I do not like the additional parameter that I need for every single Http endpoint. I have done some research into AOP and know how to add an interceptor which could validate the Http headers through an annotation which would be applied to my method:
@Authorize
public void someApiCall(/*…*/) { /*…*/ }
The issue is, I do not know how to pass in arguments into this annotation to specify the required role. I want something like this:
@Authorize(UserRole.SYSADMIN)
This seems pretty simple but I cannot figure it out. Below you will find the interceptor and annotation classes (Missing the required role of course):
Authorize.java
@Retention(value=RUNTIME)
@Target(value=METHOD)
public @interface Authorize {}
AuthorizeInterceptor.java
@Interceptor
@Priority(3000)
@Authorize
public class AuthorizeInterceptor {
@Inject
AuthorizationService authService;
@AroundInvoke
public void validateRole(InvokationContext ctx) {
authService.validate(ApiToken.ALL, ((RestEndpoint)ctx.getTarget()).getHttpHeaders());
}
}
RestEndpoint.java
public class RestEndpoint {
@Context
HttpHeaders headers;
public HttpHeaders getHttpHeaders() { return headers; }
}
SomeResource.java
public class SomeResource extends RestEndpoint {
@GET
@Authorize
public Object someApiCall() {
/* do code directly */
}
}
So, in conclusion, where I write @Authorize, I want to have @Authorize(UserRole.SOME_ROLE).
Thanks in advance!
答案1
得分: 2
所以,我成功地找到了解决方法。原来并不是那么困难,我只是不知道该去哪里找。
以下是修改后的类:
Authorize.java
@InterceptorBinding
@Retention(RUNTIME)
@Target({TYPE, METHOD})
public @interface Authorize {
// Nonbinding 非常重要。它使得拦截器会在不考虑值的情况下触发
@Nonbinding ApiToken value();
}
AuthorizeInterceptor.java
@Interceptor
@Priority(3000)
@Authorize(ApiToken.NULL)
public class AuthorizeInterceptor {
/* 字段 */
public Object validate(InvokationContext ctx) throws Exception {
authService.validate(/* 保持不变 */);
return ctx.proceed();
}
}
SomeResource.java
public class SomeResource {
@GET
@Authorize(ApiToken.SOME_API_CALL)
public Object someApiCall() { /* 实现 */ }
}
正如Turing85所指出的,JavaEE中已经存在一个类似的API,它以相同的方式实现了授权功能。
英文:
So, I managed to figure it out. It turns out that it isn't that hard, I just didn't know where to look.
Here are the modified classes:
Authorize.java
@InterceptorBinding
@Retention(RUNTIME)
@Target({TYPE, METHOD})
public @interface Authorize {
// Nonbinding is very important. It makes the interceptor fire regardless of the value
@Nonbinding ApiToken value();
}
AuthorizeInterceptor.java
@Interceptor
@Priority(3000)
@Authorize(ApiToken.NULL)
public class AuthorizeInterceptor {
/* fields */
public Object validate(InvokationContext ctx) throws Exception {
authService.validate(/* stays the same */);
return ctx.proceed();
}
}
SomeResource.java
public class SomeResource {
@GET
@Authorize(ApiToken.SOME_API_CALL)
public Object someApiCall() { /* implementation */ }
}
As Turing85 pointed out, a similar API already exists in JavaEE which implements the authorization functionality in the same way.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论