Quarkus基于注解的拦截器,带有非可选参数

huangapple go评论80阅读模式
英文:

Quarkus Annotation-Based Interceptor with Non-Optional Arguments

问题

这似乎是一个热门话题,基于提出的问题数量,但是我尚未找到我正在寻找的答案。我想在我的 Quarkus 应用中实现一个简单的授权服务,但我似乎一遍又一遍地重复着代码。

基本上,我从授权 HTTP 标头中获取 JWT,然后检查其中提供的角色是否足以访问我的终端点:

public void someApiCall(@Context HttpHeaders headers) {
    authService.validate(ApiToken.SOME_API_CALL, headers); // 未经授权时抛出异常
    
    //…
}

现在,我认为这看起来很笨拙,我不喜欢我需要为每个单独的 Http 终端点添加的额外参数。我已经研究了一些关于 AOP 的资料,并且知道如何添加一个拦截器,该拦截器可以通过一个注解验证 Http 标头,该注解将应用于我的方法:

@Authorize
public void someApiCall(/*…*/) { /*…*/ }

问题是,我不知道如何将参数传递到此注解中,以指定所需的角色。我想要类似这样的东西:

@Authorize(UserRole.SYSADMIN)

这似乎非常简单,但我无法弄清楚。在下面,您将找到拦截器和注解类(当然缺少所需的角色):

Authorize.java

@Retention(value=RUNTIME)
@Target(value=METHOD)
public @interface Authorize {}

AuthorizeInterceptor.java

@Interceptor
@Priority(3000)
@Authorize
public class AuthorizeInterceptor {

    @Inject
    AuthorizationService authService;

    @AroundInvoke
    public void validateRole(InvokationContext ctx) {
        authService.validate(ApiToken.ALL, ((RestEndpoint)ctx.getTarget()).getHttpHeaders());
    }
}

RestEndpoint.java

public class RestEndpoint {
    
    @Context
    HttpHeaders headers;

    public HttpHeaders getHttpHeaders() { return headers; }
}

SomeResource.java

public class SomeResource extends RestEndpoint {

    @GET
    @Authorize
    public Object someApiCall() {
        /* 直接编写代码 */
    }
}

因此,总之,在我写 @Authorize 的地方,我想要写成 @Authorize(UserRole.SOME_ROLE)。提前谢谢!

英文:

This seems to be a hot topic based on the amount of questions asked but I have not found the answer I am looking for just yet. I want to implement a simple authorization service in my Quarkus app, but I seem to be repeating code over and over again.

Basically, I take in the JWT from the Authorization Http header and check if the role supplied in it is sufficient to access my endpoint:

public void someApiCall(@Context HttpHeaders headers) {
    authService.validate(ApiToken.SOME_API_CALL, headers); // Throws an exception when unauthorized
    
    //…
}

Now, I think this looks really clunky and I do not like the additional parameter that I need for every single Http endpoint. I have done some research into AOP and know how to add an interceptor which could validate the Http headers through an annotation which would be applied to my method:

@Authorize
public void someApiCall(/*…*/) { /*…*/ }

The issue is, I do not know how to pass in arguments into this annotation to specify the required role. I want something like this:

@Authorize(UserRole.SYSADMIN)

This seems pretty simple but I cannot figure it out. Below you will find the interceptor and annotation classes (Missing the required role of course):

Authorize.java

@Retention(value=RUNTIME)
@Target(value=METHOD)
public @interface Authorize {}

AuthorizeInterceptor.java

@Interceptor
@Priority(3000)
@Authorize
public class AuthorizeInterceptor {

    @Inject
    AuthorizationService authService;

    @AroundInvoke
    public void validateRole(InvokationContext ctx) {
        authService.validate(ApiToken.ALL, ((RestEndpoint)ctx.getTarget()).getHttpHeaders());
    }
}

RestEndpoint.java

public class RestEndpoint {

    @Context
    HttpHeaders headers;

    public HttpHeaders getHttpHeaders() { return headers; }
}

SomeResource.java

public class SomeResource extends RestEndpoint {

    @GET
    @Authorize
    public Object someApiCall() {
        /* do code directly */
    }
}

So, in conclusion, where I write @Authorize, I want to have @Authorize(UserRole.SOME_ROLE).

Thanks in advance!

答案1

得分: 2

所以,我成功地找到了解决方法。原来并不是那么困难,我只是不知道该去哪里找。

以下是修改后的类:

Authorize.java

@InterceptorBinding
@Retention(RUNTIME)
@Target({TYPE, METHOD})
public @interface Authorize {
    // Nonbinding 非常重要。它使得拦截器会在不考虑值的情况下触发
    @Nonbinding ApiToken value();
}

AuthorizeInterceptor.java

@Interceptor
@Priority(3000)
@Authorize(ApiToken.NULL)
public class AuthorizeInterceptor {
    /* 字段 */

    public Object validate(InvokationContext ctx) throws Exception {
        authService.validate(/* 保持不变 */);
        return ctx.proceed();
    }
}

SomeResource.java

public class SomeResource {
    @GET
    @Authorize(ApiToken.SOME_API_CALL)
    public Object someApiCall() { /* 实现 */ }
}

正如Turing85所指出的,JavaEE中已经存在一个类似的API,它以相同的方式实现了授权功能。

英文:

So, I managed to figure it out. It turns out that it isn't that hard, I just didn't know where to look.

Here are the modified classes:

Authorize.java

@InterceptorBinding
@Retention(RUNTIME)
@Target({TYPE, METHOD})
public @interface Authorize {
    // Nonbinding is very important. It makes the interceptor fire regardless of the value
    @Nonbinding ApiToken value();
}

AuthorizeInterceptor.java

@Interceptor
@Priority(3000)
@Authorize(ApiToken.NULL)
public class AuthorizeInterceptor {
    /* fields */

    public Object validate(InvokationContext ctx) throws Exception {
        authService.validate(/* stays the same */);
        return ctx.proceed();
    }
}

SomeResource.java

public class SomeResource {
    @GET
    @Authorize(ApiToken.SOME_API_CALL)
    public Object someApiCall() { /* implementation */ }
}

As Turing85 pointed out, a similar API already exists in JavaEE which implements the authorization functionality in the same way.

huangapple
  • 本文由 发表于 2020年8月14日 23:27:27
  • 转载请务必保留本文链接:https://go.coder-hub.com/63415713.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定