英文:
How to get a header value in a RestController and pass it to the parent controller
问题
我是新手使用spring-boot,对Web服务也不太了解。
我想在一个(抽象的)通用RestController中实现授权过程,该过程应该从扩展控制器获取basic-auth头的内容,然后执行授权。
类似于这样:
public class GenericController
{
// 构造函数
protected GenericController(String basicAuth) throws MalformedURLException, ProtocolException, IOException
{
// 检查用户是否能执行操作
}
}
@RestController
@RequestMapping("/users")
public class UserController extends GenericController
{
private static final Logger logger = LoggerFactory.getLogger(UserController.class);
// 构造函数
protected UserController() throws MalformedURLException, ProtocolException, IOException
{
// 以某种方式从头部获取基本身份验证信息并将其传递给父类的构造函数
basicAuth = ???
super(basicAuth);
}
@GetMapping("/user/{cn}")
public String getUser(@PathVariable String cn)
{
logger.error("Start getUser(...): cn=" + cn);
}
}
我应该如何做到这一点?(这种做法是否可行?)
补充信息:
我的Web服务本身也是其他Web服务的消费者。
一旦调用用户被授权“使用”我的Web服务,我必须将Basic Authentication转发/设置到我调用的Web服务的请求中。
那么,我应该在何处拦截和获取调用我的服务时的标头呢?
英文:
I'm new to spring-boot and quite new to web services.
I would like to implement an authorization process in an (abstract) generic RestController which should get the content of the basic-auth. header from the extending controllers and then perform the authorization.
Something like that:
public class GenericController
{
// Constructor
protected GenericController(String basicAuth) throws MalformedURLException, ProtocolException, IOException
{
// check user can execute action
}
}
@RestController
@RequestMapping( "/users" )
public class UserController extends GenericController
{
private static final Logger logger = LoggerFactory.getLogger(UserController.class);
// Constructor
protected UserController() throws MalformedURLException, ProtocolException, IOException
{
// somehow get the basic auth information from header and pass it to the parent's constructor
basicAuth = ???
super(basicAuth);
}
@GetMapping( "/user/{cn}" )
public String getUser( @PathVariable String cn )
{
logger.error("Start getUser(...): cn=" + cn);
}
How can I do that? (is that even possible?)
ADDED INFORMATION:
My web services are themselves consumers of other web services.
Once the calling user is authorized to "use" my web services I have to forward/set the Basic Authentication into the request for the web services I call.
So, how/where can I "intercept" and get the headers when my services are called?
答案1
得分: 0
可以使用HttpServletRequest从请求中获取头信息。
protected UserController(HttpServletRequest httpServletRequest) throws MalformedURLException, ProtocolException, IOException
{
System.out.println(httpServletRequest.getHeaders("key name"));
// 以某种方式从头信息中获取基本身份验证信息,并将其传递给父类的构造函数
basicAuth = ???
super(basicAuth);
}
英文:
You can use HttpServletRequest to get the header from the request.
protected UserController(HttpServletRequest httpServletRequest) throws MalformedURLException, ProtocolException, IOException
{
System.out.println( httpServletRequest.getHeaders("key name"));
// somehow get the basic auth information from header and pass it to the parent's constructor
basicAuth = ???
super(basicAuth);
}
答案2
得分: 0
我建议您查看Spring Security框架。有许多教程展示了如何配置它来执行基本身份验证,例如:这里。
主要思想是将身份验证/授权问题与控制器和业务逻辑代码解耦。为了实现这一点,使用过滤器拦截每个请求并根据不同条件对其进行验证。在实现无状态的REST服务(每个请求独立于其他请求)时,这并不那么困难。在处理会话时,逻辑将变得更加复杂。Spring Security实现了由多个过滤器组成的过滤器链,每个过滤器执行其自身的检查。
Spring Security在基于Spring的项目中经常被使用,绝对值得一看,尽管初次接触可能会感到有些困难。
英文:
I would recommend to take a look at Spring Security framework. There are many tutorials showing how to configure it to perform basic authentication, e.g.: here.
The main idea is decoupling authentication / authorization concerns from controllers and business logic code. To implement this filters are used which intercept every request and validate it against different conditions. When implementing stateless REST-service (each request independent from others) it's not so difficult. When handling sessions, logic will become much more complicated. Spring Security implements filter chains, consisting of multiple filters, each performing its own checks.
Spring Security is used very often in spring-based projects and is definitely worth to look at, although it may seem a bit difficult when meeting it for the first time.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论