For security reasons I added simple HTTP Basic authentication to Jetty to block unauthorized calls. The service is only called internally, but I added it anyway. There are several ways to do it; I tried each one and am recording them here.
Method 1: modify web.xml + Java code + config file
Add this block to web.xml:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>api</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Realm</realm-name>
</login-config>
<security-role>
    <role-name>admin</role-name>
</security-role>
Roughly, this enables Basic authentication for HTTP access: the admin role is required, and the url-pattern /* matches everything. If needed you can declare several roles here and then split them by URL so that different roles get different access rights. I have no such need, so I intercept everything.
The block above is not enough on its own. My Jetty is embedded, so the rest of the configuration can be done directly in Java code:
import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.security.HashLoginService;
import org.eclipse.jetty.security.authentication.BasicAuthenticator;

// webapp is the WebAppContext that loaded web.xml; the security handler it built from
// <security-constraint>/<login-config> still needs a login service (realm) and an authenticator
ConstraintSecurityHandler securityHandler = (ConstraintSecurityHandler) webapp.getSecurityHandler();
HashLoginService loginService = new HashLoginService("Realm", "/etc/realm.properties");
loginService.setHotReload(true); // pick up edits to realm.properties without a restart
BasicAuthenticator basicAuthenticator = new BasicAuthenticator();
securityHandler.setRealmName("Realm"); // must match <realm-name> in web.xml
securityHandler.setAuthenticator(basicAuthenticator);
securityHandler.setLoginService(loginService);
realm.properties:
admin: pwd123,admin
Format: username: password, role
Method 2: modify Java code + config file
Newer Spring MVC can bootstrap a web project through annotations or plain code without a web.xml, so the approach above no longer applies. In that case you just express what was in web.xml as code and add it to Jetty.
As follows:
import org.eclipse.jetty.security.ConstraintMapping;
import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.security.HashLoginService;
import org.eclipse.jetty.security.authentication.BasicAuthenticator;
import org.eclipse.jetty.util.security.Constraint;

ConstraintSecurityHandler securityHandler = (ConstraintSecurityHandler) webapp.getSecurityHandler();
HashLoginService loginService = new HashLoginService("Realm", "/etc/realm.properties");
loginService.setHotReload(true);
BasicAuthenticator basicAuthenticator = new BasicAuthenticator();
securityHandler.setRealmName("Realm");
securityHandler.setAuthenticator(basicAuthenticator);
// This part is new; it means the same as the web.xml block:
// constraint "api" requires authentication and the admin role, mapped to /*
ConstraintMapping constraintMapping = new ConstraintMapping();
Constraint constraint = new Constraint("api", "admin");
constraint.setAuthenticate(true);
constraint.setRoles(new String[]{"admin"}); // list every role allowed through here
constraintMapping.setConstraint(constraint);
constraintMapping.setPathSpec("/*");
securityHandler.addConstraintMapping(constraintMapping);
securityHandler.setLoginService(loginService);
realm.properties is unchanged.
Method 3: modify Java code only
This approach drops the config file and sets the username, password and role directly in Java code. It is simpler and cruder, but not recommended; it is here for study and research only.
The code is as follows:
import javax.security.auth.Subject;
import org.eclipse.jetty.security.ConstraintMapping;
import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.security.HashLoginService;
import org.eclipse.jetty.security.IdentityService;
import org.eclipse.jetty.security.MappedLoginService;
import org.eclipse.jetty.security.authentication.BasicAuthenticator;
import org.eclipse.jetty.server.UserIdentity;
import org.eclipse.jetty.util.security.Constraint;
import org.eclipse.jetty.util.security.Credential;

ConstraintSecurityHandler securityHandler = new ConstraintSecurityHandler();
HashLoginService loginService = new HashLoginService("Realm"); // no properties file
// Add the username and password in code.
// MappedLoginService.KnownUser / getUsers() is the older Jetty 9 (9.2/9.3) API;
// later releases replaced MappedLoginService, so check your Jetty version.
final String role = "admin";
final String username = "dev";
final String password = "dev";
IdentityService identityService = loginService.getIdentityService();
UserIdentity admin = identityService.newUserIdentity(new Subject(),
        new MappedLoginService.KnownUser(username, Credential.getCredential(password)),
        new String[]{role});
loginService.getUsers().put(username, admin);
BasicAuthenticator basicAuthenticator = new BasicAuthenticator();
securityHandler.setRealmName("Realm");
securityHandler.setAuthenticator(basicAuthenticator);
ConstraintMapping constraintMapping = new ConstraintMapping();
Constraint constraint = new Constraint("api", role);
constraint.setAuthenticate(true);
constraint.setRoles(new String[]{role});
constraintMapping.setConstraint(constraint);
constraintMapping.setPathSpec("/*");
securityHandler.addConstraintMapping(constraintMapping);
securityHandler.setLoginService(loginService);
// springMvcHandler is the ServletContextHandler that hosts the Spring MVC DispatcherServlet
springMvcHandler.setSecurityHandler(securityHandler);
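To show methods 2 and 3 end to end, here is a complete, self-contained embedded-Jetty program that I added for this write-up (it is not code from the original post or from the Jetty project). It assumes Jetty 9.x with the jetty-server, jetty-servlet and jetty-security artifacts on the classpath, uses a constructed realm file written to a temp path instead of /etc/realm.properties, a hypothetical HelloServlet standing in for the internal API, and an ephemeral port so it can run anywhere. It then checks the outcome that matters: a request without credentials or with a wrong password is rejected, and a request with the right credentials gets through.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Base64;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.eclipse.jetty.security.ConstraintMapping;
import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.security.HashLoginService;
import org.eclipse.jetty.security.authentication.BasicAuthenticator;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlet.ServletHolder;
import org.eclipse.jetty.util.security.Constraint;

public class BasicAuthDemo {

    // Same security handler as method 2: Basic auth, realm "Realm", role "admin", path /*
    static ConstraintSecurityHandler buildSecurityHandler(String realmFile) {
        HashLoginService loginService = new HashLoginService("Realm", realmFile);
        loginService.setHotReload(true);

        Constraint constraint = new Constraint("api", "admin");
        constraint.setAuthenticate(true);
        ConstraintMapping mapping = new ConstraintMapping();
        mapping.setConstraint(constraint);
        mapping.setPathSpec("/*");

        ConstraintSecurityHandler securityHandler = new ConstraintSecurityHandler();
        securityHandler.setRealmName("Realm");
        securityHandler.setAuthenticator(new BasicAuthenticator());
        securityHandler.addConstraintMapping(mapping);
        securityHandler.setLoginService(loginService);
        return securityHandler;
    }

    // Hypothetical servlet standing in for the internal API
    static class HelloServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            resp.setContentType("text/plain");
            resp.getWriter().println("hello " + req.getRemoteUser());
        }
    }

    // GET url; the Authorization header is only sent when credentials ("user:pass") is non-null
    static int get(String url, String credentials) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
        if (credentials != null) {
            String token = Base64.getEncoder()
                    .encodeToString(credentials.getBytes(StandardCharsets.UTF_8));
            conn.setRequestProperty("Authorization", "Basic " + token);
        }
        return conn.getResponseCode();
    }

    public static void main(String[] args) throws Exception {
        // Constructed realm file in the same "user: password,role" format as realm.properties.
        // Jetty also accepts OBF:/MD5:/CRYPT: encoded passwords in this file instead of plaintext.
        Path realm = Files.createTempFile("realm", ".properties");
        Files.write(realm, "dev: dev,admin\n".getBytes(StandardCharsets.UTF_8));

        Server server = new Server(0); // port 0 = ephemeral port chosen by the OS
        ServletContextHandler context = new ServletContextHandler(
                ServletContextHandler.SESSIONS | ServletContextHandler.SECURITY);
        context.setContextPath("/");
        context.addServlet(new ServletHolder(new HelloServlet()), "/api/hello");
        context.setSecurityHandler(buildSecurityHandler(realm.toString()));
        server.setHandler(context);
        server.start();

        try {
            int port = ((ServerConnector) server.getConnectors()[0]).getLocalPort();
            String url = "http://localhost:" + port + "/api/hello";
            System.out.println("no credentials -> " + get(url, null));
            System.out.println("wrong password -> " + get(url, "dev:wrong"));
            System.out.println("dev:dev        -> " + get(url, "dev:dev"));
        } finally {
            server.stop();
            Files.deleteIfExists(realm);
        }
    }
}
```

The first two requests should come back 401 and the third 200; if the unauthenticated request returns 200, the constraint mapping was not attached to the context that actually serves the request, which is the usual mistake when several handlers are nested. Two points worth keeping in mind with this setup: Basic auth only base64-encodes the credentials, so the connector in front of the service should be TLS (or the service reachable only on a trusted network, as in the original post), and the realm file is better stored with encoded passwords (Jetty's OBF:/MD5:/CRYPT: forms) and restrictive file permissions than in plaintext.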
OK, that is roughly it; all three methods are here. When I have time I will upload the code to GitHub for easy reference.