I am developing a RESTlet API (JAVA), and I've created a custom authorization filter that I run all requests through before passing it to my router. In my requests I always pass the session ID as a request attribute, e.g.
http://localhost:8080/myAPI/{sid}/someResource/
Now, in my functions that extends ServerResource, I can do something like this to easily extract that {sid}:
String sid = (getRequestAttributes().containsKey("sid")) ? getRequestAttributes().get("sid").toString() : "";
My problem is, in my authorization function, which extends Filter (the authorization function is not called via a router, but is called in my main createInboundRoot() function), I cannot use the same method to extract the {sid}. I've created a workaround using string manipulation of request.getResourceRef().getSegments(), but there must be a better way?
Any help will be appreciated!
Thanks
You can create a common parent class for any child of ServerResource. like this:
public class CommonParentResource extends ServerResource
{
// class definition
}
And then override the doInit() method of the ServerResource class in it.
public class CommonParentResource extends ServerResource
{
public void doInit()
{
boolean authorized=false;
String sid = getRequestAttributes().containsKey("sid") ? (String)getRequestAttributes().get("sid") : StringUtils.EMPTY;
// Authorization logic here.
if(!authorized)//after authorization process completed.
{
getResponse().setStatus(Status.CLIENT_ERROR_UNAUTHORIZED);
getResponse().setEntity(/*Representation carrrying message for unauthorized user*/);
}
}
}
Now any new child class of ServerResource that you want to perform this authorization check, must extend this CommonParentResource class. Like this:
public class FriendsListResource extends CommonParentResource
{
#Get
//......
}
Two points are important here:
doInit() of any child class of ServerResource is called before calling any method annotated with #Get / #Post / ...
(Caution) If you do not use this statement:
getResponse().setStatus(Status.CLIENT_ERROR_UNAUTHORIZED);
i.e. if you do not set status of response to an error, then methods annotated with #Get / #Post / #Put / ... will get called ! But if your program sets the status of the response to an error-status, then the #Get / #Post / #Put / ... will not get executed, and the end user will see the error message represented by:
getResponse().setEntity(/*Representation carrrying message for unauthorized user*/);
Related
I have a Rest Client in a Quarkus (1.8.1) service defined like this:
#RegisterRestClient
#Path("/")
#Produces("application/json")
#Consumes("application/json")
public interface MyClient {
#POST
#Path("/{entity}")
Response postEntity(#HeaderParam(value = "Authorization") String auth,
#PathParam("entity") String entity, Object payload) throws MyException;
}
And I have implemented ResponseExceptionMapper in the same package like this:
public class MyExceptionMapper implements ResponseExceptionMapper<MyException> {
#Override
public MyException toThrowable(Response r) {
return new DynamicsException(r.getStatus() + " - " + r.readEntity(String.class));
}
}
When I call the service it is currently returning a 404 error, and I expected the code in the MyExceptionMapper class to be called. However it doesn't and instead a javax.ws.rs.WebApplicationException is thrown. The stack trace includes a call to the DefaultResponseExceptionMapper. It's seems that my mapper has not been registered.
How can I register my handler for invalid responses from calls to the service?
You need to register MyExceptionMapper as provider to the rest client with #RegisterProvider(MyExceptionMapper.class).
#RegisterRestClient
#RegisterProvider(MyExceptionMapper.class)
#Path("/")
#Produces("application/json")
#Consumes("application/json")
public interface MyClient {
Each implementation provides a default ResponseExceptionMapper implementation that will map and invoke a response to javax.ws.rs.WebApplicationException when the response status code is >= 400. It has a priority of Integer.MAX_VALUE, and is meant to be
used as a fallback whenever an error is encountered. This mapper will be registered bydefault to all client interfaces, but this can be disabled by setting an MP Config property,
microprofile.rest.client.disable.default.mapper, to true.
RestClientBuilder.newBuilder().property("microprofile.rest.client.disable.default.mapper",true)
I am trying to implement a simple client in rest easy, but I am getting an error saying "You must use at least one, but no more than one http method annotation". In my server implementation, I have added a http annotation on my method.
#Path("/")
public class TestResource
{
#GET
#Path("/domain/{value}")
public String get(#PathParam("value") final String value) {
return "Hello" + value;
}
}
I debugged it through, the first time it is not hitting the runtime exception, However, it is making a second call to it and failing, not sure why and how.
My client as junit test:
#Test
public void testPerformRestEasy() {
ResteasyClient client = new ResteasyClientBuilder().build();
ResteasyWebTarget target = client.target("http://localhost:8080/");
TestResource proxy = target.proxy(TestResource.class);
String response = proxy.get("user");
Assert.assertEquals("Hellouser", response);
}
The code where it is failing
private static <T> ClientInvoker createClientInvoker(Class<T> clazz, Method method, ResteasyWebTarget base, ProxyConfig config)
{
Set<String> httpMethods = IsHttpMethod.getHttpMethods(method);
if (httpMethods == null || httpMethods.size() != 1)
{
throw new RuntimeException("You must use at least one, but no more than one http method annotation on: " + method.toString());
}
ClientInvoker invoker = new ClientInvoker(base, clazz, method, config);
invoker.setHttpMethod(httpMethods.iterator().next());
return invoker;
}
Error:
java.lang.RuntimeException: You must use at least one, but no more than one http method annotation on: public final void java.lang.Object.wait(long,int) throws java.lang.InterruptedException
at org.jboss.resteasy.client.jaxrs.ProxyBuilder.createClientInvoker(ProxyBuilder.java:76)
at org.jboss.resteasy.client.jaxrs.ProxyBuilder.proxy(ProxyBuilder.java:52)
at org.jboss.resteasy.client.jaxrs.ProxyBuilder.build(ProxyBuilder.java:120)
at org.jboss.resteasy.client.jaxrs.internal.ClientWebTarget.proxy(ClientWebTarget.java:72)
Does anyone know what the issue is here?
The Resteasy JAXRS 2 client does not seem to accept implementation classes directly. To make it work, you have to create a properly annotated interface. It is used by Resteasy to generate a client proxy and your server must implement exactly the same interface.
So in your case, you have to split your code into an interface and a separate implementation class:
#Path("/")
public interface TestResource {
#GET
#Path("/domain/{value}")
String get(#PathParam("value") final String value);
}
public class TestResourceImpl implements TestResource {
#Override String get(final String value) {
return "Hello" + value;
}
}
I'm not sure if this is Resteasy-specific or required by the specification, but solved the same issue for me. You can find the section that gave me the hint here in the documentation.
You have to define the MIME media type resource representation of resource(#Produces/#Consumes) from client. Like -
#Path("/")
public class TestResource
{
#GET
#Produces("text/plain")
#Path("/domain/{value}")
public String get(#PathParam("value") final String value) {
return "Hello" + value;
}
}
The Jboss Client framework Doc will help you more.
In my case the developer of the Rest Client Interface had wrongly extended RestEasyClientProxy. It wasn't the methods in the Rest Interface that were missing the http annotations, but the inherited methods.
Removing extends RestEasyClientProxy from the Rest Client Interface code fixed the issue.
How can I send GET request for entity with custom MediaType?
For example I want to retrieve MyUserDTO and set MediaType to application/user+yml.
For now I have two separated actions. I can retrieve entity:
resource.get(MyUserDTO.class);
and can retrieve string:
resource.get(new MediaType("application", "user+yml");
But how to combine them? Or maybe there is some trick to configure Restlet to teach him how to work with custom MediaTypes.
In fact, you have the right approach but you don't use the right constructor of the class MediaType (new MediaType(name, description)).
To make your code work, you need to change it to this:
resource.get(new MediaType("application/user+yml"));
On the server side, you will get this:
#Get
public Representation getSomething() {
System.out.println(">> media types = " +
getRequest().getClientInfo().getAcceptedMediaTypes());
// Display this: media types = [application/user+yml:1.0]
(...)
}
You can leverage the extension support of Restlet by adding a value within the annotation Get. In your case, you need to add a custom extension as described below:
public class MyApplication extends Application {
public MyApplication() {
getMetadataService().addExtension(
"myextension", new MediaType("application/user+yml"));
(...)
}
#Override
public Restlet createInboundRoot() {
(...)
}
}
Now you can use the extension within your server resource:
#Get("myextension")
public Representation getSomething() {
(...)
}
This method will be used with the expected media type is application/user+yml.
Hope it helps you,
Thierry
I am developing a REST API using RESTEasy with Guice and at the moment I am trying to incorporate basic authentication by use of an annotation similar to the #Auth found in Dropwizard. With
#Path("hello")
public class HelloResource {
#GET
#Produces("application/json")
public String hello(#Auth final Principal principal) {
return principal.getUsername();
}
}
the hello resource invocation should be intercepted by some code performing basic authentication using the credentials passed in the Authorization HTTP request header and on success injecting the principal into the method principal parameter. I would also like to be able to pass a list of allowed roles to the annotation, e.g. #Auth("admin").
I really need some advice in what direction to go to achieve this?
I think your best bet would be using an intermediate value within request scope. Assuming that you didn't put HelloResource in singleton scope, you can inject this intermediate value in some ContainerRequestFilter implementation and in your resource, and you can fill it inside this ContainerRequestFilter implementation with all authentication and authorization info you need.
It will look something like this:
// Authentication filter contains code which performs authentication
// and possibly authorization based on the request
#Provider
public class AuthFilter implements ContainerRequestFilter {
private final AuthInfo authInfo;
#Inject
AuthFilter(AuthInfo authInfo) {
this.authInfo = authInfo;
}
#Override
public void filter(ContainerRequestContext requestContext) throws IOException {
// You can check request contents here and even abort the request completely
// Fill authInfo with the data you need
Principal principal = ...; // Ask some other service possibly
authInfo.setPrincipal(principal);
}
}
#Path("hello")
public class HelloResource {
private final AuthInfo authInfo;
#Inject
HelloResource(AuthInfo authInfo) {
this.authInfo = authInfo;
}
#GET
#Produces("application/json")
public String hello() {
// authInfo here will be pre-filled with the principal, assuming
// you didn't abort the request in the filter
return authInfo.getPrincipal().getUsername();
}
}
public class MainModule extends AbstractModule {
#Override
protected void configure() {
bind(AuthFilter.class);
bind(HelloResource.class);
bind(AuthInfo.class).in(RequestScoped.class);
}
}
And even if you did put the resource (or even the filter) in singleton scope for some reason, you can always inject Provider<AuthInfo> instead of AuthInfo.
Update
It seems that I was somewhat wrong in that the filter is by default not in singleton scope. In fact it seem to behave like singleton even though it is not bound as such. It is created upon JAX-RS container startup. Hence you will need to inject Provider<AuthInfo> into the filter. In fact, the container startup will fail if AuthInfo is injected into the filter directly while being bound to request scope. Resource (if not explicitly bound as singleton) will be OK with direct injection though.
I have uploaded working program to github.
Consider the following ServerResource derived type:
public class UserResource extends ServerResource {
#Get
public User getUser(int id) {
return new User(id, "Mark", "Kharitonov");
}
}
(Yes, it always returns the same user no matter the given id).
Is it possible to make it work in Restlet? Because, as far as I understand, the expected signature of the GET handler is:
Representation get();
OR
Representation get(Variant v); // (no idea what it means yet)
Now I understand, that I can implement the non type safe GET handler to extract the arguments from the request and then invoke getUser, after which to compose the respective Representation instance from the result and return. But this is a boilerplate code, it does not belong with the application code, its place is inside the framework. At least, this is how it is done by OpenRasta - the REST framework I have been using in .NET
Thanks.
You should remove the parameter from the signature
#Get
public User getUser() {
String id = getQuery().getFirstValue("id");
return new User(id, "Mark", "Kharitonov");
}
No need to override the get() methods in this case as the #Get annotation will be automatically detected.