Java back-end development: Using Java Authentication and Authorization Service for API multi-role permission management

With the development of the Internet, the application scenarios of various web applications and APIs are becoming more and more extensive, and API multi-role permission management has become an increasingly important topic. In Java back-end development, Java Authentication and Authorization Service (JAAS) is a reliable solution. It provides a role-based permission control mechanism that allows us to easily manage access permissions to API interfaces.

In Java development, the JAAS framework is the abbreviation of Java Authentication and Authorization Service. It is one of the Java SE standard APIs and is mainly used for authentication and authorization of applications. The core concepts of the JAAS framework are configuration and policy sources, which are used to identify and manage different user types and access policies in a program.

The JAAS framework provides two main abstractions: Subject and LoginModule. Subject represents a user or a user group in the program, and LoginModule is the specific implementation of authentication and authorization. The JAAS framework implements a role-based permission control mechanism through these two abstractions.

Let’s take a look at how to use the JAAS framework to implement API role permission management.

1. Configuring JAAS

First, JAAS needs to be configured. We can create a configuration file in the project, for example: jaas.conf. The content of the configuration file is as follows:

Sample {
    com.example.security.SimpleLoginModule required;
};

In the above configuration, Sample is a program name, and com.example.security.SimpleLoginModule implements LoginModule The class name of the interface.

2. Implement the LoginModule interface

Next, you need to implement a class that implements the LoginModule interface to authenticate and authorize users. The code example is as follows:

package com.example.security;

import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class SimpleLoginModule implements LoginModule {

    private Subject subject;
    private CallbackHandler callbackHandler;
    private Map<String, ?> sharedState;
    private Map<String, ?> options;
    private String username;

    public void initialize(
        Subject subject,
        CallbackHandler callbackHandler,
        Map<String, ?> sharedState,
        Map<String, ?> options
    ) {
        this.subject = subject;
        this.callbackHandler = callbackHandler;
        this.sharedState = sharedState;
        this.options = options;
    }

    public boolean login() throws LoginException {
        Callback[] callbacks = new Callback[2];
        callbacks[0] = new NameCallback("username: ");
        callbacks[1] = new PasswordCallback("password: ", false);

        try {
            callbackHandler.handle(callbacks);

            String username = ((NameCallback) callbacks[0]).getName();
            String password = String.valueOf(((PasswordCallback) callbacks[1]).getPassword());

            // 验证用户名和密码，通过返回true
            if ("admin".equals(username) && "123456".equals(password)) {
                this.username = username;
                return true;
            } else {
                throw new LoginException("Invalid username or password");
            }
        } catch (UnsupportedCallbackException | IOException e) {
            e.printStackTrace();
            throw new LoginException(e.getMessage());
        }
    }

    public boolean commit() throws LoginException {
        subject.getPrincipals().add(new SimplePrincipal(username));
        return true;
    }

    public boolean abort() throws LoginException {
        return true;
    }

    public boolean logout() throws LoginException {
        subject.getPrincipals().removeIf(principal -> principal.getName().equals(username));
        return true;
    }

}

Among them, we implement user authentication and authorization by implementing the methods in the LoginModule interface. In the login method, we use the CallbackHandler to obtain the username and password entered by the user and authenticate them; in the commit method, we add the user information to the Subject for subsequent role authorization.

3. Implementing role authorization

Next, role authorization needs to be performed for the specific API interface. We can use the annotations provided by Java EE for authorization, for example:

@RolesAllowed({"admin","user"})
@Path("/api/hello")
public class HelloResource {

    @GET
    public Response greet() {
        return Response.ok("Hello World!").build();
    }

}

In the above example, we use the @RolesAllowed annotation to specify the access role of the API. Only users with the admin and user roles can access the API. interface.

4. Configuring the application server

Finally, to add JAAS support on the application server, we can add the following configuration to server.xml:

<server>
  ...
  <featureManager>
    ...
    <feature>appSecurity-2.0</feature>
  </featureManager>
  ...
</server>

Add the following code in web.xml:

<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>sampleRealm</realm-name>
  <form-login-config>
    <form-login-page>/login.html</form-login-page>
    <form-error-page>/error.html</form-error-page>
  </form-login-config>
</login-config>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>helloResource</web-resource-name>
    <url-pattern>/api/hello</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
    <role-name>user</role-name>
</auth-constraint>

In the above configuration, we specified the use of FORM authentication method and provided the corresponding page for the page. At the same time, you also need to specify Security Constraint to authorize the role of /hello API.

So far, we have completed the configuration of API multi-role permission management.

Summary

The JAAS framework is the abbreviation of Java Authentication and Authorization Service. It is one of the Java SE standard APIs and is mainly used for authentication and authorization of applications. In Java back-end development, using the JAAS framework for API multi-role permission management can easily implement role authorization. We implemented a role-based permission control mechanism through configuration and policy sources, used the LoginModule interface for identity authentication and authorization, and used annotations for API role authorization. By configuring the application server, we finally implemented API multi-role permission management.

The above is the detailed content of Java back-end development: Using Java Authentication and Authorization Service for API multi-role permission management. For more information, please follow other related articles on the PHP Chinese website!