Search code examples
javajerseyjax-rstomcat8requestfiltering

Enable ContainerRequestFilter without web.xml


I'm trying to enable basic authentication using Filter. I likes to enable that without using web.xml file. I tried the answer in the question

Use ContainerRequestFilter in Jersey without web.xml

But I can't get clear idea over that. How to enable filter without web.xml file?

package com.example.filter;

import java.io.IOException;
import java.lang.reflect.Method;
import java.util.Base64;
import java.util.StringTokenizer;

import javax.annotation.security.PermitAll;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.ResourceInfo;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;

import com.example.ApiService;

public class AuthFilter implements ContainerRequestFilter {

    private HttpServletRequest request;
    @Context
    private ResourceInfo resourceInfo;
    private static final String AUTHORIZATION_PROPERTY = "Authorization";
    private static final String AUTHENTICATION_SCHEME = "Basic";
    private static final Response ACCESS_DENIED = Response.status(Response.Status.UNAUTHORIZED)
            .entity("You cannot access this resource").build();

    public boolean isAuthenticated(String authCredentials) {
        if (null == authCredentials)
            return false;

        final String encodedUserPassword = authCredentials.replaceFirst(AUTHENTICATION_SCHEME + " ", "");
        String usernameAndPassword = null;
        try {
            byte[] decodedBytes = Base64.getDecoder().decode(encodedUserPassword);
            usernameAndPassword = new String(decodedBytes, "UTF-8");
        } catch (IOException e) {
            e.printStackTrace();
        }
        final StringTokenizer tokenizer = new StringTokenizer(usernameAndPassword, ":");
        final String username = tokenizer.nextToken();
        if (request.getSession() != null) {
            String mobile_number = (String) request.getSession().getAttribute(ApiService.CONTACT_ID_KEY);
            if (mobile_number != username) {
                return true;
            }
        }
        return false;
    }

    @Override
    public void filter(ContainerRequestContext requestContext) throws IOException {
        Method method = resourceInfo.getResourceMethod();

        if (!method.isAnnotationPresent(PermitAll.class)) {


            // Fetch authorization header
            final String authorization = requestContext.getHeaderString(AUTHORIZATION_PROPERTY);

            // If no authorization information present; block access
            if (authorization == null || authorization.isEmpty()) {
                requestContext.abortWith(ACCESS_DENIED);
                return;
            }

            if(!isAuthenticated(authorization)) {
                requestContext.abortWith(ACCESS_DENIED);
                return;

            }
        }

    }

}

And this is my Application class

package com.example;

import java.util.HashMap;
import java.util.Map;

import javax.ws.rs.ApplicationPath;
import javax.ws.rs.core.Application;


@ApplicationPath("/rest")
public class ApiConfig extends Application {

    public Map<String, Object> getProperties() {
        Map<String, Object> properties = new HashMap<>();
        properties.put("jersey.config.server.provider.packages", "com.example");
        return properties;
    }
}

Thank you.


Solution

  • You need to annotate it with @Provider. The scanning picks up classes that are annotated with @Provider and @Path. You also need to add @Context for the HttpServletRequest if you want it injected (you only have it on the ResourceInfo).