Glassfish basic authentication in REST services
I am trying to make basic authentication in Web Project using Glassfish jdbcRealm.
This is my web.xml authentication part:
    <security-constraint>
        <display-name>LoginTestContraint</display-name>
        <web-resource-collection>
            <web-resource-name>Login</web-resource-name>
            <description/>
            <url-pattern>/login/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <description/>
            <role-name>UsersRead</role-name>
            <role-name>UsersWrite</role-name>
            <role-name>UsersDelete</role-name>
        </auth-constraint>
    </security-constraint>
    <security-constraint>
        <display-name>UsersConstraints</display-name>
        <web-resource-collection>
            <web-resource-name>FindAll</web-resource-name>
            <description/>
            <url-pattern>/resources/com.taxi.model.users/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <description/>
            <role-name>UsersRead</role-name>
            <role-name>UsersWrite</role-name>
            <role-name>UsersDelete</role-name>
        </auth-constraint>
    </security-constraint>
    <security-constraint>
        <display-name>AccessConstraints</display-name>
        <web-resource-collection>
            <web-resource-name>/resources/com.taxi.model.access</web-resource-name>
            <description/>
            <url-pattern>/resources/com.taxi.model.access/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <description/>
            <role-name>AccessRead</role-name>
            <role-name>AccessWrite</role-name>
            <role-name>AccessDelete</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>taxiJDBCRealm</realm-name>
    </login-config>
    <security-role>
        <description/>
        <role-name>AccessRead</role-name>
    </security-role>
    <security-role>
        <description/>
        <role-name>AccessWrite</role-name>
    </security-role>
    <security-role>
        <description/>
        <role-name>AccessDelete</role-name>
    </security-role>
    <security-role>
        <description/>
        <role-name>UsersRead</role-name>
    </security-role>
    <security-role>
        <description/>
        <role-name>UsersWrite</role-name>
    </security-role>
    <security-role>
        <description/>
        <role-name>UsersDelete</role-name>
    </security-role>
And this is what I have in glassfish-web.xml:
    <glassfish-web-app error-url="">
        <security-role-mapping>
            <role-name>AccessDelete</role-name>
            <group-name>AccessDelete</group-name>
        </security-role-mapping>
        <security-role-mapping>
            <role-name>AccessRead</role-name>
            <group-name>AccessRead</group-name>
        </security-role-mapping>
        <security-role-mapping>
            <role-name>AccessWrite</role-name>
            <group-name>AccessWrite</group-name>
        </security-role-mapping>
        <security-role-mapping>
            <role-name>UsersDelete</role-name>
            <group-name>UsersDelete</group-name>
        </security-role-mapping>
        <security-role-mapping>
            <role-name>UsersRead</role-name>
            <group-name>UsersRead</group-name>
        </security-role-mapping>
        <security-role-mapping>
            <role-name>UsersWrite</role-name>
            <group-name>UsersWrite</group-name>
        </security-role-mapping>
        <class-loader delegate="true"/>
        <jsp-config>
            <property name="keepgenerated" value="true">
                <description>Keep a copy of the generated servlet class' java code.</description>
            </property>
        </jsp-config>
    </glassfish-web-app>
I want to authenticate REST service users, so I do the following:
    @Stateless
    @Path("com.taxi.model.users")
    public class UsersFacadeREST extends AbstractFacade<Users> {
        // ...
        @GET
        @Override
        @Produces({"application/xml", "application/json"})
        @RolesAllowed("UsersRead")
        public List<Users> findAll() {
            return super.findAll();
        }
        // ...
    }

    @Stateless
    @Path("com.taxi.model.access")
    public class AccessFacadeREST extends AbstractFacade<Access> {
        // ...
        @GET
        @Override
        @Produces({"application/xml", "application/json"})
        @RolesAllowed("AccessRead")
        public List<Access> findAll() {
            return super.findAll();
        }
        // ...
    }
When I try to open http://localhost:8080/taxi/resources/com.taxi.model.access, it returns XML with accesses.
Then, when I try to open http://localhost:8080/taxi/resources/com.taxi.model.users in the browser, it all works, but access is denied. In the PostgreSQL log file I see:
2011-08-15 13:32:14 SAMST LOG: execute <unnamed>: SELECT glpasswd FROM vw_glusertable WHERE gluser = $1
2011-08-15 13:32:14 SAMST DETAIL: parameters: $1 = 'nickla'
2011-08-15 13:32:14 SAMST LOG: execute <unnamed>: SELECT glgroup FROM vw_glgrouptable WHERE gluser = $1
2011-08-15 13:32:14 SAMST DETAIL: parameters: $1 = 'nickla'
Glassfish error log:
FINE: [Web-Security] Setting Policy Context ID: old = null ctxID = taxi/taxi
FINE: [Web-Security] hasUserDataPermission perm: (javax.security.jacc.WebUserDataPermission /resources/com.taxi.model.users GET)
FINE: [Web-Security] hasUserDataPermission isGranted: true
FINE: [Web-Security] Policy Context ID was: taxi/taxi
FINE: [Web-Security] Codesource with Web URL: file:/taxi/taxi
FINE: [Web-Security] Checking Web Permission with Principals : null
FINE: [Web-Security] Web Permission = (javax.security.jacc.WebResourcePermission /resources/com.taxi.model.users GET)
FINEST: JACC Policy Provider: PolicyWrapper.implies, context (taxi/taxi)- result was(false) permission ((javax.security.jacc.WebResourcePermission /resources/com.taxi.model.users GET))
FINE: [Web-Security] hasResource isGranted: false
FINE: [Web-Security] hasResource perm: (javax.security.jacc.WebResourcePermission /resources/com.taxi.model.users GET)
FINEST: Processing login with credentials of type: class com.sun.enterprise.security.auth.login.common.PasswordCredential
FINE: Logging in user [nickla] into realm: taxiJDBCRealm using JAAS module: jdbcRealm
FINE: Login module initialized: class com.sun.enterprise.security.auth.login.JDBCLoginModule
FINEST: JDBC login succeeded for: nickla groups:[UsersRead, AccessRead, AccessWrite, UsersWrite, UsersDelete, AccessDelete]
FINE: JAAS login complete.
FINE: JAAS authentication committed.
FINE: Password login succeeded for : nickla
FINE: Set security context as user: nickla
FINE: [Web-Security] Policy Context ID was: taxi/taxi
FINE: [Web-Security] Codesource with Web URL: file:/taxi/taxi
FINE: [Web-Security] Checking Web Permission with Principals : nickla, UsersRead, AccessRead, AccessWrite, UsersWrite, UsersDelete, AccessDelete
FINE: [Web-Security] Web Permission = (javax.security.jacc.WebResourcePermission /resources/com.taxi.model.users GET)
FINEST: JACC Policy Provider: PolicyWrapper.implies, context (taxi/taxi)- result was(false) permission ((javax.security.jacc.WebResourcePermission /resources/com.taxi.model.users GET))
FINE: [Web-Security] hasResource isGranted: false
FINE: [Web-Security] hasResource perm: (javax.security.jacc.WebResourcePermission /resources/com.taxi.model.users GET)
Why does Glassfish tell me that my user with role UsersRead has no grants for com.taxi.model.users?
P.S.:
The answer is simple: do not use the words UsersRead, UsersWrite and UsersDelete as role names. I do not know why, but when I changed it to UsersRead11, everything went right.
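A small triage of the Glassfish log above, as an added example that is not part of the original post: it pairs each `Checking Web Permission` line with its `hasResource isGranted` result and compares the principals with the roles the matching web.xml constraint requires, so a denial before login is not confused with a denial by the authorization policy after a successful login. The function names and verdict labels are hypothetical, the inputs are shortened copies of the post's web.xml and log, and it assumes group names equal role names, as in the post's glassfish-web.xml.

```python
import re
import xml.etree.ElementTree as ET

# Constructed inputs: one constraint from the post's web.xml and a shortened copy of its log.
WEB_XML = """<web-app><security-constraint>
  <web-resource-collection><url-pattern>/resources/com.taxi.model.users/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>UsersRead</role-name><role-name>UsersWrite</role-name></auth-constraint>
</security-constraint></web-app>"""
PERM = "(javax.security.jacc.WebResourcePermission /resources/com.taxi.model.users GET)"
LOG = f"""FINE: [Web-Security] Checking Web Permission with Principals : null
FINE: [Web-Security] Web Permission = {PERM}
FINE: [Web-Security] hasResource isGranted: false
FINE: [Web-Security] Checking Web Permission with Principals : nickla, UsersRead, AccessRead
FINE: [Web-Security] Web Permission = {PERM}
FINE: [Web-Security] hasResource isGranted: false
"""

def required_roles(web_xml, path):
    """Roles of every constraint whose url-pattern covers path (exact and /prefix/* forms only)."""
    roles = set()
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        for p in (e.text.strip() for e in sc.iter("url-pattern")):
            if path == p or (p.endswith("/*") and (path + "/").startswith(p[:-1])):
                roles |= {r.text.strip() for r in sc.iter("role-name")}
    return roles

def decisions(log):
    """Yield (principals, path, method, granted) for each WebResourcePermission check."""
    principals = path = method = None
    for line in log.splitlines():
        if m := re.search(r"Checking Web Permission with Principals : (.*)", line):
            principals = set() if m[1].strip() == "null" else {x.strip() for x in m[1].split(",")}
        elif m := re.search(r"Web Permission = \(\S*WebResourcePermission (\S+) (\S+)\)", line):
            path, method = m[1], m[2]
        elif m := re.search(r"hasResource isGranted: (true|false)", line):
            yield principals, path, method, m[1] == "true"

def triage(log, web_xml):
    out = []
    for principals, path, method, granted in decisions(log):
        if granted:
            verdict = "granted"
        elif not principals:
            verdict = "unauthenticated"      # no principals yet: the BASIC challenge follows
        elif principals & required_roles(web_xml, path):
            verdict = "authz-policy-denied"  # login worked and a required name is present
        else:
            verdict = "missing-role"         # login worked, none of the required names held
        out.append((method, path, verdict))
    return out
```

Calling `triage(LOG, WEB_XML)` labels the first check `unauthenticated` and the second `authz-policy-denied`, which matches the post: the JDBC realm login succeeds and the denial comes from the policy decision.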