Security role mapping not applied from the deployment descriptor

Published 2024-12-07 08:35:22


Using GlassFish 3.1.1 for a Java EE 6 project, the security role mapping defined in glassfish-web.xml has no influence on the 'user - role' mapping.

Calling request.isUserInRole("USER") as well as request.isUserInRole("ADMIN") always returns false.

glassfish-web.xml

<glassfish-web-app>
    <security-role-mapping>
        <role-name>ADMIN</role-name>
        <group-name>ADMIN</group-name>
    </security-role-mapping>
    <security-role-mapping>
        <role-name>USER</role-name>
        <group-name>USER</group-name>
    </security-role-mapping>
</glassfish-web-app>

Annotating LoginBean.java with @DeclareRoles as shown below, the roles are assigned as expected.

LoginBean.java

import java.io.Serializable;
import javax.annotation.security.DeclareRoles;
import javax.enterprise.context.RequestScoped;
import javax.inject.Named;

@DeclareRoles({"ADMIN", "USERS"})
@Named(value = "loginBean")
@RequestScoped
public class LoginBean implements Serializable {
    ...

Why do I need the @DeclareRoles in LoginBean.java in order to get a working 'user - role' mapping for request.isUserInRole?


鹿港巷口少年归 2024-12-14 08:35:22


A similar question on Coderanch cites 17.2.5.3 Declaration of Security Roles Referenced from the Bean’s Code
of the EJB 3.1 specification:

The Bean Provider is responsible for using the DeclareRoles
annotation
or the security-role-ref elements of the deployment
descriptor to declare all the security role names used in the
enterprise bean code. The DeclareRoles annotation is specified on a
bean class, where it serves to declare roles that may be tested by
calling isCallerInRole from within the methods of the annotated class.
Declaring the security roles allows the Bean Provider,
Application Assembler, or Deployer to link these security role names
used in the code to the security roles defined for an assembled
application.

[...]

If the DeclareRoles annotation is not used, the Bean Provider must
use the security-role-ref elements of the deployment descriptor to
declare the security roles referenced in the code.

(Emphasis mine)

So it's just a simple hint to the Deployer, and they don't have to interpret the code to get the list of the used roles. It could be really hard if a developer calls the isUserInRole() method with a role name which comes from another method or from very complex logic.

This also could be useful (from 17.3 Responsibilities of the Bean Provider and/or Application Assembler):

The main reason for providing the security view of the enterprise
beans is to simplify the Deployer’s job. In the absence of a security
view of an application, the Deployer needs detailed knowledge of the
application in order to deploy the application securely. For example,
the Deployer would have to know what each business method does to
determine which users can call it. The security view defined by the
Bean Provider or Application Assembler presents a more consolidated
view to the Deployer, allowing the Deployer to be less familiar with
the application.

(I see that the question is about a web application but I think the reasoning behind is the same and servlet spec isn't so detailed.)

From Deployer’s Responsibilities: Assignment of Security Roles (17.4.2):

The Deployer assigns principals and/or groups of principals (such as
individual users or user groups) used for managing security in the
operational environment to the security roles defined by means of the
DeclareRoles and RolesAllowed metadata annotations and/or
security-role elements of the deployment descriptor.

So, according to the spec the glassfish-web.xml is created by the Deployer (not the Bean Provider or Application Assembler) and for the Deployer's work he needs the role names from "DeclareRoles and RolesAllowed metadata annotations and/or security-role elements of the deployment descriptor."

夜无邪 2024-12-14 08:35:22


The role-mapping in the glassfish-web.xml translates a Java EE application's security role names into a deployment environments user/group mechanism. The roles are abstract... and until your application uses a role, the mapping is unnecessary and not consulted.
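Putting both answers together, as an added example that is not part of the original question or either answer: the container only links the group names in glassfish-web.xml to a role after that role has been declared as an abstract security role (via @DeclareRoles, @RolesAllowed / @ServletSecurity, or a <security-role> element in web.xml) and is actually referenced by code or a constraint. The servlet below is hypothetical; its class name, URL pattern and output format are assumptions, and it reuses the ADMIN/USER mapping from the question's glassfish-web.xml. Note that the linking is an exact string match, so the declared name must equal the <role-name> in the mapping.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.annotation.security.DeclareRoles;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical servlet (not from the original question) showing the two
 * things the container needs before the <security-role-mapping> entries in
 * glassfish-web.xml are consulted:
 *   1. the abstract role names must be declared (here via @DeclareRoles;
 *      <security-role> in web.xml is the equivalent declarative form), and
 *   2. code or a constraint must actually use them.
 * Role names are matched as exact strings, so "USER" here must equal the
 * <role-name>USER</role-name> entry in glassfish-web.xml.
 */
@DeclareRoles({"ADMIN", "USER"})
@WebServlet("/report")
// Declarative, container-enforced check: a caller in neither role gets a 403
// before doGet() runs. rolesAllowed also counts as "using" the roles.
@ServletSecurity(@HttpConstraint(rolesAllowed = {"ADMIN", "USER"}))
public class ReportServlet extends HttpServlet {

    /** Access level derived from the caller's roles; fails closed. */
    static String accessLevel(HttpServletRequest req) {
        if (req.isUserInRole("ADMIN")) {
            return "full";
        }
        if (req.isUserInRole("USER")) {
            return "read-only";
        }
        // Unauthenticated caller, or a principal whose groups are not mapped.
        // isUserInRole() for an undeclared role name also always ends up here,
        // which is the symptom described in the question.
        return "none";
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String level = accessLevel(req);
        if ("none".equals(level)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("user=" + req.getRemoteUser() + " access=" + level);
    }
}
```

Deploy this alongside the question's glassfish-web.xml and a realm whose users carry the ADMIN or USER group, and isUserInRole() returns true for the mapped group without any change to the mapping itself. GlassFish also offers a server-wide "Default Principal To Role Mapping" setting that maps a group to a role of the same name when no explicit mapping exists; it does not remove the need to declare the role, it only removes the need to write the <security-role-mapping> element.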
