将自定义上下文信息添加到 EJB 方法调用
我想在从 Java Web 应用程序 (Wicket) 调用 EJB 无状态会话 bean 的方法时将身份验证信息传递给它们。该信息由用户 ID 和身份验证类型(记住 cookie 或用户/密码)组成,并存储在 http 会话中。一个明显的解决方案是将其作为参数添加到所有 EJB 方法中,但这很麻烦,我希望存在另一种解决方案。
EJB bean 的 JNDI 查找是通过 Web 层中的 javax.naming.InitialContext#lookup(String) 完成的。
是否有一种可移植的方法将身份验证信息添加到调用上下文中,以便 bean 可以使用它?我需要此流程可供 EJB 层(对于最终的 Web 服务端点)和 Web 层中的调用者使用。
更多信息
我正在使用 Java EE 6。未使用 CDI,我宁愿避免实现它。
身份验证由 Web 层处理,使用无状态 Bean 验证记住 Cookie 和用户/密码组合。当访问者第一次访问该站点时,会尝试使用记住 cookie 进行身份验证。最终需要时,系统会要求用户使用用户名和密码登录。如上所述,认证状态存储在http会话中。我不使用基于领域的 Java EE 安全模型,因为我无法弄清楚如何正确集成此身份验证流程。
授权方案基于动态角色,类似于 Facebook 如何根据 2 个用户之间的链接和某些偏好来确定授权。某些操作还会考虑身份验证类型。例如,修改帐户设置需要用户名/密码,而 cookie 是不够的。据我了解,Java EE 标准组和角色不太适合此要求。
我发现的其他相关问题
EJB3 & JAAS主体/主体如何从servlet容器传播到EJB层?
我希望我的问题很清楚。如果需要更多信息,我很乐意提供。
编辑
固定链接。添加有关 CDI 的注释。
I want to pass authentication information to EJB stateless session beans when calling their methods from a Java web application (Wicket). The information consists of a user id and an authentication type (remember cookie or user/password) and is stored in the http session. One obvious solution is to add this as a parameter to all EJB methods, but this is cumbersome and I hope another solution exists.
The JNDI lookup of EJB beans is done via javax.naming.InitialContext#lookup(String) in the web tier.
Is there a portable way to add the authentication information to a calling context so it becomes available to the beans? I need this process to be available for callers both in the EJB layer (for an eventual web service endpoint) and in the web tier.
Some more information
I am using Java EE 6. CDI is not used and I would rather avoid implementing it.
Authentication is handled by the web tier with stateless beans validating remember cookies and user/password combinations. When a visitor first accesses the site, authentication with the remember cookie is tried. When eventually required, the user is asked to login with a username and password. As mentioned above, the authentication status is stored in the http session. I don’t use the Java EE security model based on realms because I couldn’t figure out how this authentication flow could be properly integrated.
The authorization scheme is based on dynamic roles similar to how Facebook determines authorization based on the link between 2 users and some preferences. Some actions also take into account the authentication type. For instance, modifying account settings requires user/password and the cookie is not enough. From what I understood, the Java EE standard groups and roles are not a good fit for this requirement.
Other related questions I found
EJB3 & How JAAS subject/principal is propagated to EJB Tier from servlet container?
Controlling the security Principle passed on a EJB call
Binding a User entity and a GlassFish Principal
Accessing the clients principal inside an ejb method
dynamic roles on a Java EE server
I hope my question is clear enough. If more information is required, I will gladly provide it.
edit
Fixed links. Add note about CDI.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
我认为你应该考虑:
为授权过程创建一个拦截器。无论调用是从哪一层进行的,它都会为您提供一个通用的授权位置。您可以检查调用者是否被允许调用该方法或者他的会话是否仍然处于活动状态(即在数据库中检查它)。
在拦截器中,您可以使用
InitationContext#getContextData().put("user-lated-data-name", someObj) 传递一些与用户相关的数据。在调用者 EJB 中,您可以使用SessionContext#getContextData()获取此数据。使用
SessionContext传递上下文数据的示例可以在 此处最后(也是最有趣的部分)是如何获取 EJB 层上的用户凭据。如果您说的是 WebServices 端点,那么我猜您需要提供某种边界类或指定一个方法,该方法将为每个调用获取一些 sessionId。
如果它是关于将 HttpSession 数据从 Servlet 传播到 EJB...这可能是一个不太可能的事情,但我会考虑使用 CDI。您的 Servlet 可能会使用保存用户凭据的
@SessionScopedbean,并且您可以在拦截器内注入相同的@SessionScopedbean。我不确定这是否可能(在拦截器中注入 CDI bean 或在 Servlet 和 EJB 层之间共享
@SessionScoped)。I think you should consider:
Creating an interceptor for the authorization process. It will give you a common place for authorization despite from which layer the call was made from. You might check if the caller is allowed to invoke the method or if his session is still active (i.e. check it in the DB).
In the interceptor you could pass some user-related data using
InvocationContext#getContextData().put("user-related-data-name", someObj). In the caller EJB you can get this data usingSessionContext#getContextData().An example of passing contextual data using
SessionContextcan be found hereThe last (and most interesting part) would be how to get the user credentials on the EJB layer. If you're saying about WebServices endpoint than I guess you need to provide some kind of boundary class or specify a methods which will take some sessionId for each call.
If it's about propagating
HttpSessiondata from the Servlet to the EJB... It might be a long shot but I would think of using the CDI. Your Servlet might use a@SessionScopedbean which holds the user credentials and you inject the same@SessionScopedbean inside the interceptor.I'm not sure if it's possible at all (injecting CDI beans in the interceptors or sharing
@SessionScopedbetween Servlets and EJB's layers).