Security constraint in web.xml for authenticated users with no role membership
I am quite desperate, because I think there must be an easy solution to my problem but I am searching - to no avail.
I am using a custom Realm in Glassfish 3.1.1. This custom realm (implements AppservPasswordLoginModuleInterface) takes a security token from the HTTPS request, validates the security token and then returns the user to Glassfish.
The problem is that the security token does not contain any groups, meaning that the method public String[] getGroupsList() of the custom realm returns an empty list (correctly, because there are no roles in the security token).
That said, I would like to have a security constraint that only validated users can login. I know that I can use the following constraint in web.xml:
```xml
<security-constraint>
  <web-resource-collection>
    <web-resource-name>mywebapp</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>Users</role-name>
  </auth-constraint>
</security-constraint>
```
But because I don't have any groups, I cannot map any groups to roles, and therefore I cannot use the auth-constraint with role-name.
Is there a way in web.xml to define that only authenticated users are allowed, ignoring in which role they are and ignoring whether they are in any role at all.
There are a couple of solutions which I cannot implement:
- I cannot change the underlying LDAP to include roles, because the LDAP schema and the way LDAP users are mapped to security tokens are out of scope.
- I have to use the current custom realm handler, I cannot replace it with one of my own which just returns a default group. I did try this once, and it worked. But I cannot replace the existing custom realm with my own because the custom realm should be generic.
But I really think there should be a way in web.xml just to say: Ignore all groups and roles, I just want an authenticated user?
Any help would be appreciated.
Pretty old, but for those looking for an answer, you can use an `*` role name: This guy managed to solve it.
Use two asterisks:
See section 13.8 of the Servlet 4.0 spec: https://javaee.github.io/servlet-spec/downloads/servlet-4.0/servlet-4_0_FINAL.pdf
The single asterisk means a user must have at least one of any declared role, whereas double asterisks mean a user simply must be authenticated. So with a single asterisk a user must have one of the roles declared in the security-role section of the web.xml, and it appears some application servers (like JBoss/Wildfly) allow you to also put a single asterisk in this section to make this work similarly to the double asterisks. This single asterisk in the security-role section appears to be non-standard and likely non-portable: