小贝子编程

JASPIC Wildfly 9 validateRequest with session



基于这个Jaspic示例,我为ServerAuthModule:编写了以下validateRequest方法

public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject,
        Subject serviceSubject) throws AuthException {
    boolean authenticated = false;
    final HttpServletRequest request = 
                      (HttpServletRequest) messageInfo.getRequestMessage();
    final String token = request.getParameter("token");
    TokenPrincipal principal = (TokenPrincipal) request.getUserPrincipal();
    Callback[] callbacks = new Callback[] {
            new CallerPrincipalCallback(clientSubject, (TokenPrincipal) null) };
    if (principal != null) {
        callbacks = new Callback[] { 
                new CallerPrincipalCallback(clientSubject, principal) };
        authenticated = true;
    } else {
        if (token != null && token.length() == Constants.tokenLength) {
            try {
                principal = fetchUser(token);
            } catch (final Exception e) {
                throw (AuthException) new AuthException().initCause(e);
            }
            callbacks = new Callback[]
                        { 
                             new CallerPrincipalCallback(clientSubject, principal),
                             new GroupPrincipalCallback(clientSubject,
                                                        new String[] { "aRole" })
                        };
            messageInfo.getMap().put("javax.servlet.http.registerSession", "TRUE");
            authenticated = true;
        }
    }
    if (authenticated) {
        try {
            handler.handle(callbacks);
        } catch (final Exception e) {
            throw (AuthException) new AuthException().initCause(e);
        }
        return SUCCESS;
    }
    return AuthStatus.SEND_FAILURE;
}

这与预期的一样,对于带有@RolesAllowed("aRole")的ejb的第一次调用,但对于下一次调用,这根本不起作用。Wildfly用以下错误消息否认:

ERROR [org.jboss.as.ejb3.invocation] (default task-4) WFLYEJB0034: EJB Invocation 
    failed on component TestEJB for method public java.lang.String 
    com.jaspic.security.TestEJB.getPrincipalName():
    javax.ejb.EJBAccessException: WFLYSEC0027: Invalid User

如果我猜对了,错误发生在:wilfly源代码的org.jboss.as.security.service.SimpleSecurityManager第367行,由于第405行,其中检查了credential,但似乎是null

这在Wildfly 8/9/10CR中似乎是一样的(其他版本未测试)。

同样,我不确定我是否做错了,或者这是否与https://issues.jboss.org/browse/WFLY-4626?这到底是一个bug,还是预期的行为?

这对我来说也是一个bug,因为调用方标识(调用方/组Principal s)似乎在对web的后续调用中保留,但对EJB容器没有保留。我自己的JASPIC类(在GlassFish 4.1上正常工作)在WildFly 9.0.2.Final和10.0.0.CR4上失败的原因与普通Servlet和SLSB一起使用时相同,即使后者标记为@PermitAll

由于我自己不熟悉WildFly的安全内部,我无法在这方面为您提供帮助。除非您能修补此问题,否则我目前能想到的唯一SAM级别解决方法是不要使用似乎触发问题的javax.servlet.http.registerSession回调属性,而是让CallbackHandler在每次validateRequest(...)调用时同时注册调用方Principal其组。如果适用于您的用例,您可能希望将该信息附加到HttpSession,以便稍微加快进程;否则从头开始重复。例如:

public class Sam implements ServerAuthModule {
    // ...
    @Override
    public AuthStatus validateRequest(MessageInfo mi, Subject client, Subject service) throws AuthException {
        boolean authenticated = false;
        boolean attachAuthnInfoToSession = false;
        final String callerSessionKey = "authn.caller";
        final String groupsSessionKey = "authn.groups";
        final HttpServletRequest req = (HttpServletRequest) mi.getRequestMessage();
        TokenPrincipal tp = null;
        String[] groups = null;
        String token = null;
        HttpSession hs = req.getSession(false);
        if (hs != null) {
            tp = (TokenPrincipal) hs.getAttribute(callerSessionKey);
            groups = (String[]) hs.getAttribute(groupsSessionKey);
        }
        Callback[] callbacks = null;
        if (tp != null) {
            callbacks = new Callback[] { new CallerPrincipalCallback(client, tp), new GroupPrincipalCallback(client, groups) };
            authenticated = true;
        }
        else if (isValid(token = req.getParameter("token"))) {
            tp = newTokenPrincipal(token);
            groups = fetchGroups(tp);
            callbacks = new Callback[] { new CallerPrincipalCallback(client, tp), new GroupPrincipalCallback(client, groups) };
            authenticated = true;
            attachAuthnInfoToSession = true;
        }
        if (authenticated) {
            try {
                handler.handle(callbacks);
                if (attachAuthnInfoToSession && ((hs = req.getSession(false)) != null)) {
                    hs.setAttribute(callerSessionKey, tp);
                    hs.setAttribute(groupsSessionKey, groups);
                }
            }
            catch (IOException | UnsupportedCallbackException e) {
                throw (AuthException) new AuthException().initCause(e);
            }
            return AuthStatus.SUCCESS;
        }
        return AuthStatus.SEND_FAILURE;
    }
    // ...
    @Override
    public void cleanSubject(MessageInfo mi, Subject subject) throws AuthException {
        // ...
        // just to be safe
        HttpSession hs = ((HttpServletRequest) mi.getRequestMessage()).getSession(false);
        if (hs != null) {
            hs.invalidate();
        }
    }
    private boolean isValid(String token) {
        // whatever
        return ((token != null) && (token.length() == 10));
    }
    private TokenPrincipal newTokenPrincipal(String token) {
        // whatever
        return new TokenPrincipal(token);
    }
    private String[] fetchGroups(TokenPrincipal tp) {
        // whatever
        return new String[] { "aRole" };
    }
}

我在上述WildFly版本上以上述方式测试了上述内容(即,使用单个Servlet引用标记为@DeclareRoles/方法级别@RolesAllowed的单个SLSB),它似乎按预期工作。显然,我不能保证这种方法不会以其他意想不到的方式失败。

另请参阅:

  • [WFLY-4625]
  • [证券-744]
  • [证券-745]

相关内容

  • 没有找到相关文章

最新更新


热门标签:

javascript python java c# php android html jquery c++ css ios sql mysql arrays asp.net json python-3.x ruby-on-rails .net sql-server django objective-c excel regex ruby linux ajax iphone xml vba spring asp.net-mvc database wordpress string postgresql wpf windows xcode bash git oracle list vb.net multithreading eclipse algorithm macos powershell visual-studio image forms numpy scala function api selenium