小贝子编程

在glassfish v2中,Java EE 5的安全注解被忽略了



我有一个简单的EE5应用程序,带有web客户端和运行glassfish 2的ejb模块。方法ejb中的安全注释会被忽略,但类级别的注释不会。

例如我有如下bean:

 @Stateful(mappedName = "ejb/PurchaseOrderDao")
 @DeclareRoles("employees")
 @RolesAllowed(value = { "employees" })
 public class PurchaseOrderDao implements PurchaseOrderDaoLocal {
   @Resource
   private EJBContext ejbContext;
   @DenyAll
   public final void add(final PurchaseOrder instance) {
     log.debug("Is User in Role employees: {}", ejbContext.isCallerInRole("employees"));
     delegate.add(instance);
   }
   [...]
}

每个用户都可以调用这个方法。调试语句返回正确的值。

web.xml中定义的web客户端中web资源的安全约束按预期工作,但不是方法注释中定义的安全约束。

在application.xml中,我定义了领域和角色。我在sun-application.xml中映射它们。

原因是什么?这是glassfish v2的已知问题吗?

其他资源:

sun-ejb-jar.xml 

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sun-ejb-jar PUBLIC "-//Sun Microsystems, Inc.//DTD Application Server 9.0 EJB 3.0//EN" "http://www.sun.com/software/appserver/dtds/sun-ejb-jar_3_0-0.dtd">
<sun-ejb-jar>
    <enterprise-beans>
    </enterprise-beans>
</sun-ejb-jar>


<?xml version="1.0" encoding="UTF-8"?>
<ejb-jar xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:ejb="http://java.sun.com/xml/ns/javaee/ejb-jar_3_0.xsd"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/ejb-jar_3_0.xsd"
version="3.0">
    <display-name>ejb</display-name>
</ejb-jar>

application.xml 

<?xml version="1.0" encoding="UTF-8"?>
<application xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns="http://java.sun.com/xml/ns/javaee" xmlns:application="http://java.sun.com/xml/ns/javaee/application_5.xsd"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/application_5.xsd"
    id="ocea" version="5">
    <display-name>ocea</display-name>
    <module>
        <ejb>ejb.jar</ejb>
    </module>
    <module>
        <web>
            <web-uri>web.war</web-uri>
            <context-root>ocea</context-root>
        </web>
    </module>
    <security-role>
        <description>Employees</description>
        <role-name>employees</role-name>
    </security-role>
    <security-role>
        <description>Suppliers</description>
        <role-name>suppliers</role-name>
    </security-role>
    <library-directory>/lib</library-directory>
</application>

sun-application.xml 

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sun-application PUBLIC '-//Sun Microsystems, Inc.//DTD Application Server 9.0 Java EE Application 5.0//EN' 'http://www.sun.com/software/appserver/dtds/sun-application_5_0-0.dtd'>
<sun-application>
    <security-role-mapping>
        <role-name>employees</role-name>
        <group-name>employees</group-name>
    </security-role-mapping>
    <security-role-mapping>
        <role-name>suppliers</role-name>
        <group-name>suppliers</group-name>
    </security-role-mapping>
</sun-application>

web . xml 

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" id="WebApp_ID" version="2.5">
  <display-name>web</display-name>
  <!-- [...] -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login</form-login-page>
      <form-error-page>/loginfailed</form-error-page>
    </form-login-config>
  </login-config>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>PublicContent</web-resource-name>
      <description>Publically available Content needs no authorization.</description>
      <url-pattern>/static/*</url-pattern>
      <url-pattern>/logout</url-pattern>
      <url-pattern>/loggedout</url-pattern>
      <url-pattern>/decorator</url-pattern>
    </web-resource-collection>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Add Requests</web-resource-name>
      <description>accessible by employees</description>
      <url-pattern>/requestadd</url-pattern>
      <url-pattern>/requestaddreal</url-pattern>
      <url-pattern>/orderadd</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>employees</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Add Bids</web-resource-name>
      <description>accessible by suppliers</description>
      <url-pattern>/bidadd</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>suppliers</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Webapplication</web-resource-name>
      <description>accessible by authorized users</description>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <description>For Employees and Suppliers</description>
      <role-name>employees</role-name>
      <role-name>suppliers</role-name>
    </auth-constraint>
  </security-constraint>
  <!-- [...] -->
  <ejb-local-ref>
    <ejb-ref-name>ejb/Dao</ejb-ref-name>
    <local>ejb.dao.DaoLocal</local>
  </ejb-local-ref>
  <!-- [... other ejb-local-ref ...] -->
</web-app>

你看过这个页面吗?如何在GlassFish 2上保护web服务?

您还应该在sun-ejb-jar.xml中为您的ejb添加项目,以满足身份验证需求。你也做过?

相关内容

  • 没有找到相关文章

最新更新


热门标签:

javascript python java c# php android html jquery c++ css ios sql mysql arrays asp.net json python-3.x ruby-on-rails .net sql-server django objective-c excel regex ruby linux ajax iphone xml vba spring asp.net-mvc database wordpress string postgresql wpf windows xcode bash git oracle list vb.net multithreading eclipse algorithm macos powershell visual-studio image forms numpy scala function api selenium