3

我有一个简单的 EE5 应用程序,带有一个 Web 客户端和一个运行 glassfish 2 的 ejb 模块。ejb 中方法上的安全注释被忽略,但类级别的安全注释却没有。

例如我有以下bean:

 @Stateful(mappedName = "ejb/PurchaseOrderDao")
 @DeclareRoles("employees")
 @RolesAllowed(value = { "employees" })
 public class PurchaseOrderDao implements PurchaseOrderDaoLocal {

   @Resource
   private EJBContext ejbContext;

   @DenyAll
   public final void add(final PurchaseOrder instance) {
     log.debug("Is User in Role employees: {}", ejbContext.isCallerInRole("employees"));
     delegate.add(instance);
   }

   [...]
}

每个用户都可以调用此方法。调试语句返回正确的值。

web.xml 中定义的 web 客户端中的 Web 资源的安全约束按预期工作,但不是 mwthods 上的注释中定义的那些。

在我的 application.xml 中,我定义了领域和角色。我将它们映射到 sun-application.xml 中。

可能是什么原因?这是 glassfish v2 的已知问题吗?它在 glassfish v3 中正常工作。

其他资源:

sun-ejb-jar.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sun-ejb-jar PUBLIC "-//Sun Microsystems, Inc.//DTD Application Server 9.0 EJB 3.0//EN" "http://www.sun.com/software/appserver/dtds/sun-ejb-jar_3_0-0.dtd">
<sun-ejb-jar>
    <enterprise-beans>
    </enterprise-beans>
</sun-ejb-jar>

ejb-jar.xml

<?xml version="1.0" encoding="UTF-8"?>
<ejb-jar xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:ejb="http://java.sun.com/xml/ns/javaee/ejb-jar_3_0.xsd"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/ejb-jar_3_0.xsd"
version="3.0">
    <display-name>ejb</display-name>
</ejb-jar>

应用程序.xml

<?xml version="1.0" encoding="UTF-8"?>
<application xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns="http://java.sun.com/xml/ns/javaee" xmlns:application="http://java.sun.com/xml/ns/javaee/application_5.xsd"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/application_5.xsd"
    id="ocea" version="5">
    <display-name>ocea</display-name>
    <module>
        <ejb>ejb.jar</ejb>
    </module>
    <module>
        <web>
            <web-uri>web.war</web-uri>
            <context-root>ocea</context-root>
        </web>
    </module>

    <security-role>
        <description>Employees</description>
        <role-name>employees</role-name>
    </security-role>
    <security-role>
        <description>Suppliers</description>
        <role-name>suppliers</role-name>
    </security-role>
    <library-directory>/lib</library-directory>
</application>

太阳应用程序.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sun-application PUBLIC '-//Sun Microsystems, Inc.//DTD Application Server 9.0 Java EE Application 5.0//EN' 'http://www.sun.com/software/appserver/dtds/sun-application_5_0-0.dtd'>
<sun-application>
    <security-role-mapping>
        <role-name>employees</role-name>
        <group-name>employees</group-name>
    </security-role-mapping>

    <security-role-mapping>
        <role-name>suppliers</role-name>
        <group-name>suppliers</group-name>
    </security-role-mapping>

</sun-application>

web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" id="WebApp_ID" version="2.5">
  <display-name>web</display-name>
  <!-- [...] -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login</form-login-page>
      <form-error-page>/loginfailed</form-error-page>
    </form-login-config>
  </login-config>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>PublicContent</web-resource-name>
      <description>Publically available Content needs no authorization.</description>
      <url-pattern>/static/*</url-pattern>
      <url-pattern>/logout</url-pattern>
      <url-pattern>/loggedout</url-pattern>
      <url-pattern>/decorator</url-pattern>
    </web-resource-collection>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Add Requests</web-resource-name>
      <description>accessible by employees</description>
      <url-pattern>/requestadd</url-pattern>
      <url-pattern>/requestaddreal</url-pattern>
      <url-pattern>/orderadd</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>employees</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Add Bids</web-resource-name>
      <description>accessible by suppliers</description>
      <url-pattern>/bidadd</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>suppliers</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Webapplication</web-resource-name>
      <description>accessible by authorized users</description>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <description>For Employees and Suppliers</description>
      <role-name>employees</role-name>
      <role-name>suppliers</role-name>
    </auth-constraint>
  </security-constraint>
  <!-- [...] -->
  <ejb-local-ref>
    <ejb-ref-name>ejb/Dao</ejb-ref-name>
    <local>ejb.dao.DaoLocal</local>
  </ejb-local-ref>
  <!-- [... other ejb-local-ref ...] -->
</web-app>
4

1 回答 1

2

您是否看过此页面: 如何保护 GlassFish 2 上的 Web 服务?

您还应该在 sun-ejb-jar.xml 中为您的 EJB 添加项目以满足身份验证要求。你也做过?

于 2013-01-08T02:31:40.103 回答