
I am just learning Java EE and have encountered a problem connected with security. Java EE has realms, users, roles and that is all. If the current user has the required role to be authorized, he is; otherwise he fails. My problem is: how to make Java EE security obey such a security constraint, that personal user's data is visible only to him. Theoretically, I could make for every user his own "role" and programmatically check if the user has the role of the user owning that data. It seems to me to be a very inconvenient solution (many, many roles). Is Java EE Security capable of dealing with such a security constraint as in the title?


1 Answer


No. The standard Java EE security model does not directly address this kind of per-user security.

Instead, you will need to do it manually. Whenever you handle a request for sensitive data, you will need to write code that checks the user's identity and allows or denies that request. If you have a working JAAS context, you can find the user's identity through EJBContext::getCallerPrincipal, HttpServletRequest::getUserPrincipal, or by using JAAS.

Yes, this is very awkward and painful. No, there really isn't anything in Java EE that makes this easier. There are very likely third-party libraries that can help, but I'm afraid I don't know of any.

answered 2013-07-28T21:29:34.643
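The manual ownership check the answer describes, as an added example that is not part of the question or the answer: a stateless EJB lets the container enforce the coarse role gate with @RolesAllowed and then compares EJBContext.getCallerPrincipal() against the owner of the requested record. The ProfileRecord type, the in-memory PROFILES map and the "user" role name are assumptions made for the example; the same comparison works in a servlet with HttpServletRequest.getUserPrincipal().

```java
import java.security.Principal;
import java.util.Map;
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// Hypothetical record type; "owner" holds the realm login name of the user who owns it.
final class ProfileRecord {
    final String owner;
    final String data;
    ProfileRecord(String owner, String data) { this.owner = owner; this.data = data; }
}

@Stateless
@RolesAllowed("user") // coarse, container-enforced check: any authenticated "user" may call
public class ProfileService {

    // Injected EJBContext; the container fills in the caller principal from the realm login.
    @Resource
    private SessionContext ctx;

    // Constructed stand-in for a database table keyed by profile id.
    private static final Map<String, ProfileRecord> PROFILES = Map.of(
            "42", new ProfileRecord("alice", "alice's private notes"),
            "43", new ProfileRecord("bob", "bob's private notes"));

    public ProfileRecord load(String profileId) {
        Principal caller = ctx.getCallerPrincipal();
        ProfileRecord record = PROFILES.get(profileId);
        // Fine-grained check the container cannot do for us: the record must belong to
        // the caller. "Not found" and "not yours" are reported identically so that
        // guessing ids does not reveal which ones exist.
        if (record == null || !isOwner(caller, record)) {
            throw new EJBAccessException("profile not accessible to caller");
        }
        return record;
    }

    // Compare the realm principal's name with the record's owner column; one check
    // serves every caller, so no per-user role is needed.
    static boolean isOwner(Principal caller, ProfileRecord record) {
        return caller != null && record.owner.equals(caller.getName());
    }
}
```

The caller of load() (a servlet or JAX-RS resource) should map EJBAccessException to a 403 or 404 response rather than letting the stack trace reach the client.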