我将 Picketlink ( 2.6.0.Final ) 与 JPA ( 使用 Postgresql ) 一起用于持久性。我还实现了一个具有以下基础的初始化程序:
@Singleton
@Startup
public class Initialiser {
@Inject
private PartitionManager partitionManager;
// Create users
@PostConstruct
public void createUsers()
{
try {
createUser("admin", new String[]{RoleConstants.BASIC});
} catch (Exception ex ) {} // Ignore error
try {
createUser("paul", new String[]{RoleConstants.BASIC, RoleConstants.IS_ADMIN});
} catch (Exception ex ) {} // Ignore error
}
private void createUser(String loginName, String[] roles)
{
User user = new User(loginName);
IdentityManager identityManager = this.partitionManager.createIdentityManager();
identityManager.add(user);
identityManager.updateCredential(user, new Password(loginName + "Test"));
for (String role: roles) {
Role xrole = new Role(role);
identityManager.add(xrole);
RelationshipManager relationshipManager = this.partitionManager.createRelationshipManager();
grantRole(relationshipManager, user, xrole);
}
}
}
将我的部署war到 Wildfly 后,我确实看到我的用户是在配置的 postgresql 数据库中创建的 - 在accounttypeentity表中。我可以使用普通的 JPA 方法(通过IdentityQuery查找)查询和查找这些用户帐户。
问题:
我正在使用 PL 来保护我的 Restful API(使用 JAX-RS 实现),他们这样做的方式是什么?使用自定义注释装饰每个端点,该注释旨在检查端点的调用者是否具有登录会话,以及附属用户帐户是否具有必要的角色(每个端点将所需的角色作为注释的一部分传递)。
现在,问题是,即使我有一个用户登录 - identity.isLoggedIn() == true,即使这个用户是我在初始化时创建的具有所需角色的用户之一,检查该用户是否具有任何所需角色的调用也会失败!基本代码是:
hasRole(relationshipManager, user, getRole(identityManager, role)
整个自定义注解定义是:
@ApplicationScoped
public class CustomAuthorizer {
Logger log = Logger.getLogger(CustomAuthorizer.class);
@Inject
Identity identity;
@Inject
IdentityManager identityManager;
@Inject
RelationshipManager relationshipManager;
/**
* This method is used to check if classes and methods annotated with {@link BasicRolesAllowed} can perform
* the operation or not
*
* @param identity The Identity bean, representing the currently authenticated user
* @param identityManager The IdentityManager provides methods for checking a user's roles
* @return true if the user can execute the method or class
* @throws Exception
*/
@Secures
@BasicRolesAllowed
public boolean hasBasicRolesCheck(InvocationContext invocationContext) throws Exception {
log.error("** Checking roles...");
BasicRolesAllowed basicRolesAllowed = getAnnotation(invocationContext,BasicRolesAllowed.class);
String[] requiredRoles = basicRolesAllowed.value();// get these from annotation
Identity identity = getIdentity();
if((requiredRoles.length > 0) && (!getIdentity().isLoggedIn()))
{
log.error("** User Not Logged In: can't pass role checking...");
return false;
}
boolean isAuthorized = true;
User user = (User) getIdentity().getAccount();
for (String role : requiredRoles) {
isAuthorized = isAuthorized && hasRole(relationshipManager, user, getRole(identityManager, role));
log.info(String.format("User:%s | Role: %s | Has?: %s", user, role, isAuthorized));
}
return isAuthorized;
}
private <T extends Annotation> T getAnnotation(InvocationContext invocationContext, Class<T> annotationType) {
Class unproxiedClass = getUnproxiedClass(invocationContext.getTarget().getClass());
T annotation = (T) unproxiedClass.getAnnotation(annotationType);
Method invocationContextMethod = invocationContext.getMethod();
if (annotation == null) {
annotation = invocationContextMethod.getAnnotation(annotationType);
}
if (annotation == null) {
throw new IllegalArgumentException("No annotation [" + annotationType + " found in type [" + unproxiedClass + "] or method [" + invocationContextMethod + ".");
}
return annotation;
}
private Identity getIdentity() {
return this.identity;
}
}
所以,我会作弊并提出 3 个问题(一个):
- 我如何真正确认 picketlink 保留了我分配给我创建的用户的角色?
- 这些分配的角色存储在数据库(或其他地方)的什么位置以便我确认?
- 如果我以错误的方式检查用户角色(请参阅我的代码),我应该如何纠正这个问题?