我仍然在使用BASIC auth-method. 当我的自定义登录模块工作时,我遇到了一些关于授权的问题。我使用带有注释的 RESTeasy RESTFul Web 服务进行测试,代码如下:
package it.bytebear.web.mongo;
import it.bytebear.web.mongo.jaas.MongoModuleCallbackHandler;
import it.bytebear.web.mongo.model.User;
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Request;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.Response.Status;
import javax.ws.rs.core.SecurityContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
Path("/service")
Stateless
ublic class UserServices {
private Logger log = LoggerFactory.getLogger(UserServices.class);
@GET
@Path("/userA")
@RolesAllowed({ "userA" })
public Response postUserA() {
return Response.ok("You're user A.", MediaType.TEXT_HTML).build();
}
@GET
@Path("/userB")
@RolesAllowed({ "userB" })
public Response postUserB() {
return Response.ok("You're user B.", MediaType.TEXT_HTML).build();
}
@GET
@Path("/userC")
@RolesAllowed({ "userC" })
public Response postUserC() {
return Response.ok("You're user C.", MediaType.TEXT_HTML).build();
}
@POST
@Path("/login")
@PermitAll
@Consumes(MediaType.APPLICATION_JSON)
// @Consumes("application/x-authc-username-password+json")
public Response login(User userCredentials) {
log.info("logging in.");
try {
MongoModuleCallbackHandler handler = new MongoModuleCallbackHandler();
handler.setUsername(userCredentials.getUserName());
handler.setPassword(userCredentials.getPassword().toCharArray());
LoginContext loginContext = new LoginContext("MongoLoginRealm", handler);
loginContext.login();
Subject subject = loginContext.getSubject();
List<String> roles = new ArrayList<String>();
for (Principal p : subject.getPrincipals()) {
roles.add(p.getName());
}
String[] userCredentialsRoles = new String[roles.size()];
roles.toArray(userCredentialsRoles);
userCredentials.setRoles(userCredentialsRoles);
return Response.ok().entity(userCredentials)
.type(MediaType.APPLICATION_JSON_TYPE).build();
} catch (Exception e) {
log.error("login fails.", e);
return Response.status(Status.FORBIDDEN).entity("Not logged")
.type(MediaType.APPLICATION_JSON_TYPE).build();
}
}
@GET
@Path("/logout")
@PermitAll
public Response logout(Request req) {
return Response.ok().build();
}
@POST
@Path("/test")
@PermitAll
public Response test(@Context SecurityContext ctx) {
Principal p = ctx.getUserPrincipal();
return Response.status(Status.OK).entity(p).build();
}
}
我的登录模块被正确调用并生成了一个包含一个Groupnamed的主题,但是当我尝试访问时,我总是得到一个错误。我使用方法检查但总是返回。我想念如何和工作,怎么知道一个主题?更重要的是:我想了解更多信息,将不胜感激链接到资源和文档。RolesPrincipaluserA.../service/userA403testsubjectctx.getUserPrincipal()nullLoginModuleSecurityContextSecurityContext
更新:在我web.xml使用 RESTEasy 安全性:
...
<context-param>
<param-name>resteasy.role.based.security</param-name>
<param-value>true</param-value>
</context-param>
...
我是否用 RESTEasy 安全性搞乱了 EJB 安全性?