
I am building a separate Admin Center tool that requires the Administrator role to access it. How do I specify that in the auth-constraint of web.xml?

I tried the following, but it does not work:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>commonlogin-secure-resources</web-resource-name>
        <url-pattern>/rest/readyToLand</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>test</role-name>
        <role-name>Administrator</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

server.xml

<basicRegistry>
    <user name="admin" password="adminPassword"/>
</basicRegistry>    
<administrator-role>
    <user>admin</user>
</administrator-role>

After logging in, if I try to access this URL it says I am not authorized to access it. Do I need to bind it somewhere??

After adding IBM-Authorization-Roles: com.ibm.ws.management to MANIFEST.MF I can access it with the Administrator role, but not with the test role. What is wrong with the configuration? How do I do role mapping in an OSGi bundle?


2 Answers


Added an extra role allAuthenticatedUsers in web.xml to allow them along with the admin user. Did not find much in the IBM documentation about OSGi bundle security, but it worked.

<security-constraint>
    <web-resource-collection>
        <!-- web-resource-name is required by the web-app schema -->
        <web-resource-name>commonlogin-secure-resources</web-resource-name>
        <url-pattern>/rest/readyToLand</url-pattern>
        <url-pattern>/LoginSuccess.jsp</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>Administrator</role-name>
        <role-name>allAuthenticatedUsers</role-name>
    </auth-constraint>
</security-constraint>
<security-role id="SecurityRole_1">
    <description>Administrator role</description>
    <role-name>Administrator</role-name>
</security-role>
<security-role id="SecurityRole_2">
    <description>Any Role</description>
    <role-name>allAuthenticatedUsers</role-name>
</security-role>

I think I do not need <role-name>Administrator</role-name>, but request.isUserInRole('Administrator') is true anyway.

Update: in any case, with the above configuration I could not distinguish the admin and test users inside the application. With IBM-Authorization-Roles: com.ibm.ws.management only the administrator is recognized: request.isUserInRole('Administrator') works, but request.isUserInRole('test') does not, even when the user logs in with that test role and is able to access the URL.

This is strange: it allows access, but when I check which role it is, it does not work. It seems there is a problem in the IBM Liberty code (17.0.0.4), but not sure.

answered 2018-01-24T07:42:36.257
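On the "do I need to bind it somewhere" point: in Liberty the role names used in web.xml are bound to registry users, groups or special subjects in server.xml, under the application's <application-bnd>; the <administrator-role> element only governs server management (what IBM-Authorization-Roles: com.ibm.ws.management checks), not the application's own roles. The following server.xml is an added example, not from the question or either answer; it assumes the tool is deployed as a regular web application via an <application> element (the location is a placeholder), reuses the admin user from the question, and adds a constructed tester user for the test role.

```xml
<server description="role binding example (assumed configuration)">
    <featureManager>
        <feature>appSecurity-2.0</feature>
        <feature>servlet-3.1</feature>
    </featureManager>

    <!-- Registry: admin comes from the question; tester/testers are constructed sample entries. -->
    <basicRegistry id="basic" realm="BasicRealm">
        <user name="admin" password="adminPassword"/>
        <user name="tester" password="testerPassword"/>
        <group name="testers">
            <member name="tester"/>
        </group>
    </basicRegistry>

    <!-- Server management role: controls access to server administration,
         not to the role names declared in the application's web.xml. -->
    <administrator-role>
        <user>admin</user>
    </administrator-role>

    <!-- Bind each web.xml role-name to a registry subject. Without a binding a
         role named in auth-constraint matches nobody and every request is refused. -->
    <application id="adminTool" location="adminTool.war" type="war">
        <application-bnd>
            <security-role name="Administrator">
                <user name="admin"/>
            </security-role>
            <security-role name="test">
                <group name="testers"/>
            </security-role>
            <!-- The first answer's allAuthenticatedUsers role, bound to the special subject
                 rather than to a named user list. -->
            <security-role name="allAuthenticatedUsers">
                <special-subject type="ALL_AUTHENTICATED_USERS"/>
            </security-role>
        </application-bnd>
    </application>
</server>
```

request.isUserInRole("test") is evaluated against this application-bnd mapping, so the tester user is recognized in that role once the binding exists.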

I have implemented the same thing using Spring Security. Suppose you have an application with different users in different roles; then you can achieve this with Spring Security. Using Spring Security is the best way to secure your application.

1. Add entries to web.xml

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

2. Then add the URLs you want to restrict to users, for example /framework/something/do by admin and /framework/something/doAction by user. Add the entries in spring-security.xml:

<security:http use-expressions="true" auto-config="false"
    entry-point-ref="http403EntryPoint" pattern="/framework/something/doAction"
    create-session="stateless">
    <security:csrf disabled="true" />
    <security:custom-filter position="PRE_AUTH_FILTER"
        ref="authorizationGlobalFilterBean" />
</security:http>

3. AuthorizationGlobalFilterBean filters users by role. You can put your validation here.

import java.io.IOException;
import java.util.List;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.json.JSONException;
import org.json.JSONObject;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;

// These two methods live inside the filter class registered as authorizationGlobalFilterBean.
// That class must also provide: logger, userServiceImpl (findUserPrivilege(String)),
// getSessionIdFromHeader(HttpServletRequest), checkSessionExpired(String),
// loadUserByUsername(String) and getMatchingUrlPrivileges(String, ServletRequest).
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
        throws IOException, ServletException {

    logger.debug("Authorization Filter Called");

    HttpServletRequest httpReq = (HttpServletRequest) request;
    HttpServletResponse httpResp = (HttpServletResponse) response;

    // The session id is carried in a request header, not in the servlet session.
    String sessionObjId = getSessionIdFromHeader(httpReq);

    // Reject expired or unknown sessions before doing any further work.
    if (checkSessionExpired(sessionObjId)) {
        httpResp.addHeader("sessionId", "");
        httpResp.addHeader("status", "false");
        httpResp.addHeader("message", "Session Expired");
        httpResp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Session Expired");
        return;
    }

    UserDetails user = loadUserByUsername(sessionObjId);
    if (user == null) {
        httpResp.addHeader("sessionId", "");
        httpResp.addHeader("status", "false");
        httpResp.addHeader("message", "User Not Found");
        httpResp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "User Not Found");
        return;
    }
    logger.debug("user name.." + user.getUsername());

    // Privileges held by this user, looked up by username.
    List<String> ltUserPrivileges = userServiceImpl.findUserPrivilege(user.getUsername());
    logger.debug("ltUserPrivileges..." + ltUserPrivileges);

    // Normalise the request path: strip the context path and re-append the query
    // string so it can be matched against the configured URL privileges.
    String requestURI = httpReq.getRequestURI();
    String contextPath = httpReq.getContextPath();
    String queryString = httpReq.getQueryString();
    int i = requestURI.indexOf(contextPath);
    if (i >= 0) {
        requestURI = requestURI.substring(i + contextPath.length());
    }
    if (queryString != null && queryString.trim().length() > 0) {
        requestURI = requestURI + "?" + queryString;
    }
    logger.debug("Final requestURI.." + requestURI);

    // Privileges required for this URL; an empty list means the URL is unrestricted.
    List<String> ltPrev = getMatchingUrlPrivileges(requestURI, request);
    boolean allowed = false;
    if (ltPrev != null && ltPrev.size() > 0) {
        for (String expectedPrev : ltPrev) {
            logger.debug("Expected Privileges.." + expectedPrev);
            if (ltUserPrivileges != null && ltUserPrivileges.contains(expectedPrev)) {
                logger.debug("Privilege Available");
                allowed = true;
                break;
            }
        }
    } else {
        logger.debug("There are no user privileges required for the URL, so allow it");
        allowed = true;
    }

    // Both branches above authenticate the user the same way, so do it once here.
    try { // If the credentials do not match, an AuthenticationException is thrown.
        Authentication authentication = attemptAuthentication(user);

        // If successfully authenticated, publish the token to the security context.
        if (authentication.isAuthenticated()) {
            SecurityContextHolder.getContext().setAuthentication(authentication);
        }
        logger.debug("successful authentication");
    } catch (AuthenticationException exception) {
        // Fail closed with an explicit 401 instead of returning silently.
        logger.error("unsuccessful authentication", exception);
        httpResp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Authentication Failed");
        return;
    }

    if (!allowed) {
        logger.debug("User Access Denied");
        httpResp.setContentType("application/json");
        httpResp.setStatus(HttpServletResponse.SC_FORBIDDEN);
        try {
            JSONObject json = new JSONObject();
            json.put("msg", "User Access Denied");
            json.put("url", requestURI);
            httpResp.getOutputStream().println(json.toString());
        } catch (JSONException e) {
            logger.error("Error: ", e);
        }
        return;
    }

    chain.doFilter(request, response);
}

Authentication attemptAuthentication(UserDetails user) throws AuthenticationException {
    // The three-argument constructor marks the token as authenticated. The authorities
    // must come from the user record loaded for this session; a fixed role list here
    // would give every authenticated user the same privileges.
    return new UsernamePasswordAuthenticationToken(user.getUsername(), user.getPassword(),
            user.getAuthorities());
}

You have the user's further roles..

public List<String> getRoles(String role) {

    List<String> roles = new ArrayList<String>();
    if (role.trim().equalsIgnoreCase("Admin".trim())) {
        roles.add("ROLE_ADMIN");
    }

    if (role.trim().equalsIgnoreCase("User".trim())) {
        roles.add("ROLE_USER");
    }
    return roles;
}
answered 2018-03-13T06:33:53.340