1

我想知道是否有更好的方法(无需反射)来获取特定 URL 和角色的 java.security.Permissions。

例如:

 boolean canAccess = SecurityController.isAllowedToAccessUrl("/pages/confirmOrders.action", Collections.singletonList(new UserPrincipal("Dave")));

将使用以下约束(web.xml):

<security-constraint>
 <web-resource-collection>
   <web-resource-name></web-resource-name>
   <url-pattern>/pages/confirmOrders.action</url-pattern>
 </web-resource-collection>
 <auth-constraint>
   <role-name>Dave</role-name>
 </auth-constraint>

我在下面写的代码效果很好。我不喜欢的是我必须使用反射从 DelegatingPolicy.getInstance() 调用 getContextPolicy 并从 ContextPolicy 调用 getPermissionsForRole。

import org.jboss.security.jacc.ContextPolicy;
import org.jboss.security.jacc.DelegatingPolicy;

import javax.security.jacc.PolicyConfigurationFactory;
import javax.security.jacc.PolicyContext;
import javax.security.jacc.PolicyContextException;
import javax.security.jacc.WebResourcePermission;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.security.Permissions;
import java.security.Principal;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;

public class SecurityController {
  private static final Logger LOG  = Logger.getLogger(SecurityController.class.getName());

  static boolean isAllowedToAccessUrl(final String url, final List<Principal> principalRoles) {
    initializeConfigurationInService();

    boolean result = false;
    for (Principal principalRole : principalRoles) {
      try{
        final ContextPolicy contextPolicy = getContextPolicy();
        final Permissions permissions = getPermissionsFromContextPolicy(contextPolicy, principalRole.getName());
        result |= permissions.implies(new WebResourcePermission(url, new String[] {"GET","POST"}));
      }catch (Exception e){
        LOG.log(Level.SEVERE, "checkAllowed failed checking if : ", e);
      }
    }
    return result;
  }

  private static void initializeConfigurationInService() {
    try {
      final PolicyConfigurationFactory policyConfigurationFactory = PolicyConfigurationFactory.getPolicyConfigurationFactory();
      policyConfigurationFactory.getPolicyConfiguration(PolicyContext.getContextID(), false);
    } catch (PolicyContextException | ClassNotFoundException e) {
      LOG.log(Level.INFO, "initializeConfigurationInService", e);
    }
  }

  private static Permissions getPermissionsFromContextPolicy(ContextPolicy contextPolicy, String loginName) throws NoSuchMethodException, IllegalAccessException, InvocationTargetException {
    final Method getPermissionsForRole = contextPolicy.getClass().getDeclaredMethod("getPermissionsForRole", String.class);
    getPermissionsForRole.setAccessible(true);
    return (Permissions) getPermissionsForRole.invoke(contextPolicy, loginName);
  }


  private static ContextPolicy getContextPolicy() throws NoSuchMethodException, IllegalAccessException, InvocationTargetException {
    final DelegatingPolicy delegatingPolicy = DelegatingPolicy.getInstance();
    final Method getContextPolicy = delegatingPolicy.getClass().getDeclaredMethod("getContextPolicy", String.class);
    getContextPolicy.setAccessible(true);
    return (ContextPolicy) getContextPolicy.invoke(delegatingPolicy, PolicyContext.getContextID());
  }
}

以编程方式从 web.xml 中读取了检索安全约束,但发现它不是很有用。

任何意见,想法都非常欢迎。谢谢!

4

2 回答 2

2

Java EE 8 中提供了一种类似的标准方法来执行“isAllowedToAccessUrl”函数。

boolean hasAccessToWebResource(String resource, String... methods)

根据 Servlet 规范第 13.8 节的规定,检查调用者是否可以使用给定的方法访问提供的“网络资源”。如果 Web 资源不受保护(约束),或者当它受角色保护并且调用者处于该角色中时,调用者具有访问权限。

请参阅:SecurityContext#hasAccessToWebResource

于 2019-03-30T16:21:18.427 回答
1

感谢Uux的评论,我能够缩短我的代码并摆脱使用反射。我现在可以验证是否允许特定角色访问我的代码中的特定 URL。

下面的可行代码:

import javax.security.jacc.WebResourcePermission;
import java.security.CodeSource;
import java.security.Policy;
import java.security.Principal;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;

public class SecurityController {
  private static final Logger LOG = Logger.getLogger(SecurityController.class.getName());

  static boolean isAllowedToAccessUrl(final String url, final List<Principal> principalRoles) {
    try {
      final CodeSource codesource = new CodeSource(null, (Certificate[]) null);
      final Principal[] principals = principalRoles.toArray(new Principal[0]);
      final ProtectionDomain domain = new ProtectionDomain(codesource, null, null, principals);
      return Policy.getPolicy().implies(domain, (new WebResourcePermission(url, new String[] {"GET", "POST"})));
    } catch (Exception e) {
      LOG.log(Level.SEVERE, "checkAllowed failed checking if : ", e);
    }
    return false;
  }
}
于 2018-08-03T12:43:20.627 回答