3

如果此人具有特定角色并且他们与 JIRA 中的特定组相关联,我有一个可以调用的方法。由于 JIRA 中的组是动态的,因此我不能为每个 JIRA 组分配一个角色。

@DeclareRoles({
  FileServerRoles.FILE_ADDER,
  FileServerRoles.FILE_ADDER_ALL,
  FileServerRoles.FILE_VIEWER,
  FileServerRoles.FILE_VIEWER_ALL})
public final class FileServerRoles {

  /**
   * A user that can add files to the system.
   */
  public static final String FILE_ADDER = "file-adder";
  /**
   * A user that can add any files to the system.
   */
  public static final String FILE_ADDER_ALL = "file-adder-all";
  /**
   * A user that can view files in the system.
   */
  public static final String FILE_VIEWER = "file-viewer";
  /**
   * A user that can view all files in the system.
   */
  public static final String FILE_VIEWER_ALL = "file-viewer-all";
}

我使用 . 声明所有角色@DeclareRoles

@Decorator
public class FileServerServiceProjectAuthorizationDecorator implements FileServerService {

  private static Logger LOGGER = LoggerFactory.getLogger(FileServerServiceProjectAuthorizationDecorator.class);
  @Inject
  @Delegate
  @Any
  FileServerService delagate;
  @Inject
  @CurrentUser
  Set<JiraProjectReference> currentUserProjectReferences;
  @Resource
  SessionContext sessionContext;

  void verifyProjectKey(final String projectKey) {
    for (final JiraProjectReference projectReference : currentUserProjectReferences) {
      if (projectReference.getKey().equalsIgnoreCase(projectKey)) {
        return;
      }
    }
    throw new IllegalArgumentException("user not in the project");
  }

  @RolesAllowed({FileServerRoles.FILE_ADDER, FileServerRoles.FILE_ADDER_ALL})
  @Override
  public FileAddStatus addFileToRepository(final String projectKey, final String issueKey, final String fileName, final String mimeType, final File file) {
    if (!sessionContext.isCallerInRole(FileServerRoles.FILE_ADDER_ALL)) {
      verifyProjectKey(projectKey);
    }
    return delagate.addFileToRepository(projectKey, issueKey, fileName, mimeType, file);
  }

  @RolesAllowed({FileServerRoles.FILE_VIEWER, FileServerRoles.FILE_VIEWER_ALL})
  @Override
  public FileDescriptor retrieveFileFromRepository(final String projectKey, final String issueKey, final UUID uuid, final String fileName) {
    if (!sessionContext.isCallerInRole(FileServerRoles.FILE_VIEWER_ALL)) {
      verifyProjectKey(projectKey);
    }

    return delagate.retrieveFileFromRepository(projectKey, issueKey, uuid, fileName);
  }
}

!sessionContext.isCallerInRole(FileServerRoles.FILE_VIEWER_ALL)总是抛出IllegalStateException

Caused by: java.lang.IllegalStateException: No mapping available for role reference file-viewer-all
        at com.sun.ejb.containers.EJBContextImpl.isCallerInRole(EJBContextImpl.java:458)
        at edu.wvu.esd.swordfish.web.service.FileServerServiceProjectAuthorizationDecorator.retrieveFileFromRepository(FileServerServiceProjectAuthorizationDecorator.java:59)
        ... 89 more

@RolesAllowed. 我还尝试将角色声明移动到 web.xml 中。谷歌上没有很多关于错误的引用。

有人见过这个吗?你的解决方案是什么?

4

1 回答 1

3

在 GlassFish 3.1 的 EJB 中调用 isCallerInRole(roleName) 方法时,我收到了相同的“没有可用于角色引用的映射”错误。为我解决的问题是将适当的 @DeclareRoles 注释添加到我的 EJB 中。如果传递给 isCallerInRole 的角色名称不在 @DeclareRoles 中,则会引发 IllegalStateException。我不确定装饰器中的安全性如何工作,但@DeclareRoles 对我来说是关键。

这是一个简单的例子:

@Stateless
@LocalBean
@DeclareRoles({"user", "admin"})
public class ExampleEJB {
    @Resource
    private SessionContext sessionContext;

    public boolean isUserInRole(String roleName) {
        return sessionContext.isCallerInRole(roleName);
    }
}
于 2012-02-15T21:14:40.597 回答