I am migrating some legacy applications from JBoss AS 6 to WildFly. Since the old (PicketBox) security subsystem is deprecated, I want to switch to Elytron. I followed the quickstart examples and I think my configuration is set up correctly, but I am running into problems when migrating my actual code.
Sometimes we want to authorize a user directly, rather than relying on a call coming from a client or a servlet. This is especially important in integration tests where we want to test EJB methods that require specific permissions. Currently, the login method I use for manual authorization looks like this:
// Imports the method relies on (omitted in the post); LoginContext is used fully qualified below.
import javax.security.auth.Subject;
import javax.security.auth.login.LoginException;

// Legacy (PicketBox/JAAS) programmatic login. The fields lc, sessionActivityService,
// sessionActivityId and applicationName, the helper pushSubjectContext(...) and the
// classes Credentials and PassiveCallbackHandler are declared elsewhere in the class
// and are not shown in the post.
public boolean login(String domain, Credentials credentials)
{
    try
    {
        // Resolve the JAAS login configuration named after the security domain
        lc = new javax.security.auth.login.LoginContext(domain,
                new PassiveCallbackHandler(credentials.getUsername(), credentials.getPassword()));
        lc.login();
        Subject subject = lc.getSubject();
        // Push the caller's credentials onto the legacy security context
        pushSubjectContext(credentials.getUsername(), credentials.getPassword());
        if (sessionActivityService != null)
        {
            sessionActivityId = sessionActivityService.activateSession(applicationName, "127.0.0.1");
        }
        return true;
    }
    catch (LoginException e)
    {
        e.printStackTrace();
        return false;
    }
}
When I try to call this method with a security domain defined in the Elytron subsystem, it fails. Debugging through the code, I can see that the LoginContext does not see any of the security domains from Elytron. Only the legacy (jboss.as:security) domains are visible, so it falls back to the "other" security domain.
Is there any way to do what I want with Elytron?
FYI, here are some snippets from my configuration:
standalone.xml:
<subsystem xmlns="urn:wildfly:elytron:8.0" final-providers="combined-providers" disallowed-providers="OracleUcrypto">
    <security-domains>
        ...
        <security-domain name="TestOptics" default-realm="testRealm" permission-mapper="default-permission-mapper">
            <realm name="testRealm" role-decoder="groups-to-roles"/>
        </security-domain>
    </security-domains>
    <security-realms>
        <identity-realm name="local" identity="$local"/>
        <jdbc-realm name="testRealm">
            <principal-query sql="SELECT password FROM persons WHERE username=?" data-source="TestOpticsDS">
                <clear-password-mapper password-index="1"/>
            </principal-query>
            <principal-query sql="select roles.name,'Roles' from persons join persons_to_roles on persons_to_roles.person_id=persons.id join roles on roles.id=persons_to_roles.role_id where persons.username=? and persons.enabled=1 and persons.password is not null union select 'authenticated','Roles'" data-source="OpticsDS">
                <attribute-mapping>
                    <attribute to="Roles" index="1"/>
                </attribute-mapping>
            </principal-query>
        </jdbc-realm>
        ...
    </security-realms>
    ...
    <http>
        ...
        <http-authentication-factory name="test-http-auth" security-domain="TestOptics" http-server-mechanism-factory="global">
            <mechanism-configuration>
                <mechanism mechanism-name="BASIC">
                    <mechanism-realm realm-name="testRealm"/>
                </mechanism>
            </mechanism-configuration>
        </http-authentication-factory>
        <provider-http-server-mechanism-factory name="global"/>
    </http>
    <sasl>
        ...
        <sasl-authentication-factory name="test-app-sasl-auth" sasl-server-factory="configured" security-domain="TestOptics">
            <mechanism-configuration>
                <mechanism mechanism-name="JBOSS-LOCAL-USER" realm-mapper="local"/>
                <mechanism mechanism-name="BASIC">
                    <mechanism-realm realm-name="testRealm"/>
                </mechanism>
            </mechanism-configuration>
        </sasl-authentication-factory>
        ...
    </sasl>
</subsystem>
<subsystem xmlns="urn:jboss:domain:ejb3:6.0">
    ...
    <default-security-domain value="other"/>
    <application-security-domains>
        <application-security-domain name="TestOptics" security-domain="TestOptics"/>
    </application-security-domains>
    <default-missing-method-permissions-deny-access value="true"/>
    <statistics enabled="${wildfly.ejb3.statistics-enabled:${wildfly.statistics-enabled:false}}"/>
    <log-system-exceptions value="true"/>
</subsystem>
jboss-web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE jboss-web>
<jboss-web xmlns="http://www.jboss.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:schemaLocation="http://www.jboss.com/xml/ns/javaee http://www.jboss.org/schema/jbossas/jboss-web_14_0.xsd" version="14.0">
    <!-- <context-root>person/test</context-root> -->
    <security-domain>TestOptics</security-domain>
</jboss-web>
web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>TestOptics</realm-name>
    </login-config>
</web-app>
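For comparison, here is how the same programmatic login looks against an Elytron security domain. This is an added example, not code from the question or from a WildFly quickstart. It uses the Elytron server API (`org.wildfly.security.auth.server.SecurityDomain`) instead of JAAS `LoginContext`: Elytron domains are not registered as JAAS login configurations, which is why a `LoginContext` only resolves the legacy `jboss.as:security` domains. The example assumes the calling code runs inside a deployment bound to the `TestOptics` domain (via the jboss-web.xml and ejb3 `application-security-domain` mapping shown above), so that `SecurityDomain.getCurrent()` resolves to that domain, and that the deployment declares a module dependency on `org.wildfly.security.elytron` so the API is visible at runtime. The class name `ElytronLogin`, the method names and the sample user and role in the usage comment are illustrative.

```java
import java.util.Arrays;
import java.util.concurrent.Callable;

import org.wildfly.security.auth.server.RealmUnavailableException;
import org.wildfly.security.auth.server.SecurityDomain;
import org.wildfly.security.auth.server.SecurityIdentity;
import org.wildfly.security.evidence.PasswordGuessEvidence;

/**
 * Added example (not from the original post): programmatic login against the
 * Elytron security domain the caller is running in.
 *
 * Assumptions: the deployment is bound to the Elytron domain (jboss-web.xml /
 * ejb3 application-security-domain), so SecurityDomain.getCurrent() is non-null,
 * and org.wildfly.security.elytron is declared as a module dependency of the
 * deployment. Class and method names are illustrative.
 */
public class ElytronLogin {

    /**
     * Authenticates username/password against the current Elytron domain.
     * Returns the authorized identity, or null if the realm rejects the password
     * or the domain's permission mapper does not grant LoginPermission.
     * A RealmUnavailableException (e.g. the jdbc-realm's data source is down) is
     * an infrastructure error, not a failed login, so it is propagated.
     * The password array is wiped before returning, whatever the outcome.
     */
    public SecurityIdentity login(String username, char[] password) throws RealmUnavailableException {
        SecurityDomain domain = SecurityDomain.getCurrent();
        if (domain == null) {
            throw new IllegalStateException(
                "No Elytron security domain is associated with the calling context");
        }
        PasswordGuessEvidence evidence = new PasswordGuessEvidence(password);
        try {
            // authenticate() verifies the evidence against the realm (here the
            // jdbc-realm with clear-password-mapper), then runs the domain's
            // permission mapper; it throws SecurityException on either failure.
            return domain.authenticate(username, evidence);
        } catch (SecurityException e) {
            // Do not echo the credentials; the caller decides how to report this.
            return null;
        } finally {
            evidence.destroy();          // zeroes the guess held by the evidence
            Arrays.fill(password, '\0'); // and the caller's copy
        }
    }

    /** True if the identity's roles (from the groups-to-roles decoder) include role. */
    public boolean hasRole(SecurityIdentity identity, String role) {
        return identity.getRoles().contains(role);
    }

    /**
     * Runs action with identity as the current caller. Inside the block,
     * Elytron-aware containers (for example EJB @RolesAllowed checks) see this
     * identity as the caller, which replaces the legacy pushSubjectContext(...)
     * step from the old login method.
     */
    public <T> T runAs(SecurityIdentity identity, Callable<T> action) throws Exception {
        return identity.runAs(action);
    }

    // Example use from an in-container integration test (illustrative names):
    //
    //   ElytronLogin auth = new ElytronLogin();
    //   SecurityIdentity id = auth.login("alice", "s3cret".toCharArray());
    //   if (id == null || !auth.hasRole(id, "admin")) {
    //       throw new AssertionError("login as admin failed");
    //   }
    //   String result = auth.runAs(id, () -> restrictedBean.adminOnlyMethod());
}
```

The identity is scoped to the `runAs` block rather than pushed onto a thread-wide context, so a test that logs in as two different users cannot leak one caller into the other's EJB calls. Passing the password as `char[]` and wiping it in `finally` keeps the clear-text guess out of the heap longer than necessary; the `Credentials` object in the legacy method holds it as a `String`, which cannot be cleared.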