我刚开始在GlassFish服务器上使用JSF,JPA和EJB开展宠物项目,而我目前正在使用JAAS设置身份验证模块。它现在已经完成了,除了我无法找到解决方案的错误。
我的前提
我在数据库中有一个表用户,我在其中存储了所有电子邮件,密码和角色(暂时没有标准化)。我没有为团体提供任何条款。用户只需分配一个角色。
我的数据是:
username | role | password
mannyee Member (sha-256 value)
我在GlassFish服务器中设置了JDBC领域(findRoomieRealm)。设置的属性有:
JAAS Context : jdbcRealm
JNDI : jdbc/sample
User Table : users
User Name Column: email
Password Column : password
Group Table : users
Group Name Column: role
Password Encryption Algorithm: SHA-256
Group Table User Name Column: (empty)
然后我在web.xml中设置以下内容
<welcome-file-list>
<welcome-file>pages/user/dashboard.xhtml</welcome-file>
</welcome-file-list>
<!-- Protected area definition -->
<security-constraint>
<web-resource-collection>
<web-resource-name>Restricted Area</web-resource-name>
<url-pattern>/pages/user/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>MEMBER</role-name>
</auth-constraint>
</security-constraint>
<!-- Login page -->
<login-config>
<auth-method>FORM</auth-method>
<realm-name>findRoomieRealm</realm-name>
<form-login-config>
<form-login-page>/faces/login.xhtml</form-login-page>
<form-error-page>/faces/error.xhtml</form-error-page>
</form-login-config>
</login-config>
<!-- System roles -->
<security-role>
<role-name>ADMIN</role-name>
</security-role>
<security-role>
<role-name>MEMBER</role-name>
</security-role>
我的问题:
当我尝试访问受保护的页面时,登录页面会拦截我可以成功登录系统的请求。我可以通过服务器生成的日志验证这一点:
Fine: [Web-Security] Setting Policy Context ID: old = null ctxID = findRoomie/findRoomie
Fine: [Web-Security] hasUserDataPermission perm: ("javax.security.jacc.WebUserDataPermission" "/j_security_check" "POST")
Fine: [Web-Security] hasUserDataPermission isGranted: true
Finest: Processing login with credentials of type: class com.sun.enterprise.security.auth.login.common.PasswordCredential
Fine: Logging in user [mannyee] into realm: findRoomieRealm using JAAS module: jdbcRealm
Fine: Login module initialized: class com.sun.enterprise.security.ee.auth.login.JDBCLoginModule
Finest: JDBC login succeeded for: mannyee groups:[Member]
Fine: JAAS login complete.
Fine: JAAS authentication committed.
Fine: Password login succeeded for : mannyee
Fine: Set security context as user: mannyee
但是我在请求的页面上(登录后立即)获得了Forbidden状态,并且在我获得的日志文件中:
Fine: [Web-Security] Setting Policy Context ID: old = null ctxID = findRoomie/findRoomie
Fine: [Web-Security] hasUserDataPermission perm: ("javax.security.jacc.WebUserDataPermission" "" "GET")
Fine: [Web-Security] hasUserDataPermission isGranted: true
Fine: [Web-Security] Policy Context ID was: findRoomie/findRoomie
Fine: [Web-Security] Codesource with Web URL: file:/findRoomie/findRoomie
Fine: [Web-Security] Checking Web Permission with Principals : null
Fine: [Web-Security] Web Permission = ("javax.security.jacc.WebResourcePermission" "/pages/user/dashboard.xhtml" "GET")
Finest: JACC Policy Provider: PolicyWrapper.implies, context (findRoomie/findRoomie)- result was(false) permission (("javax.security.jacc.WebResourcePermission" "/pages/user/dashboard.xhtml" "GET"))
Fine: [Web-Security] hasResource isGranted: false
Fine: [Web-Security] hasResource perm: ("javax.security.jacc.WebResourcePermission" "/pages/user/dashboard.xhtml" "GET")
Fine: [Web-Security] Policy Context ID was: findRoomie/findRoomie
Fine: [Web-Security] Generating a protection domain for Permission check.
Fine: [Web-Security] Checking with Principal : mannyee
Fine: [Web-Security] Checking with Principal : Member
Fine: [Web-Security] Codesource with Web URL: file:/findRoomie/findRoomie
Fine: [Web-Security] Checking Web Permission with Principals : mannyee, Member
Fine: [Web-Security] Web Permission = ("javax.security.jacc.WebResourcePermission" "/pages/user/dashboard.xhtml" "GET")
Finest: JACC Policy Provider: PolicyWrapper.implies, context (findRoomie/findRoomie)- result was(false) permission (("javax.security.jacc.WebResourcePermission" "/pages/user/dashboard.xhtml" "GET"))
Fine: [Web-Security] hasResource isGranted: false
虽然具有成员角色的用户应该已获得访问权限,但服务器禁止来自用户mannyee的请求。所以我在glassfish-web.xml(sun-web.xml)
上设置了以下内容<security-role-mapping>
<role-name>Member</role-name>
<principal-name>mannyee</principal-name>
<!-- <group-name>Member</group-name>-->
</security-role-mapping>
但我仍然无法让此用户访问该页面。我认为问题在于角色分配。 Sever日志显示GlassFish尝试通过同时使用&#39; mannyee&#39;和&#39;会员&#39;作为校长,但两者都失败了。还有一行说
Fine: [Web-Security] Checking Web Permission with Principals : null
我不太清楚这意味着什么。
任何人都可以指出我在这里缺少的东西吗?
谢谢!
答案 0 :(得分:0)
经过一些修补配置后,我终于找到了解决方案。我对我的王国进行了以下更改
Assign Groups: ADMIN,MEMBER
然后在glassfish-web.xml中
<security-role-mapping>
<role-name>MEMBER</role-name>
<principal-name>MEMBER</principal-name>
<group-name>MEMBER</group-name>
</security-role-mapping>
我还遇到了区分大小写的问题,我在表中将角色存储为成员,但在我的所有配置中都使用 MEMBER 。