访问受保护的URL时出现JAAS Forbidden Error(403)

时间:2015-01-31 03:29:06

标签: java-ee glassfish jaas

我刚开始在GlassFish服务器上使用JSF,JPA和EJB开展宠物项目,而我目前正在使用JAAS设置身份验证模块。它现在已经完成了,除了我无法找到解决方案的错误。

我的前提

我在数据库中有一个表用户,我在其中存储了所有电子邮件密码角色(暂时没有标准化)。我没有为团体提供任何条款。用户只需分配一个角色。

我的数据是:

username        |   role   |      password
mannyee            Member        (sha-256 value)  

我在GlassFish服务器中设置了JDBC领域(findRoomieRealm)。设置的属性有:

JAAS Context    :   jdbcRealm
JNDI        :   jdbc/sample
User Table  :   users
User Name Column:   email 
Password Column :   password
Group Table :   users
Group Name Column:  role
Password Encryption Algorithm:  SHA-256
Group Table User Name Column: (empty)

然后我在web.xml中设置以下内容

<welcome-file-list>
    <welcome-file>pages/user/dashboard.xhtml</welcome-file>
</welcome-file-list>

<!-- Protected area definition -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Restricted Area</web-resource-name>
        <url-pattern>/pages/user/*</url-pattern> 
    </web-resource-collection>

    <auth-constraint>
        <role-name>MEMBER</role-name>
    </auth-constraint>
</security-constraint>


<!-- Login page -->
<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>findRoomieRealm</realm-name>
    <form-login-config>
        <form-login-page>/faces/login.xhtml</form-login-page>
        <form-error-page>/faces/error.xhtml</form-error-page>
    </form-login-config>
</login-config>

<!-- System roles -->
<security-role>
 <role-name>ADMIN</role-name>
</security-role>
<security-role>
 <role-name>MEMBER</role-name>
</security-role>

我的问题:

当我尝试访问受保护的页面时,登录页面会拦截我可以成功登录系统的请求。我可以通过服务器生成的日志验证这一点:

Fine:   [Web-Security] Setting Policy Context ID: old = null ctxID = findRoomie/findRoomie
Fine:   [Web-Security] hasUserDataPermission perm: ("javax.security.jacc.WebUserDataPermission" "/j_security_check" "POST")
Fine:   [Web-Security] hasUserDataPermission isGranted: true
Finest:   Processing login with credentials of type: class com.sun.enterprise.security.auth.login.common.PasswordCredential 
Fine:   Logging in user [mannyee] into realm: findRoomieRealm using JAAS module: jdbcRealm
Fine:   Login module initialized: class com.sun.enterprise.security.ee.auth.login.JDBCLoginModule
Finest:   JDBC login succeeded for: mannyee groups:[Member]
Fine:   JAAS login complete.
Fine:   JAAS authentication committed.
Fine:   Password login succeeded for : mannyee
Fine:   Set security context as user: mannyee

但是我在请求的页面上(登录后立即)获得了Forbidden状态,并且在我获得的日志文件中:

Fine:   [Web-Security] Setting Policy Context ID: old = null ctxID = findRoomie/findRoomie
Fine:   [Web-Security] hasUserDataPermission perm: ("javax.security.jacc.WebUserDataPermission" "" "GET")
Fine:   [Web-Security] hasUserDataPermission isGranted: true
Fine:   [Web-Security] Policy Context ID was: findRoomie/findRoomie
Fine:   [Web-Security] Codesource with Web URL: file:/findRoomie/findRoomie
Fine:   [Web-Security] Checking Web Permission with Principals : null
Fine:   [Web-Security] Web Permission = ("javax.security.jacc.WebResourcePermission" "/pages/user/dashboard.xhtml" "GET")
Finest:   JACC Policy Provider: PolicyWrapper.implies, context (findRoomie/findRoomie)- result was(false) permission (("javax.security.jacc.WebResourcePermission" "/pages/user/dashboard.xhtml" "GET"))
Fine:   [Web-Security] hasResource isGranted: false
Fine:   [Web-Security] hasResource perm: ("javax.security.jacc.WebResourcePermission" "/pages/user/dashboard.xhtml" "GET")
Fine:   [Web-Security] Policy Context ID was: findRoomie/findRoomie
Fine:   [Web-Security] Generating a protection domain for Permission check.
Fine:   [Web-Security] Checking with Principal : mannyee
Fine:   [Web-Security] Checking with Principal : Member
Fine:   [Web-Security] Codesource with Web URL: file:/findRoomie/findRoomie
Fine:   [Web-Security] Checking Web Permission with Principals : mannyee, Member
Fine:   [Web-Security] Web Permission = ("javax.security.jacc.WebResourcePermission" "/pages/user/dashboard.xhtml" "GET")
Finest:   JACC Policy Provider: PolicyWrapper.implies, context (findRoomie/findRoomie)- result was(false) permission (("javax.security.jacc.WebResourcePermission" "/pages/user/dashboard.xhtml" "GET"))
Fine:   [Web-Security] hasResource isGranted: false

虽然具有成员角色的用户应该已获得访问权限,但服务器禁止来自用户mannyee的请求。所以我在glassfish-web.xml(sun-web.xml)

上设置了以下内容
<security-role-mapping>
    <role-name>Member</role-name>
    <principal-name>mannyee</principal-name>
    <!--        <group-name>Member</group-name>-->
  </security-role-mapping>

但我仍然无法让此用户访问该页面。我认为问题在于角色分配。 Sever日志显示GlassFish尝试通过同时使用&#39; mannyee&#39;和&#39;会员&#39;作为校长,但两者都失败了。还有一行说

    Fine:   [Web-Security] Checking Web Permission with Principals : null

我不太清楚这意味着什么。

任何人都可以指出我在这里缺少的东西吗?

谢谢!

1 个答案:

答案 0 :(得分:0)

经过一些修补配置后,我终于找到了解决方案。我对我的王国进行了以下更改

Assign Groups: ADMIN,MEMBER

然后在glassfish-web.xml中

<security-role-mapping>
    <role-name>MEMBER</role-name>
    <principal-name>MEMBER</principal-name>
    <group-name>MEMBER</group-name>
</security-role-mapping>

我还遇到了区分大小写的问题,我在表中将角色存储为成员,但在我的所有配置中都使用 MEMBER