我在jboss eap 6.1应用服务器中开发了一个基于Ejb的Web服务。 如果没有身份验证,此服务将按预期工作。 现在,我已按照我执行的步骤为此Web服务添加了基本的身份验证机制:
我通过以下方式注释了我的ejb(它实现了ws):
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;
import javax.jws.WebService;
import org.jboss.ejb3.annotation.SecurityDomain;
import org.jboss.ws.api.annotation.WebContext;
@Stateless
@WebService(name = "HelloWorldWS", targetNamespace="http://my-company/ws/")
@WebContext(authMethod = "BASIC", contextRoot = "helloWS", urlPattern ="/*")
@SecurityDomain("helloworld-webservice-login")
public class HelloWorldWebService implements HelloWorldWebServiceRemote {
@RolesAllowed({"mioruolo"})
public String sayHello() {
return "Hello World";
}
}
并且,据此,我在standalone.xml文件中添加了helloworld-webservice-login安全域,如下所示:
<security-domain name="helloworld-webservice-login">
<authentication>
<login-module code="Database" flag="required">
<module-option name="dsJndiName" value="java:jboss/datasources/ExampleDS"/>
<module-option name="principalsQuery" value="select password from s_principals where principal_id=?"/>
<module-option name="rolesQuery" value="select role, 'Roles' from s_roles where principal_id=?"/>
</login-module>
</authentication>
</security-domain>
所以,我希望,只有名为“mioruolo”的角色的用户才能访问网络服务。 我在我的oracle 10g数据库中添加了表s_roles和s_principals,并且我已经在Toad窗口中执行了xml文件中的两个查询,并且这两个查询都按预期工作。
我使用jax-ws生成的客户端来调用此Web服务,并在客户端以下列方式传递HTTP头中的凭据:
bindingProvider.getRequestContext().put(BindingProvider.USERNAME_PROPERTY, "federico");
bindingProvider.getRequestContext().put(BindingProvider.PASSWORD_PROPERTY, "passwd");
我得到的响应始终是403禁止状态代码。 我检查了jboss日志文件,我播下了以下几行:
14:50:40,693 DEBUG [org.apache.catalina.authenticator] (http-/127.0.0.1:8080-1) Security checking request POST /helloWS
14:50:40,694 DEBUG [org.apache.catalina.realm] (http-/127.0.0.1:8080-1) Checking constraint 'SecurityConstraint[HelloWorldWebService]' against POST / --> true
14:50:40,709 DEBUG [org.apache.catalina.realm] (http-/127.0.0.1:8080-1) Checking constraint 'SecurityConstraint[HelloWorldWebService]' against POST / --> true
14:50:40,709 DEBUG [org.apache.catalina.authenticator] (http-/127.0.0.1:8080-1) Calling hasUserDataPermission()
14:50:40,709 DEBUG [org.apache.catalina.realm] (http-/127.0.0.1:8080-1) User data constraint has no restrictions
14:50:40,710 DEBUG [org.apache.catalina.authenticator] (http-/127.0.0.1:8080-1) Calling authenticate()
14:50:41,287 DEBUG [org.apache.catalina.authenticator] (http-/127.0.0.1:8080-1) Authenticated 'federico' with type 'BASIC'
14:50:41,288 DEBUG [org.apache.catalina.authenticator] (http-/127.0.0.1:8080-1) Calling accessControl()
14:50:41,288 DEBUG [org.apache.catalina.realm] (http-/127.0.0.1:8080-1) Checking roles GenericPrincipal[federico(mioruolo,)]
14:50:41,321 DEBUG [org.apache.catalina.authenticator] (http-/127.0.0.1:8080-1) Failed accessControl() test
因此,身份验证正常,但授权(我认为检查“federico”用户是否具有“mioruolo”角色)失败,我无法弄清楚原因,因为查询是在Toad客户端执行的执行没有问题。
有关此错误的任何想法? 任何帮助都将非常感激。
非常感谢
问候
答案 0 :(得分:0)
您必须在HelloWorldWebService中声明角色:
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;
import javax.jws.WebService;
import org.jboss.ejb3.annotation.SecurityDomain;
import org.jboss.ws.api.annotation.WebContext;
@Stateless
@WebService(name = "HelloWorldWS", targetNamespace="http://my-company/ws/")
@WebContext(authMethod = "BASIC", contextRoot = "helloWS", urlPattern ="/*")
@SecurityDomain("helloworld-webservice-login")
@javax.annotation.security.DeclareRoles.DeclareRoles({"mioruolo"})
public class HelloWorldWebService implements HelloWorldWebServiceRemote {
@RolesAllowed({"mioruolo"})
public String sayHello() {
return "Hello World";
}
}