我通过“security-constraint”保护我在web.xml中调用servlet的RESTFul服务。但是当我通过“security-constraint”保护它时,我不能从servlet调用这个服务,当我评论出来时,我的服务不再受到保护,我可以从客户端调用服务。请建议一种方法,我可以保护我的服务,仍然从servlet调用它。
服务战
ent_securityprefs_empService
-src
-com.xxxx.channel.employee.service
-Employee.java
-Employees.java
-EmployeeService.java
-com.xxxx.channel.employee.service.bean
-EmployeeBean.java
-WebContent
-WEB-INF
-beans.xml
-jboss-web.xml
-web.xml
-hello.jsp
Employee.java
@XmlRootElement
public class Employee {
private int empId;
private String empName;
private String empAddress;
public int getEmpId() {
return empId;
}
public void setEmpId(int empId) {
this.empId = empId;
}
public String getEmpName() {
return empName;
}
public void setEmpName(String empName) {
this.empName = empName;
}
public String getEmpAddress() {
return empAddress;
}
public void setEmpAddress(String empAddress) {
this.empAddress = empAddress;
}
}
Employees.java
@XmlRootElement
public class Employees {
private List<Employee> employee;
public List<Employee> getEmployee() {
return employee;
}
public void setEmployee(List<Employee> employee) {
this.employee = employee;
}
}
EmployeeService.java
@Produces({ "application/xml" })
@Path("/employee")
public class EmployeeService {
@Inject
private EmployeeBean empBean;
private TreeMap employeeMap = new TreeMap();
public EmployeeService(){
Employee employee1 = new Employee();
employee1.setEmpId(1111);
employee1.setEmpName("EmployeeOne");
employee1.setEmpAddress("San Antonio TX");
Employee employee2 = new Employee();
employee2.setEmpId(2222);
employee2.setEmpName("EmployeeTwo");
employee2.setEmpAddress("Dallas TX");
Employee employee3 = new Employee();
employee3.setEmpId(3333);
employee3.setEmpName("EmployeeThree");
employee3.setEmpAddress("Austin TX");
employeeMap.put(employee1.getEmpId(),employee1);
employeeMap.put(employee2.getEmpId(),employee2);
employeeMap.put(employee3.getEmpId(),employee3);
}
@GET
@Produces({ "application/xml" })
@Path("/allEmp")
public Employees getEmployees(){
List employees = new ArrayList();
employees.addAll(empBean.getEmployeeMap().values());
Employees allEmployees = new Employees();
allEmployees.setEmployee(employees);
return allEmployees;
}
@GET
@Path("/{id}")
public Employee getEmployee(@PathParam("id") int employeeId){
return (Employee) employeeMap.get(employeeId);
}
@POST
@Path("/addEmp")
@Produces({ "application/xml" })
public Employee addEmployee(@FormParam("employeeId")int id, @FormParam("employeeName")String name, @FormParam("employeeAddress")String address){
Employee employee = new Employee();
employee.setEmpId(id);
employee.setEmpName(name);
employee.setEmpAddress(address);
employeeMap.put(employee.getEmpId(), employee);
empBean.setEmployeeMap(employeeMap);
return employee;
}
}
EmployeeBean.java
@ApplicationScoped
public class EmployeeBean implements Serializable{
private TreeMap employeeMap;
public EmployeeBean(){
employeeMap = new TreeMap();
}
public TreeMap getEmployeeMap() {
return employeeMap;
}
public void setEmployeeMap(TreeMap employeeMap) {
this.employeeMap = employeeMap;
}
}
beans.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/beans_1_0.xsd">
<!-- An application that uses CDI must have a file named beans.xml.
The file can be completely empty (it has content only in certain
limited situations), but it must be present. -->
</beans>
jboss-web.xml
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
<security-domain>java:/jaas/Employee</security-domain>
</jboss-web>
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://java.sun.com/xml/ns/javaee"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
id="WebApp_ID" version="3.0">
<display-name>ent_securityprefs_empService</display-name>
<welcome-file-list>
<welcome-file>hello.jsp</welcome-file>
</welcome-file-list>
<context-param>
<param-name>resteasy.role.based.security</param-name>
<param-value>true</param-value>
</context-param>
<servlet-mapping>
<servlet-name>javax.ws.rs.core.Application</servlet-name>
<url-pattern>/rest/*</url-pattern>
</servlet-mapping>
<!-- <security-constraint>
<web-resource-collection>
<web-resource-name>EmployeeChannel</web-resource-name>
<url-pattern>/rest/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint> -->
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
<security-role>
<role-name>*</role-name>
</security-role>
</web-app>
hello.jsp
<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
pageEncoding="ISO-8859-1"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Employee Channel</title>
</head>
<body>
<a >Employee Record</a>
</body>
</html>
客户战争
ent_securityprefs_emp
-src
-EmployeeServlet.java
-WebContent
-WEB-INF
-jboss-deployment-structure.xml
-jboss-web.xml
-web.xml
-index.jsp
EmployeeServlet.java
@WebServlet("/EmployeeServlet")
public class EmployeeServlet extends HttpServlet {
protected void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {
PrintWriter pw=res.getWriter();
res.setContentType("text/xml");
try{
//Initiate a client request using the url as a parameter
ClientRequest request = new ClientRequest("http://localhost:8080/ent_securityprefs_empService/rest/employee/1111");
request.accept("application/xml");
//To get the response based on the request
ClientResponse<String> response = request.get(String.class);
//Check the HTTP status of the request
//HTTP 200 indicates the request is OK
if(response.getStatus() != 200){
throw new RuntimeException("Failed request with HTTP status: "+response.getStatus());
}
//If we get a good response, now let's read it
BufferedReader br = new BufferedReader(new InputStreamReader(new ByteArrayInputStream(response.getEntity().getBytes())));
String output;
//Loop over the br in order to print out the contents
while((output = br.readLine()) != null){
pw.println(output);
}
} catch(ClientProtocolException cpe) {
System.err.println(cpe);
} catch(IOException ioe){
System.err.println(ioe);
} catch(Exception e){
System.err.println(e);
}
pw.close();
}
}
jboss-deployment-structure.xml
<jboss-deployment-structure>
<deployment>
<dependencies>
<module name="com.xxxx.channel"/>
</dependencies>
</deployment>
</jboss-deployment-structure>
:此模块包含所有必需的依赖项。 jboss-web.xml
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
<security-domain>java:/jaas/Employee</security-domain>
</jboss-web>
的web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" id="WebApp_ID" version="3.0">
<display-name>ent_securityprefs_emp</display-name>
<context-param>
<param-name>resteasy.role.based.security</param-name>
<param-value>true</param-value>
</context-param>
<security-constraint>
<web-resource-collection>
<web-resource-name>EmployeeChannel</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
<security-role>
<role-name>*</role-name>
</security-role>
<welcome-file-list>
<welcome-file>index.jsp</welcome-file>
</welcome-file-list>
</web-app>
的index.jsp
<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
pageEncoding="ISO-8859-1"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Employee Client</title>
</head>
<body>
<form action="EmployeeServlet">
<table>
<tr>
<input type="submit" value="Employee Record" />
</tr>
</table>
</form>
</body>
</html>
服务器配置文件
:我只是添加安全域部分以避免混淆。这是我的服务和客户端配置到的安全域。
独立-full.xml
<security-domain name="Employee" cache-type="default">
<authentication>
<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
<module-option name="java.naming.provider.url" value="ldap://ha-adds-global.xxxx.com:3268"/>
<module-option name="bindDN" value="CN=prodjbsvc,OU=ServiceAccounts,OU=NOPOL,dc=eagle,dc=xxxx,dc=com"/>
<module-option name="bindCredential" value="XQtU@1lc"/>
<module-option name="baseCtxDN" value="dc=eagle,dc=xxxx,dc=com"/>
<module-option name="baseFilter" value="(&(sAMAccountName={0})(memberOf=CN=XXXX ALL_CONTRACTORS,OU=GROUPS,OU=SMO,OU=COSAs,DC=eagle,DC=usaa,DC=com))"/>
<module-option name="rolesCtxDN" value="ou=COSAs,dc=eagle,dc=xxxx,dc=com"/>
<module-option name="roleFilter" value="(sAMAccountName={0})"/>
<module-option name="roleAttributeID" value="memberOf"/>
<module-option name="roleAttributeIsDN" value="true"/>
<module-option name="roleNameAttributeID" value="cn"/>
<module-option name="roleRecursion" value="-1"/>
<module-option name="searchScope" value="SUBTREE_SCOPE"/>
<module-option name="allowEmptyPasswords" value="false"/>
<module-option name="java.naming.referral" value="follow"/>
</login-module>
</authentication>
</security-domain>