我正在构建一个单独的admincenter工具,需要管理员角色才能访问。如何在web.xml的身份验证约束中指定它。
我在下面试过,它无法正常工作
<security-constraint>
<web-resource-collection>
<web-resource-name>commonlogin-secure-resources</web-resource-name>
<url-pattern>/rest/readyToLand</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>test</role-name>
<role-name>Administrator</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
在server.xml
<basicRegistry>
<user name="admin" password="adminPassword"/>
</basicRegistry>
<administrator-role>
<user>admin</user>
</administrator-role>
登录后如果我尝试访问此网址,则表示我无权访问该网址。我需要在某处做绑定吗?
将IBM-Authorization-Roles: com.ibm.ws.management添加到MANIFEST.MF后,我可以使用admin角色访问它,但不能使用test角色访问它。配置有什么问题。如何在osgi包中进行角色映射?
答案 0 :(得分:1)
在web.xml添加额外角色allAuthenticatedUsers以允许他们与管理员用户一起使用。在ibm文档中没有找到关于OSGI bundle安全性的更多信息。但它奏效了。
<security-constraint>
<web-resource-collection>
<url-pattern>/rest/readyToLand</url-pattern>
<url-pattern>/LoginSuccess.jsp</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>Administrator</role-name>
<role-name>allAuthenticatedUsers</role-name>
</auth-constraint>
</security-constraint>
<security-role id="SecurityRole_1">
<description>Administrator role</description>
<role-name>Administrator</role-name>
</security-role>
<security-role id="SecurityRole_2">
<description>Any Role</description>
<role-name>allAuthenticatedUsers</role-name>
</security-role>
我想我不需要<role-name>Administrator</role-name>。但request.isUserInRole('Administrator')无论如何都是真实的。
<强>更新
任何一种情况我无法识别具有上述配置的应用程序中的管理员,测试用户。使用IBM-Authorization-Roles: com.ibm.ws.management时,只能识别出管理员 - request.isUserInRole('Administrator')可以使用。但即使用户使用该测试角色登录,也不是request.isUserInRole('test')。能够访问该URL。
这很奇怪 - 它允许访问但是当我检查角色是什么时,它不起作用。看起来IBM中存在一个问题 - Liberty代码(17.0.0.4)。但不确定。
答案 1 :(得分:0)
我使用spring security实现了相同的功能。 假设您有应用程序,并且您有不同的用户 角色让你可以通过弹簧安全来实现。使用弹簧安全是 保护您申请的最佳方式。
1.在Web.xml中添加条目
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<强> 2。然后将您想要限制的网址添加到用户 / framework / something /由admin执行 / framework / something / doAction by user在Spring-security.xml中添加条目
<security:http use-expressions="true" auto-config="false"
entry-point-ref="http403EntryPoint" pattern="/framework/something/doAction"
create-session="stateless">
<security:csrf disabled="true" />
<security:custom-filter position="PRE_AUTH_FILTER"
ref="authorizationGlobalFilterBean" />
</security:http>
3.AuthorizationGlobalFilterBean将按角色过滤用户..你可以把 你的验证在这里。
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
logger.debug("Authorization Filter Called#########################################################");
// logger.debug("sessionServiceImpl..."+sessionServiceImpl);
// logger.debug("iUserDao..."+iUserDao);
HttpServletRequest httpReq = (HttpServletRequest) request;
// logger.debug("http Request URL.."+httpReq.getRequestURL());
HttpServletRequest r = (HttpServletRequest) request;
String sessionObjId = getSessionIdFromHeader(r);
// check session
boolean isSessionExpired = checkSessionExpired(sessionObjId);
if (isSessionExpired) {
HttpServletResponse resp = (HttpServletResponse) response;
resp.addHeader("sessionId", "");
resp.addHeader("status", "false");
resp.addHeader("message", "Session Expired");
resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Session Expired");
return;
}
// CustomUserDetailsService cs = new CustomUserDetailsService();
UserDetails user = loadUserByUsername(sessionObjId);
if (user == null) {
HttpServletResponse resp = (HttpServletResponse) response;
resp.addHeader("sessionId", "");
resp.addHeader("status", "false");
resp.addHeader("message", "User Not Found");
resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "User Not Found");
return;
}
// logger.debug("user..."+user);
logger.debug("user name.." + user.getUsername());
logger.debug("user name.." + user.getUsername());
List<String> ltUserPrivileges = userServiceImpl.findUserPrivilege(user.getUsername());
logger.debug("ltUserPrivileges..." + ltUserPrivileges);
String requestURI = httpReq.getRequestURI();
// String requestURL = httpReq.getRequestURL().toString();
String contextPath = httpReq.getContextPath();
String queryString = httpReq.getQueryString();
// String port = httpReq.getServerPort()+"";
// logger.debug("request URL..."+httpReq.getRequestURL());
// logger.debug("requestURI..."+requestURI);
// logger.debug("contextPath..."+contextPath);
// logger.debug("queryString..."+queryString);
int i = 0;
if ((i = requestURI.indexOf(contextPath)) >= 0) {
// logger.debug("removing context from path.."+i);
requestURI = requestURI.substring(i + contextPath.length());
// logger.debug("new requestURI.."+requestURI);
}
if (queryString != null && queryString.trim().length() > 0) {
requestURI = requestURI + "?" + queryString;
}
logger.debug("Final requestURI.." + requestURI);
/*
* if( (i=requestURL.indexOf(port))>=0){
* logger.debug("removing port from path.."+i);
* requestURL = requestURL.substring(i+port.length());
* logger.debug("new requestURL.."+requestURL);
* }
*/
List<String> ltPrev = getMatchingUrlPrivileges(requestURI,request);
boolean allowed = false;
if (ltPrev != null && ltPrev.size() > 0) {
for (String expectedPrev : ltPrev) {
logger.debug("Expected Previleges.." + expectedPrev);
if (ltUserPrivileges != null && ltUserPrivileges.contains(expectedPrev)) {
logger.debug("Previlege Available.....................................................");
allowed = true;
break;
}
}
Authentication authentication;
try { // If the credentials to not match then an AuthenticationException is thrown.
authentication = attemptAuthentication(user);
// If successfully authenticated then pass the request to the success handler
if (authentication.isAuthenticated())
SecurityContextHolder.getContext().setAuthentication(authentication);
logger.debug("successfull authentiation");
} catch (AuthenticationException exception) {
// Pass the request to authentication failure handler.
logger.error("unsuccessfull authentication", exception);
return;
}
} else {
logger.debug("There is no user previleges required for the URL , so
allow it");
allowed = true;
Authentication authentication;
try { // If the credentials to not match then an
// AuthenticationException is thrown.
authentication = attemptAuthentication(user);
// If successfully authenticated then pass the request to the success handler
if (authentication.isAuthenticated())
SecurityContextHolder.getContext().setAuthentication(authentication);
logger.debug("successfull authentiation");
} catch (AuthenticationException exception) {
// Pass the request to authentication failure handler.
logger.error("unsuccessfull authentication", exception);
return;
}
}
if (!allowed) {
logger.debug("*****************************User
AccessDenied******************************");
// throw new PreAuthenticationUserNotFound("User Access Denied");
// ((HttpServletResponse)
response).sendError(HttpServletResponse.SC_FORBIDDEN, "User Access
Denied");
((HttpServletResponse) response).setContentType("application/json");
((HttpServletResponse) response).setStatus(HttpServletResponse.SC_FORBIDDEN);
try {
JSONObject json = new JSONObject();
json.put("msg", "User Access Denied");
json.put("url", requestURI);
((HttpServletResponse) response).getOutputStream().println(json.toString());
} catch (JSONException e) {
logger.error("Error: ", e);
}
return;
}
/**
* if(user.getUsername().equalsIgnoreCase("ypalrecha") &&
* httpReq.getRequestURL().indexOf("framework/dag/dagWithParams")>=0){
* logger.debug("*****************************User Access Denied******************************");
* throw new PreAuthenticationUserNotFound("User Access Denied");
* }
**/
/*
* if(user){
* throw new PreAuthenticationUserNotFound("Session not valid or expired");
* }
*/
// logger.debug("Request Session..."+r.getHeader("sessionId"));
// logger.debug("Request Status..."+r.getHeader("status"));
chain.doFilter(request, response);
}
Authentication attemptAuthentication(UserDetails user) throws AuthenticationException, IOException, ServletException {
String username = user.getUsername();
String password = user.getPassword();
Authentication authentication = new UsernamePasswordAuthenticationToken(username, password, getAuthorities("Admin"));
return authentication;
}
你有进一步的角色..
public List<String> getRoles(String role) {
List<String> roles = new ArrayList<String>();
if (role.trim().equalsIgnoreCase("Admin".trim())) {
roles.add("ROLE_ADMIN");
}
if (role.trim().equalsIgnoreCase("User".trim())) {
roles.add("ROLE_USER");
}
return roles;
}