@RolesAllowed and @HttpConstraint(rolesAllowed) annotations are ignored, isUserInRole in JSP is always false

Time: 2018-03-17 20:07:12

Tags: java-ee glassfish-4 java-security payara

I'm having trouble with RolesAllowed / HttpConstraint in Payara 4.1 / GlassFish 4.1. I'm using an application with an EJB module and a web module bundled in an EAR. I've annotated several servlets with @RolesAllowed and @HttpConstraint, but they seem to be ignored.

I've created 4 servlets in which I basically cycle through RolesAllowed and HttpConstraint. The first two servlets have DeclareRoles, the last two don't. The first two servlets extend ServletBase, which extends HttpServlet, while the last two extend HttpServlet directly.

The output of all four servlets is identical. I'm asked to log in, and then I get the following:

Role 1  No  Yes     true
Role 2  No  No      false
System Administrator    No  No      false

As far as I can tell, request.isUserInRole works as expected in the servlet but not in the JSP. The user I log in as has Role 1.

I don't know where I'm going wrong. I could get this working with a web.xml that has security constraints, but annotations would make my life easier.

I'm also not sure why the call to HttpServletRequest#isUserInRole fails in the JSP but works as expected in the servlet. That it works in the servlet is encouraging, since it should indicate that I've set up my JDBC realm correctly. That, and I can authenticate fine.

I don't know where to start.

DebugServlet.java

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.google.gson.Gson;

@WebServlet("/Debug")
public class DebugServlet extends HttpServlet
{
  /**
   * Writes the authenticated principal and the container's answer for each role
   * to the response, so the servlet-side view of the security context can be compared
   * with the JSP-side view.
   *
   * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse response)
   */
  @Override
  protected void doGet(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException
  {
    Gson gson = new Gson();
    response.getWriter().append(gson.toJson(request.getUserPrincipal()));
    response.getWriter().append(" ");
    response.getWriter().append(gson.toJson(request.isUserInRole("sysAdmin")));
    response.getWriter().append(" ");
    response.getWriter().append(gson.toJson(request.isUserInRole("role1")));
    response.getWriter().append(" ");
    response.getWriter().append(gson.toJson(request.isUserInRole("role2")));
  }
}

/Debug

{"password":["p","a","s","s","w","o","r","d"],"useCertificate":false,"secCtx":{"SERVER_GENERATED_SECURITY_CONTEXT":false,"initiator":{"name":"username"},"subject":{"principals":[{"name":"username"},{"name":"Role 1"}],"readOnly":false}},"name":"username"} false true false

DebugServlet2.java

import java.io.IOException;

import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/Debug2")
@RolesAllowed({"sysAdmin"})
@DeclareRoles({"sysAdmin", "role1", "role2"})
public class Debug2 extends ServletBase // ServletBase extends HttpServlet (not shown)
{
  /**
   * Evaluates isUserInRole on the servlet side, stores the results as request
   * attributes and forwards to the JSP, which evaluates the same roles itself.
   *
   * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse response)
   */
  @Override
  protected void doGet(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException
  {
    request.setAttribute("isRole1", request.isUserInRole("role1"));
    request.setAttribute("isRole2", request.isUserInRole("role2"));
    request.setAttribute("isSysAdmin", request.isUserInRole("sysAdmin"));

    request.getRequestDispatcher("/WEB-INF/debug/index.jsp").forward(request, response);
  }
}

/WEB-INF/debug/index.jsp

<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<body>
    <table>
        <tr>
            <td>Role 1</td>
            <td><c:choose>
                    <c:when test="${request.isUserInRole('role1') == true }">Yes</c:when>
                    <c:otherwise>No</c:otherwise>
                </c:choose></td>
            <td><c:choose>
                    <c:when test="${isRole1== true }">Yes</c:when>
                    <c:otherwise>No</c:otherwise>
                </c:choose></td>
            <td>${request.isUserInRole('role1') }</td>
            <td>${isRole1 }</td>
        </tr>
        <tr>
            <td>Role 2</td>
            <td><c:choose>
                    <c:when
                        test="${request.isUserInRole('role2')== true }">Yes</c:when>
                    <c:otherwise>No</c:otherwise>
                </c:choose></td>
            <td><c:choose>
                    <c:when test="${isRole2 == true}">Yes</c:when>
                    <c:otherwise>No</c:otherwise>
                </c:choose></td>
            <td>${request.isUserInRole('role2') }</td>
            <td>${isRole2 }</td>
        </tr>
        <tr>
            <td>System Administrator</td>
            <td><c:choose>
                    <c:when test="${request.isUserInRole('sysAdmin')== true }">Yes</c:when>
                    <c:otherwise>No</c:otherwise>
                </c:choose></td>
            <td><c:choose>
                    <c:when test="${isSysAdmin == true}">Yes</c:when>
                    <c:otherwise>No</c:otherwise>
                </c:choose></td>
            <td>${request.isUserInRole('sysAdmin') }</td>
            <td>${isSysAdmin }</td>
        </tr>
    </table>
</body>

glassfish-web.xml

<glassfish-web-app>
    <context-root>/slam-web</context-root>
    <security-role-mapping>
        <role-name>role2</role-name> <!-- GlassFish Name -->
        <group-name>Role 2</group-name> <!-- DB Name -->
    </security-role-mapping>
    <security-role-mapping>
        <role-name>role1</role-name> <!-- GlassFish Name -->
        <group-name>Role 1</group-name> <!-- DB Name -->
    </security-role-mapping>
    <security-role-mapping>
        <role-name>sysAdmin</role-name> <!-- GlassFish Name -->
        <group-name>System Administrator</group-name> <!-- DB Name -->
    </security-role-mapping>
</glassfish-web-app>

web.xml

<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://xmlns.jcp.org/xml/ns/javaee" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd" metadata-complete="false" version="3.1">
  <display-name>app-web</display-name>
  <welcome-file-list>
    <welcome-file>Debug</welcome-file>
  </welcome-file-list>
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>app-secure</realm-name>
    <form-login-config>
      <form-login-page>/Login</form-login-page>
      <form-error-page>/401.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <security-role>
    <role-name>role1</role-name>
  </security-role>
  <security-role>
    <role-name>role2</role-name>
  </security-role>
  <security-role>
    <role-name>sysAdmin</role-name>
  </security-role>
  <security-constraint>
    <display-name>Everyone</display-name>
    <web-resource-collection>
      <web-resource-name>resources</web-resource-name>
      <description></description>
      <url-pattern>/</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>role1</role-name>
      <role-name>role2</role-name>
      <role-name>sysAdmin</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <display-name>Allow JS and CSS</display-name>
    <web-resource-collection>
      <web-resource-name>resources</web-resource-name>
      <description></description>
      <url-pattern>/Debug</url-pattern>
      <url-pattern>/Logout</url-pattern>
      <url-pattern>/Login</url-pattern>
      <url-pattern>*.js</url-pattern>
      <url-pattern>*.css</url-pattern>
      <url-pattern>*.png</url-pattern>
    </web-resource-collection>
  </security-constraint>
  <error-page>
    <error-code>403</error-code>
    <location>/WEB-INF/public/403.jsp</location>
  </error-page>
</web-app>
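Added example, not code from the question: the same role-restricted servlet written with the Servlet 3.x @ServletSecurity annotation, which the servlet container is required to enforce (JSR-250 @RolesAllowed on a servlet class is not something the Servlet specification obliges the container to honour, and @HttpConstraint only takes effect when nested inside @ServletSecurity). The JSP side is covered in the comments: EL has no `request` implicit object, so `${request.isUserInRole('role1')}` resolves `request` as a scoped attribute that is null. The class name Debug3 and the path /Debug3 are assumed.

```java
import java.io.IOException;

import javax.annotation.security.DeclareRoles;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet for illustration. @ServletSecurity is the Servlet 3.x annotation the
// container enforces; @HttpConstraint is only meaningful as its nested value. The role names
// are the logical names mapped to groups in glassfish-web.xml, not the group names themselves.
@WebServlet("/Debug3")
@DeclareRoles({"sysAdmin", "role1", "role2"})
@ServletSecurity(@HttpConstraint(rolesAllowed = {"sysAdmin"}))
public class Debug3 extends HttpServlet
{
  @Override
  protected void doGet(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException
  {
    // Reaching this point means the container authenticated the caller and found the
    // caller in a group mapped to "sysAdmin"; a user with only "role1" receives 403 before
    // doGet runs, so no role check inside the method is needed for access control.
    request.setAttribute("isRole1", request.isUserInRole("role1"));
    request.setAttribute("isRole2", request.isUserInRole("role2"));
    request.setAttribute("isSysAdmin", request.isUserInRole("sysAdmin"));

    // In the forwarded JSP, ask the container through the EL implicit object:
    //   ${pageContext.request.isUserInRole('role1')}
    // Plain ${request.isUserInRole('role1')} looks up a scoped attribute named "request",
    // gets null, and therefore always renders as "No" / empty, which matches the output
    // columns shown in the question while the servlet-set attribute column shows "true".
    request.getRequestDispatcher("/WEB-INF/debug/index.jsp").forward(request, response);
  }
}
```

Annotation-based constraints are ignored for a URL pattern that appears as an exact match in a web.xml security-constraint; the pattern `/` in the question's web.xml is not an exact match for `/Debug2` or `/Debug3`, so that rule does not explain the behaviour seen here.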

0 answers