I followed this tutorial to configure the user ejbuser with password 12345678 and role appCitas. The instructions I followed were:
C:\wildfly-14.0.1.Final\bin>jboss-cli.bat
You are disconnected at the moment. Type 'connect' to connect to the server or 'help' for the list of supported commands.
[disconnected /] connect
[standalone@localhost:9990 /] /subsystem=elytron/filesystem-realm=proxyRealm:add(path=proxy-realm-users,relative-to=jboss.server.config.dir)
{"outcome" => "success"}
[standalone@localhost:9990 /] /subsystem=elytron/filesystem-realm=proxyRealm:add-identity(identity=ejbuser)
{"outcome" => "success"}
[standalone@localhost:9990 /] /subsystem=elytron/filesystem-realm=proxyRealm:set-password(identity=ejbuser,clear={password=12345678})
{"outcome" => "success"}
[standalone@localhost:9990 /] /subsystem=elytron/filesystem-realm=proxyRealm:add-identity-attribute(identity=ejbuser,name=Roles,value=["guest","appCitas"])
{"outcome" => "success"}
[standalone@localhost:9990 /] /subsystem=elytron/simple-role-decoder=from-roles-attribute:add(attribute=Roles)
{"outcome" => "success"}
[standalone@localhost:9990 /] /subsystem=elytron/security-domain=proxySD:add(default-realm=proxyRealm,permission-mapper=default-permission-mapper,realms=[{realm=proxyRealm,role-decoder=from-roles-attribute},{realm=local}])
{"outcome" => "success"}
[standalone@localhost:9990 /] /subsystem=elytron/sasl-authentication-factory=proxy-application-sasl-autentication:add(mechanism-configurations=[{mechanism-name=JBOSS-LOCAL-USER,realm-mapper=local},{mechanism-name=DIGEST-MD5,mechanism-realm-configurations=[{realm-name=proxyRealm}]},{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name=proxyRealm}]}],sasl-server-factory=configured,security-domain=proxySD)
{"outcome" => "success"}
[standalone@localhost:9990 /] /subsystem=ejb3/application-security-domain=other:add(security-domain=proxySD)
{"outcome" => "success"}
[standalone@localhost:9990 /] /subsystem=remoting/http-connector=http-remoting-connector:write-attribute(name=sasl-authentication-factory,value=proxy-application-sasl-autentication)
{
    "outcome" => "success",
    "response-headers" => {
        "operation-requires-reload" => true,
        "process-state" => "reload-required"
    }
}
In my EJB, I have
@WebService(
    endpointInterface = "es.ssib.otic.test.prototipoEjbCitas.ApiCitasPublico",
    name = "ApiCitasEjb")
@RolesAllowed("apiCitas")
@Stateless
public class ApiCitasPublicoImpl
    implements ApiCitasPublico {

    @Override
    public @XmlElement(name = "pacienteCitaResponse", required = true) PacienteCitaResponse getPacienteCita(
        @WebParam(name = "datosSolicitante") @XmlElement(required = true) IdPeticion idPaciente) {
        ...
    }
}
My jboss-app.xml is
<?xml version="1.0" encoding="UTF-8"?>
<jboss-app>
<security-domain>other</security-domain>
</jboss-app>
The EAR deploys correctly and the log shows no problems, but when I try to access the method from SoapUI with basic authentication added, in every case I get
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<soap:Fault>
<faultcode>soap:Server</faultcode>
<faultstring>WFLYEJB0364: Invocation on method: public es.ssib.otic.test.prototipoEjbCitas.beans.PacienteCitaResponse es.ssib.otic.test.prototipoEjbCitas.impl.ApiCitasPublicoImpl.getPacienteCita(es.ssib.otic.test.prototipoEjbCitas.beans.IdPeticion) of bean: ApiCitasPublicoImpl is not allowed</faultstring>
</soap:Fault>
</soap:Body>
</soap:Envelope>
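If I remove the security configuration, I can access it through SoapUI without problems.
Using WildFly 14.0.0.1 Final.
Note: this question is somewhat related to my previous one, but since I have reinstalled WildFly and followed the tutorial above step by step, I thought it better to post it as a separate question.
Following @fjuma's answer, I configured the following: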
[standalone@localhost:9990 /] /subsystem=elytron/http-authentication-factory=proxy-application-http-authentication:add(http-server-mechanism-factory=global,security-domain=proxySD,mechanism-configurations=[{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name=proxyAD}]}])
{"outcome" => "success"}
[standalone@localhost:9990 /] /subsystem=undertow/application-security-domain=proxyAD:add(http-authentication-factory=proxy-application-http-authentication)
{"outcome" => "success"}
and changed the value of security-domain in jboss-app.xml to proxyAD. When deploying the EAR I get this error:
{
    "WFLYCTL0412: Required services that are not installed:" => ["jboss.security.security-domain.proxyAD"],
    "WFLYCTL0180: Services with missing/unavailable dependencies" => [
        "jboss.deployment.subunit.\"prototipoEarCitas-0.0.1-SNAPSHOT.ear\".\"prototipoEjbCitas-0.0.1-SNAPSHOT.jar\".component.ApiCitasPublicoImpl.CREATE is missing [jboss.security.security-domain.proxyAD]",
        "jboss.ws.endpoint.\"prototipoEarCitas-0.0.1-SNAPSHOT.ear\".\"prototipoEjbCitas-0.0.1-SNAPSHOT.jar\".ApiCitasPublicoImpl is missing [jboss.security.security-domain.proxyAD]"
    ]
}
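Answer 0 (score: 1)
A few things to note:
To use HTTP Basic authentication, an Elytron http-authentication-factory is required. Documentation on how to configure it is available here.
When using HTTP Basic authentication, you also need to add an application-security-domain mapping in the Undertow subsystem. For more details on this when using web services, see https://developer.jboss.org/thread/276445.
Here is the final minimal set of commands to configure access to the WS (tested on a fresh WildFly 14.0.1.Final):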
C:\wildfly-14.0.1.Final\bin>jboss-cli.bat
You are disconnected at the moment. Type 'connect' to connect to the server or 'help' for the list of supported commands.
[disconnected /] connect
[standalone@localhost:9990 /] /subsystem=elytron/properties-realm=proxyRealm:add(groups-attribute=groups,groups-properties={path=proxy-roles.properties,relative-to=jboss.server.config.dir},users-properties={path=proxy-users.properties,relative-to=jboss.server.config.dir,plain-text=true})
{"outcome" => "success"}
[standalone@localhost:9990 /] /subsystem=elytron/security-domain=proxySD:add(realms=[{realm=proxyRealm,role-decoder=groups-to-roles}],default-realm=proxyRealm,permission-mapper=default-permission-mapper)
{"outcome" => "success"}
[standalone@localhost:9990 /] /subsystem=elytron/http-authentication-factory=proxy-http-auth:add(http-server-mechanism-factory=global,security-domain=proxySD,mechanism-configurations=[{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name=proxyRealm}]}])
{"outcome" => "success"}
[standalone@localhost:9990 /] /subsystem=undertow/application-security-domain=proxySD:add(http-authentication-factory=proxy-http-auth)
{"outcome" => "success"}
[standalone@localhost:9990 /] /subsystem=elytron/sasl-authentication-factory=proxy-app-sasl-auth:add(mechanism-configurations=[{mechanism-name=JBOSS-LOCAL-USER,realm-mapper=local},{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name=proxyRealm}]}],sasl-server-factory=configured,security-domain=proxySD)
{"outcome" => "success"}
[standalone@localhost:9990 /] /subsystem=ejb3/application-security-domain=proxySD:add(security-domain=proxySD)
{"outcome" => "success"}
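Notes:
As you may have noticed, I switched from a FileSystem realm to a Properties realm. This is unrelated to the problem; it just makes debugging easier.
Elytron's security domain (defined in the 3rd command), Undertow's application-security-domain (defined in the 4th command) and EJB's application-security-domain (defined in the 6th command) all have the same name. It is important that the name is the same in all three subsystems; bad things may happen if the names differ (I have not tried all the combinations).
The WS must be invoked with "preemptive authentication", sending the authentication data in the first request without being prompted by the server. POJO-based WS in a WAR use the web authentication system, so preemptive authentication is not needed.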
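
The naming rule in the second note can be checked mechanically before deploying. The following Python script is an added example, not part of the original question or answer: the function names are hypothetical, the sample commands are constructed from the question's second attempt, and the check encodes the answer's rule (one name across Elytron, Undertow and EJB3) rather than WildFly's own resolution logic.

```python
import re

# Constructed sample: :add operations from the question's second attempt (realm
# setup omitted); jboss-app.xml named the security domain "proxyAD" at that point.
QUESTION_CLI = """
/subsystem=elytron/security-domain=proxySD:add(default-realm=proxyRealm,permission-mapper=default-permission-mapper)
/subsystem=ejb3/application-security-domain=other:add(security-domain=proxySD)
/subsystem=elytron/http-authentication-factory=proxy-application-http-authentication:add(http-server-mechanism-factory=global,security-domain=proxySD)
/subsystem=undertow/application-security-domain=proxyAD:add(http-authentication-factory=proxy-application-http-authentication)
"""

ADDRESS = re.compile(r"^/subsystem=([\w-]+)/([\w-]+)=([\w.-]+):add\((.*)\)\s*$")

def parse_cli(text):
    """Return {(subsystem, resource_type): {name: {attr: value}}} for :add operations."""
    resources = {}
    for line in text.splitlines():
        m = ADDRESS.match(line.strip())
        if not m:
            continue
        subsystem, rtype, name, args = m.groups()
        # Scalar key=value pairs only; nested list values are not interpreted.
        attrs = dict(re.findall(r"(?:^|,)([\w-]+)=([\w.-]+)(?=,|$)", args))
        resources.setdefault((subsystem, rtype), {})[name] = attrs
    return resources

def check_domain(resources, app_domain):
    """List reasons why app_domain (from jboss-app.xml) is not mapped consistently."""
    problems = []
    domains = resources.get(("elytron", "security-domain"), {})
    factories = resources.get(("elytron", "http-authentication-factory"), {})
    if app_domain not in domains:
        problems.append(f"elytron: no security-domain named {app_domain}")
    ejb = resources.get(("ejb3", "application-security-domain"), {}).get(app_domain)
    if ejb is None:
        problems.append(f"ejb3: no application-security-domain named {app_domain}")
    elif ejb.get("security-domain") not in domains:
        problems.append(f"ejb3: {app_domain} maps to an undefined security-domain")
    web = resources.get(("undertow", "application-security-domain"), {}).get(app_domain)
    if web is None:
        problems.append(f"undertow: no application-security-domain named {app_domain}")
    elif web.get("http-authentication-factory") not in factories:
        problems.append(f"undertow: {app_domain} maps to an undefined http-authentication-factory")
    return problems

if __name__ == "__main__":
    for problem in check_domain(parse_cli(QUESTION_CLI), "proxyAD"):
        print(problem)
```

Run against the answer's command set with the domain name proxySD, the same check reports nothing.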