EJB authentication and authorization across two domains in WebLogic

Time: 2020-05-11 08:24:37

Tags: java weblogic12c ejb-3.2

We have a WebLogic setup with two WebLogic server domains and want the two to communicate with each other through EJBs. This works fine as long as there are no security settings, but the moment we add security annotations with roles and groups, the EJBs no longer communicate. We get:

    javax.ejb.EJBAccessException: [EJB:010160]Security violation: User webuser has insufficient permission to access EJB type=<ejb>, application=ejb_service, module=ejb_service.war, ejb=FibonacciService, method=getFibonacci, methodInterface=Remote, signature={dk.test.pojos.FibonacciServiceInput}.
        at weblogic.ejb.container.internal.InvocationWrapper.checkMethodPermissionsBusiness(InvocationWrapper.java:421)
        at weblogic.ejb.container.internal.BaseRemoteObject.preInvokeInternal(BaseRemoteObject.java:215)
        at weblogic.ejb.container.internal.BaseRemoteObject.__WL_preInvoke(BaseRemoteObject.java:119)
        at weblogic.ejb.container.internal.SessionRemoteMethodInvoker.invokeInternal(SessionRemoteMethodInvoker.java:42)
        at weblogic.ejb.container.internal.SessionRemoteMethodInvoker.invoke(SessionRemoteMethodInvoker.java:21)
        at dk.test.service.FibonacciService_y99w2m_RemoteFibonacciServiceInterfaceImpl.getFibonacci(Unknown Source)
        at dk.test.service.FibonacciService_y99w2m_RemoteFibonacciServiceInterfaceImpl_WLSkel.invoke(Unknown Source)
        at weblogic.rmi.internal.BasicServerRef.invoke(BasicServerRef.java:645)
        at weblogic.rmi.cluster.ClusterableServerRef.invoke(ClusterableServerRef.java:246)
        at weblogic.rmi.internal.BasicServerRef$2.run(BasicServerRef.java:534)
        at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:386)
        at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:163)
        at weblogic.rmi.internal.BasicServerRef.handleRequest(BasicServerRef.java:531)
        at weblogic.rmi.internal.wls.WLSExecuteRequest.run(WLSExecuteRequest.java:138)
        at weblogic.invocation.ComponentInvocationContextManager._runAs(ComponentInvocationContextManager.java:352)
        at weblogic.invocation.ComponentInvocationContextManager.runAs(ComponentInvocationContextManager.java:337)
        at weblogic.work.LivePartitionUtility.doRunWorkUnderContext(LivePartitionUtility.java:57)
        at weblogic.work.PartitionUtility.runWorkUnderContext(PartitionUtility.java:41)
        at weblogic.work.SelfTuningWorkManagerImpl.runWorkUnderContext(SelfTuningWorkManagerImpl.java:655)
        at weblogic.work.ExecuteThread.execute(ExecuteThread.java:420)
        at weblogic.work.ExecuteThread.run(ExecuteThread.java:360)

We log in the user "webuser" and call the EJB as that user through a PrivilegedAction, so that the other domain knows the user. We enabled trust between the two domains by setting the same password for both and enabling "Cross Domain Security Enabled". We have the following code:

The Fibonacci service looks like this.

    import java.io.Serializable;
    import java.security.Principal;
    import java.security.PrivilegedAction;
    import java.util.Hashtable;
    import java.util.Set;

    import javax.naming.Context;
    import javax.naming.InitialContext;
    import javax.naming.NamingException;
    import javax.security.auth.Subject;

    import weblogic.security.Security;

    // The enclosing class name is a placeholder; the post only shows the methods.
    public class FibonacciClient {

        public String getFibonacci(String hostname, int port, int n) throws NamingException {

            // Principals of the subject currently active on the calling domain (not used further below)
            Set<Principal> principals = Security.getCurrentSubject().getPrincipals();

            // User is the poster's own login helper (not shown); it returns the authenticated Subject
            Subject user = User.login("webuser", "!234Test");

            Hashtable<String, String> env = new Hashtable<>(5);
            env.put(Context.INITIAL_CONTEXT_FACTORY, "weblogic.jndi.WLInitialContextFactory");
            // t3 URL of the other domain's server, built from the hostname and port parameters
            env.put(Context.PROVIDER_URL, String.format("t3://%s:%d", hostname, port));
            env.put(Context.SECURITY_PRINCIPAL, "webuser");
            env.put(Context.SECURITY_CREDENTIALS, "!234Test");

            Context ic = new InitialContext(env);
            // Build the request payload for the remote EJB
            FibonacciServiceInput fibonacciServiceInput = new FibonacciServiceInput(String.valueOf(n));

            // Perform the lookup and the call as the logged-in subject so the remote domain sees "webuser"
            FibonacciServiceOutput fibonacciServiceOutput = (FibonacciServiceOutput) Security.runAs(user,
                    new EJBSendRequestAction(RemoteFibonacciServiceInterface.class.getSimpleName() + "#"
                            + RemoteFibonacciServiceInterface.class.getName(), fibonacciServiceInput, ic));
            return fibonacciServiceOutput.getOutput();
        }

        private final class EJBSendRequestAction implements PrivilegedAction<Serializable> {
            String serviceKey;
            Serializable inputForService;
            Context ic;

            EJBSendRequestAction(String serviceKey, Serializable inputForService, Context ic) {
                this.serviceKey = serviceKey;
                this.inputForService = inputForService;
                this.ic = ic;
            }

            @Override
            public Serializable run() {
                RemoteFibonacciServiceInterface remoteFibonacciService = null;
                try {
                    // JNDI name of the remote business interface: <SimpleName>#<fully.qualified.Name>
                    remoteFibonacciService = (RemoteFibonacciServiceInterface) ic.lookup(serviceKey);
                } catch (NamingException e) {
                    throw new RuntimeException("User could not be logged in as " + "webuser"
                            + ", check if user is created in WEBLOGIC security realm", e);
                }
                FibonacciServiceOutput fibonacciServiceOutput =
                        remoteFibonacciService.getFibonacci((FibonacciServiceInput) inputForService);
                return fibonacciServiceOutput;
            }
        }
    }

In the security realm of the WebLogic console we gave webuser the role securityRole. We use WebLogic 12c and EJB 3.2.

Can anyone help point out why this authorization does not work for the EJB?
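Added here as a diagnostic example, not the poster's code or WebLogic's: a hypothetical bean for the called domain that, next to the protected method, exposes a `@PermitAll` method reporting which principal the container actually attached to the remote call and whether that principal is in `securityRole`. The bean, interface and method names are assumptions; `securityRole` and `getFibonacci` come from the post.

```java
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Remote;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// Hypothetical remote interface (assumed name); both methods are reachable over t3.
@Remote
interface FibonacciDiagRemote {
    String whoAmI();
    long getFibonacci(int n);
}

// Hypothetical bean (assumed name) deployed in the domain that throws the EJBAccessException.
@Stateless
@DeclareRoles("securityRole")
public class FibonacciDiagBean implements FibonacciDiagRemote {

    @Resource
    private SessionContext ctx;

    // Not protected by a role, so it is served even while getFibonacci is rejected by
    // checkMethodPermissionsBusiness. It reports the caller identity the container resolved
    // for this invocation and whether that identity maps to the required role.
    @PermitAll
    public String whoAmI() {
        String caller = (ctx.getCallerPrincipal() == null) ? "<none>" : ctx.getCallerPrincipal().getName();
        return "caller=" + caller + " inRole(securityRole)=" + ctx.isCallerInRole("securityRole");
    }

    // The protected method: the container enforces securityRole before the body runs.
    @RolesAllowed("securityRole")
    public long getFibonacci(int n) {
        long a = 0, b = 1;
        for (int i = 0; i < n; i++) {
            long next = a + b;
            a = b;
            b = next;
        }
        return a;
    }
}
```

If `whoAmI()` reports `caller=<anonymous>`, the subject from the calling domain was not propagated across the domain boundary; if it reports `caller=webuser` but `inRole(securityRole)=false`, the failure is in the role-to-principal mapping on the called domain rather than in authentication.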

0 answers:

No answers