REST服务中的Glassfish基本身份验证

时间:2011-08-15 09:49:23

标签: authentication rest java-ee glassfish-3 netbeans7.0

我正在尝试使用Glassfish jdbcRealm在Web Project中进行基本身份验证。

这是我的web.xml身份验证部分:

<security-constraint>
    <display-name>LoginTestContraint</display-name>
    <web-resource-collection>
        <web-resource-name>Login</web-resource-name>
        <description/>
        <url-pattern>/login/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description/>
        <role-name>UsersRead</role-name>
        <role-name>UsersWrite</role-name>
        <role-name>UsersDelete</role-name>
    </auth-constraint>
</security-constraint>
<security-constraint>
    <display-name>UsersConstraints</display-name>
    <web-resource-collection>
        <web-resource-name>FindAll</web-resource-name>
        <description/>
        <url-pattern>/resources/com.taxi.model.users/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description/>
        <role-name>UsersRead</role-name>
        <role-name>UsersWrite</role-name>
        <role-name>UsersDelete</role-name>
    </auth-constraint>
</security-constraint>
<security-constraint>
    <display-name>AccessConstraints</display-name>
    <web-resource-collection>
        <web-resource-name>/resources/com.taxi.model.access</web-resource-name>
        <description/>
        <url-pattern>/resources/com.taxi.model.access/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description/>
        <role-name>AccessRead</role-name>
        <role-name>AccessWrite</role-name>
        <role-name>AccessDelete</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>taxiJDBCRealm</realm-name>
</login-config>
<security-role>
    <description/>
    <role-name>AccessRead</role-name>
</security-role>
<security-role>
    <description/>
    <role-name>AccessWrite</role-name>
</security-role>
<security-role>
    <description/>
    <role-name>AccessDelete</role-name>
</security-role>
<security-role>
    <description/>
    <role-name>UsersRead</role-name>
</security-role>
<security-role>
    <description/>
    <role-name>UsersWrite</role-name>
</security-role>
<security-role>
    <description/>
    <role-name>UsersDelete</role-name>
</security-role>

这就是我在glassfish-web.xml中所拥有的:

<glassfish-web-app error-url="">
  <security-role-mapping>
    <role-name>AccessDelete</role-name>
    <group-name>AccessDelete</group-name>
  </security-role-mapping>
  <security-role-mapping>
    <role-name>AccessRead</role-name>
    <group-name>AccessRead</group-name>
  </security-role-mapping>
  <security-role-mapping>
    <role-name>AccessWrite</role-name>
    <group-name>AccessWrite</group-name>
  </security-role-mapping>
  <security-role-mapping>
    <role-name>UsersDelete</role-name>
    <group-name>UsersDelete</group-name>
  </security-role-mapping>
  <security-role-mapping>
    <role-name>UsersRead</role-name>
    <group-name>UsersRead</group-name>
  </security-role-mapping>
  <security-role-mapping>
    <role-name>UsersWrite</role-name>
    <group-name>UsersWrite</group-name>
  </security-role-mapping>
  <class-loader delegate="true"/>
  <jsp-config>
    <property name="keepgenerated" value="true">
      <description>Keep a copy of the generated servlet class' java code.</description>
    </property>
  </jsp-config>
</glassfish-web-app>

我想验证REST服务用户,因此我遵循:

@Stateless
@Path("com.taxi.model.users")
public class UsersFacadeREST extends AbstractFacade<Users> {

    // ...

    @GET
    @Override
    @Produces({"application/xml", "application/json"})
    @RolesAllowed("UsersRead")
    public List<Users> findAll() {
        return super.findAll();
    }

    // ...

}

@Stateless
@Path("com.taxi.model.access")
public class AccessFacadeREST extends AbstractFacade<Access> {

    // ...

    @GET
    @Override
    @Produces({"application/xml", "application/json"})
    @RolesAllowed("AccessRead")
    public List<Access> findAll() {
        return super.findAll();
    }

    // ...

}

当我尝试打开http://localhost:8080/taxi/resources/com.taxi.model.access时,它会返回带有访问权限的XML。

所以,然后我尝试在浏览器中打开http://localhost:8080/taxi/resources/com.taxi.model.users它一切正常,但访问被拒绝。在postgresql日志文件中,我看到:

2011-08-15 13:32:14 SAMST LOG:  execute <unnamed>: SELECT glpasswd FROM vw_glusertable WHERE gluser = $1
2011-08-15 13:32:14 SAMST DETAIL:  parameters: $1 = 'nickla'
2011-08-15 13:32:14 SAMST LOG:  execute <unnamed>: SELECT glgroup FROM vw_glgrouptable WHERE gluser = $1 
2011-08-15 13:32:14 SAMST DETAIL:  parameters: $1 = 'nickla'

Glassfish错误日志:

FINE: [Web-Security] Setting Policy Context ID: old = null ctxID = taxi/taxi
FINE: [Web-Security] hasUserDataPermission perm: (javax.security.jacc.WebUserDataPermission /resources/com.taxi.model.users GET)
FINE: [Web-Security] hasUserDataPermission isGranted: true
FINE: [Web-Security] Policy Context ID was: taxi/taxi
FINE: [Web-Security] Codesource with Web URL: file:/taxi/taxi
FINE: [Web-Security] Checking Web Permission with Principals : null
FINE: [Web-Security] Web Permission = (javax.security.jacc.WebResourcePermission /resources/com.taxi.model.users GET)
FINEST: JACC Policy Provider: PolicyWrapper.implies, context (taxi/taxi)- result was(false) permission ((javax.security.jacc.WebResourcePermission /resources/com.taxi.model.users GET))
FINE: [Web-Security] hasResource isGranted: false
FINE: [Web-Security] hasResource perm: (javax.security.jacc.WebResourcePermission /resources/com.taxi.model.users GET)
FINEST: Processing login with credentials of type: class com.sun.enterprise.security.auth.login.common.PasswordCredential
FINE: Logging in user [nickla] into realm: taxiJDBCRealm using JAAS module: jdbcRealm
FINE: Login module initialized: class com.sun.enterprise.security.auth.login.JDBCLoginModule
FINEST: JDBC login succeeded for: nickla groups:[UsersRead, AccessRead, AccessWrite, UsersWrite, UsersDelete, AccessDelete]
FINE: JAAS login complete.
FINE: JAAS authentication committed.
FINE: Password login succeeded for : nickla
FINE: Set security context as user: nickla
FINE: [Web-Security] Policy Context ID was: taxi/taxi
FINE: [Web-Security] Codesource with Web URL: file:/taxi/taxi
FINE: [Web-Security] Checking Web Permission with Principals : nickla, UsersRead, AccessRead, AccessWrite, UsersWrite, UsersDelete, AccessDelete
FINE: [Web-Security] Web Permission = (javax.security.jacc.WebResourcePermission /resources/com.taxi.model.users GET)
FINEST: JACC Policy Provider: PolicyWrapper.implies, context (taxi/taxi)- result was(false) permission ((javax.security.jacc.WebResourcePermission /resources/com.taxi.model.users GET))
FINE: [Web-Security] hasResource isGranted: false
FINE: [Web-Security] hasResource perm: (javax.security.jacc.WebResourcePermission /resources/com.taxi.model.users GET)

为什么Glassfish告诉我,具有角色UsersRead的用户没有com.taxi.model.users的资助?

P.S:

答案很简单 - 不要使用UsersRead UsersWrite UsersDelete单词作为角色名称。我不知道为什么,但是当我把它改成UsersRead11时,一切顺利。

0 个答案:

没有答案
相关问题
最新问题