Glassfish basic authentication in REST services - PullRequest
1 vote
/ August 15, 2011

I am trying to do basic authentication in a web project using a Glassfish jdbcRealm.

This is the authentication part of my web.xml:

<security-constraint>
    <display-name>LoginTestContraint</display-name>
    <web-resource-collection>
        <web-resource-name>Login</web-resource-name>
        <description/>
        <url-pattern>/login/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description/>
        <role-name>UsersRead</role-name>
        <role-name>UsersWrite</role-name>
        <role-name>UsersDelete</role-name>
    </auth-constraint>
</security-constraint>
<security-constraint>
    <display-name>UsersConstraints</display-name>
    <web-resource-collection>
        <web-resource-name>FindAll</web-resource-name>
        <description/>
        <url-pattern>/resources/com.taxi.model.users/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description/>
        <role-name>UsersRead</role-name>
        <role-name>UsersWrite</role-name>
        <role-name>UsersDelete</role-name>
    </auth-constraint>
</security-constraint>
<security-constraint>
    <display-name>AccessConstraints</display-name>
    <web-resource-collection>
        <web-resource-name>/resources/com.taxi.model.access</web-resource-name>
        <description/>
        <url-pattern>/resources/com.taxi.model.access/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description/>
        <role-name>AccessRead</role-name>
        <role-name>AccessWrite</role-name>
        <role-name>AccessDelete</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>taxiJDBCRealm</realm-name>
</login-config>
<security-role>
    <description/>
    <role-name>AccessRead</role-name>
</security-role>
<security-role>
    <description/>
    <role-name>AccessWrite</role-name>
</security-role>
<security-role>
    <description/>
    <role-name>AccessDelete</role-name>
</security-role>
<security-role>
    <description/>
    <role-name>UsersRead</role-name>
</security-role>
<security-role>
    <description/>
    <role-name>UsersWrite</role-name>
</security-role>
<security-role>
    <description/>
    <role-name>UsersDelete</role-name>
</security-role>

And this is what I have in glassfish-web.xml:

<glassfish-web-app error-url="">
  <security-role-mapping>
    <role-name>AccessDelete</role-name>
    <group-name>AccessDelete</group-name>
  </security-role-mapping>
  <security-role-mapping>
    <role-name>AccessRead</role-name>
    <group-name>AccessRead</group-name>
  </security-role-mapping>
  <security-role-mapping>
    <role-name>AccessWrite</role-name>
    <group-name>AccessWrite</group-name>
  </security-role-mapping>
  <security-role-mapping>
    <role-name>UsersDelete</role-name>
    <group-name>UsersDelete</group-name>
  </security-role-mapping>
  <security-role-mapping>
    <role-name>UsersRead</role-name>
    <group-name>UsersRead</group-name>
  </security-role-mapping>
  <security-role-mapping>
    <role-name>UsersWrite</role-name>
    <group-name>UsersWrite</group-name>
  </security-role-mapping>
  <class-loader delegate="true"/>
  <jsp-config>
    <property name="keepgenerated" value="true">
      <description>Keep a copy of the generated servlet class' java code.</description>
    </property>
  </jsp-config>
</glassfish-web-app>

I want to authenticate users of the REST service, so I do the following:

@Stateless
@Path("com.taxi.model.users")
public class UsersFacadeREST extends AbstractFacade<Users> {

    // ...

    @GET
    @Override
    @Produces({"application/xml", "application/json"})
    @RolesAllowed("UsersRead")
    public List<Users> findAll() {
        return super.findAll();
    }

    // ...

}

@Stateless
@Path("com.taxi.model.access")
public class AccessFacadeREST extends AbstractFacade<Access> {

    // ...

    @GET
    @Override
    @Produces({"application/xml", "application/json"})
    @RolesAllowed("AccessRead")
    public List<Access> findAll() {
        return super.findAll();
    }

    // ...

}

When I try to open http://localhost:8080/taxi/resources/com.taxi.model.access, it returns the XML with access to me.

So when I try to open http://localhost:8080/taxi/resources/com.taxi.model.users in the browser, everything works, but access is denied. In the PostgreSQL log file I see:

2011-08-15 13:32:14 SAMST LOG:  execute <unnamed>: SELECT glpasswd FROM vw_glusertable WHERE gluser = $1
2011-08-15 13:32:14 SAMST DETAIL:  parameters: $1 = 'nickla'
2011-08-15 13:32:14 SAMST LOG:  execute <unnamed>: SELECT glgroup FROM vw_glgrouptable WHERE gluser = $1 
2011-08-15 13:32:14 SAMST DETAIL:  parameters: $1 = 'nickla'

Glassfish error log:

FINE: [Web-Security] Setting Policy Context ID: old = null ctxID = taxi/taxi
FINE: [Web-Security] hasUserDataPermission perm: (javax.security.jacc.WebUserDataPermission /resources/com.taxi.model.users GET)
FINE: [Web-Security] hasUserDataPermission isGranted: true
FINE: [Web-Security] Policy Context ID was: taxi/taxi
FINE: [Web-Security] Codesource with Web URL: file:/taxi/taxi
FINE: [Web-Security] Checking Web Permission with Principals : null
FINE: [Web-Security] Web Permission = (javax.security.jacc.WebResourcePermission /resources/com.taxi.model.users GET)
FINEST: JACC Policy Provider: PolicyWrapper.implies, context (taxi/taxi)- result was(false) permission ((javax.security.jacc.WebResourcePermission /resources/com.taxi.model.users GET))
FINE: [Web-Security] hasResource isGranted: false
FINE: [Web-Security] hasResource perm: (javax.security.jacc.WebResourcePermission /resources/com.taxi.model.users GET)
FINEST: Processing login with credentials of type: class com.sun.enterprise.security.auth.login.common.PasswordCredential
FINE: Logging in user [nickla] into realm: taxiJDBCRealm using JAAS module: jdbcRealm
FINE: Login module initialized: class com.sun.enterprise.security.auth.login.JDBCLoginModule
FINEST: JDBC login succeeded for: nickla groups:[UsersRead, AccessRead, AccessWrite, UsersWrite, UsersDelete, AccessDelete]
FINE: JAAS login complete.
FINE: JAAS authentication committed.
FINE: Password login succeeded for : nickla
FINE: Set security context as user: nickla
FINE: [Web-Security] Policy Context ID was: taxi/taxi
FINE: [Web-Security] Codesource with Web URL: file:/taxi/taxi
FINE: [Web-Security] Checking Web Permission with Principals : nickla, UsersRead, AccessRead, AccessWrite, UsersWrite, UsersDelete, AccessDelete
FINE: [Web-Security] Web Permission = (javax.security.jacc.WebResourcePermission /resources/com.taxi.model.users GET)
FINEST: JACC Policy Provider: PolicyWrapper.implies, context (taxi/taxi)- result was(false) permission ((javax.security.jacc.WebResourcePermission /resources/com.taxi.model.users GET))
FINE: [Web-Security] hasResource isGranted: false
FINE: [Web-Security] hasResource perm: (javax.security.jacc.WebResourcePermission /resources/com.taxi.model.users GET)

Why does Glassfish tell me that my user with the UsersRead role has no rights to com.taxi.model.users?

PS:

The answer is simple: do not use the words UsersRead, UsersWrite, UsersDelete as role names. I don't know why, but when I changed it to UsersRead11, everything went fine.

...
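An added example, not part of the original post: a Python cross-check of the two descriptors shown above. It verifies that every role named in an auth-constraint is declared in a security-role, mapped in glassfish-web.xml, and backed by a group the realm actually returned. The descriptors are trimmed copies, and the `Ghost` role and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
# Trimmed copies of the posted descriptors (constructed sample): one
# constraint kept, plus an invented "Ghost" role to show a failing case.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/resources/com.taxi.model.users/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>UsersRead</role-name>
      <role-name>Ghost</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role><role-name>UsersRead</role-name></security-role>
</web-app>"""
GF_XML = """<glassfish-web-app>
  <security-role-mapping>
    <role-name>UsersRead</role-name>
    <group-name>UsersRead</group-name>
  </security-role-mapping>
</glassfish-web-app>"""

def find_all(root, name):
    # Compare local names so namespaced descriptors are handled too.
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]

def texts(elem, name):
    return [e.text.strip() for e in find_all(elem, name) if e.text]

def audit(web_xml, gf_xml, realm_groups):
    """Map (url-pattern, role) -> list of problems; an empty list is OK."""
    web, gf = ET.fromstring(web_xml), ET.fromstring(gf_xml)
    declared = {r for s in find_all(web, "security-role") for r in texts(s, "role-name")}
    mapping = {}
    for m in find_all(gf, "security-role-mapping"):
        for role in texts(m, "role-name"):
            mapping.setdefault(role, set()).update(texts(m, "group-name"))
    report = {}
    for sc in find_all(web, "security-constraint"):
        roles = [r for ac in find_all(sc, "auth-constraint") for r in texts(ac, "role-name")]
        for pattern in texts(sc, "url-pattern"):
            for role in roles:
                problems = [] if role in declared else ["undeclared"]
                if role not in mapping:
                    problems.append("unmapped")
                elif not mapping[role] & set(realm_groups):
                    problems.append("group not granted by realm")
                report[(pattern, role)] = problems
    return report
```

On the descriptors as posted, with the groups from the "JDBC login succeeded" log line, every role passes all three checks, so the denial in the log is not explained by a missing declaration or mapping.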