2013-01-04 42 views
3

Java EE 5 security annotations on methods are ignored in GlassFish v2

I have a simple EE5 application consisting of a web client and an EJB module, running on GlassFish 2. The security annotations in the EJBs are ignored on methods, but not those at class level.

For example, I have the following bean:

    import javax.annotation.Resource;
    import javax.annotation.security.DeclareRoles;
    import javax.annotation.security.DenyAll;
    import javax.annotation.security.RolesAllowed;
    import javax.ejb.EJB;
    import javax.ejb.EJBContext;
    import javax.ejb.Stateful;
    import org.slf4j.Logger;
    import org.slf4j.LoggerFactory;

    @Stateful(mappedName = "ejb/PurchaseOrderDao")
    @DeclareRoles("employees")
    @RolesAllowed(value = { "employees" })   // class level: honoured by GlassFish v2
    public class PurchaseOrderDao implements PurchaseOrderDaoLocal {

        private static final Logger log = LoggerFactory.getLogger(PurchaseOrderDao.class);

        @Resource
        private EJBContext ejbContext;

        @EJB
        private PurchaseOrderDaoLocal delegate;   // backing DAO the call is forwarded to (type assumed)

        @DenyAll   // method level: should block every caller, but is ignored by GlassFish v2
        public final void add(final PurchaseOrder instance) {
            log.debug("Is User in Role employees: {}", ejbContext.isCallerInRole("employees"));
            delegate.add(instance);
        }

        [...]
    }

Every user can call this method. The debug statement returns the correct value. The security constraints on the web client's web resources, defined in web.xml, work as expected, but the annotations on the methods do not.

In my application.xml I define the realm and the roles. I map them in sun-application.xml.

What could be the reason? Is this a known problem of GlassFish v2? It works correctly in GlassFish v3.

Additional resources:

sun-ejb-jar.xml

<?xml version="1.0" encoding="UTF-8"?> 
<!DOCTYPE sun-ejb-jar PUBLIC "-//Sun Microsystems, Inc.//DTD Application Server 9.0 EJB 3.0//EN" "http://www.sun.com/software/appserver/dtds/sun-ejb-jar_3_0-0.dtd"> 
<sun-ejb-jar> 
    <enterprise-beans> 
    </enterprise-beans> 
</sun-ejb-jar> 

ejb-jar.xml

<?xml version="1.0" encoding="UTF-8"?> 
<ejb-jar xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:ejb="http://java.sun.com/xml/ns/javaee/ejb-jar_3_0.xsd" 
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/ejb-jar_3_0.xsd" 
version="3.0"> 
    <display-name>ejb</display-name> 
</ejb-jar> 

application.xml

<?xml version="1.0" encoding="UTF-8"?> 
<application xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    xmlns="http://java.sun.com/xml/ns/javaee" xmlns:application="http://java.sun.com/xml/ns/javaee/application_5.xsd" 
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/application_5.xsd" 
    id="ocea" version="5"> 
    <display-name>ocea</display-name> 
    <module> 
     <ejb>ejb.jar</ejb> 
    </module> 
    <module> 
     <web> 
      <web-uri>web.war</web-uri> 
      <context-root>ocea</context-root> 
     </web> 
    </module> 

    <security-role> 
     <description>Employees</description> 
     <role-name>employees</role-name> 
    </security-role> 
    <security-role> 
     <description>Suppliers</description> 
     <role-name>suppliers</role-name> 
    </security-role> 
    <library-directory>/lib</library-directory> 
</application> 

sun-application.xml

<?xml version="1.0" encoding="UTF-8"?> 
<!DOCTYPE sun-application PUBLIC '-//Sun Microsystems, Inc.//DTD Application Server 9.0 Java EE Application 5.0//EN' 'http://www.sun.com/software/appserver/dtds/sun-application_5_0-0.dtd'> 
<sun-application> 
    <security-role-mapping> 
     <role-name>employees</role-name> 
     <group-name>employees</group-name> 
    </security-role-mapping> 

    <security-role-mapping> 
     <role-name>suppliers</role-name> 
     <group-name>suppliers</group-name> 
    </security-role-mapping> 

</sun-application> 

web.xml

<?xml version="1.0" encoding="UTF-8"?> 
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" id="WebApp_ID" version="2.5"> 
    <display-name>web</display-name> 
    <!-- [...] --> 
    <login-config> 
    <auth-method>FORM</auth-method> 
    <form-login-config> 
     <form-login-page>/login</form-login-page> 
     <form-error-page>/loginfailed</form-error-page> 
    </form-login-config> 
    </login-config> 
    <security-constraint> 
    <web-resource-collection> 
     <web-resource-name>PublicContent</web-resource-name> 
     <description>Publically available Content needs no authorization.</description> 
     <url-pattern>/static/*</url-pattern> 
     <url-pattern>/logout</url-pattern> 
     <url-pattern>/loggedout</url-pattern> 
     <url-pattern>/decorator</url-pattern> 
    </web-resource-collection> 
    </security-constraint> 
    <security-constraint> 
    <web-resource-collection> 
     <web-resource-name>Add Requests</web-resource-name> 
     <description>accessible by employees</description> 
     <url-pattern>/requestadd</url-pattern> 
     <url-pattern>/requestaddreal</url-pattern> 
     <url-pattern>/orderadd</url-pattern> 
    </web-resource-collection> 
    <auth-constraint> 
     <role-name>employees</role-name> 
    </auth-constraint> 
    </security-constraint> 
    <security-constraint> 
    <web-resource-collection> 
     <web-resource-name>Add Bids</web-resource-name> 
     <description>accessible by suppliers</description> 
     <url-pattern>/bidadd</url-pattern> 
    </web-resource-collection> 
    <auth-constraint> 
     <role-name>suppliers</role-name> 
    </auth-constraint> 
    </security-constraint> 
    <security-constraint> 
    <web-resource-collection> 
     <web-resource-name>Webapplication</web-resource-name> 
     <description>accessible by authorized users</description> 
     <url-pattern>/*</url-pattern> 
    </web-resource-collection> 
    <auth-constraint> 
     <description>For Employees and Suppliers</description> 
     <role-name>employees</role-name> 
     <role-name>suppliers</role-name> 
    </auth-constraint> 
    </security-constraint> 
    <!-- [...] --> 
    <ejb-local-ref> 
    <ejb-ref-name>ejb/Dao</ejb-ref-name> 
    <local>ejb.dao.DaoLocal</local> 
    </ejb-local-ref> 
    <!-- [... other ejb-local-ref ...] --> 
</web-app> 
+0

You are saying that the class-level annotation is _not_ ignored, but you also say that "every user can call this method." If the class-level annotation works and the one on `add` does not, shouldn't only "employees" (not _every_ user) be allowed to call `add`? –

+0

In this example that is correct. But I have another example where I do not define RolesAllowed at class level but on the method level, and there every user is indeed allowed. – Christian

Answer

2

Have you seen this page: Howto secure webservices on GlassFish 2?

You should also add entries in sun-ejb-jar.xml that provide the authentication requirements for your EJBs. Did you do that?

+0

I have seen this page, but my question is not about web services. My sun-ejb-jar.xml contains nothing. But shouldn't the method annotations work without entries in the XML? If not, what should I write into the XML? – Christian

+0

Did you manage to solve it? Are you sure you have checked everything, like the employees role, sun-ejb-jar.xml, etc.? No simple mistakes like a missed tag, a missed comma and so on, right? –

+0

Did you follow the guide here? http://www.oracle.com/technetwork/articles/javaee/security-annotation-142276.html –
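As an added example for the question left open in the comments (what to put into the XML when method-level annotations are not honoured), and not part of the thread itself: this is the standard Java EE 5 deployment-descriptor equivalent of the annotations on `PurchaseOrderDao`, written into ejb-jar.xml rather than sun-ejb-jar.xml, because the EJB 3.0 assembly descriptor is where method permissions and the exclude list live; sun-application.xml keeps the role-to-group mapping already posted. The `ejb-name` `PurchaseOrderDao` is an assumption (the default name of a bean with no explicit `name` attribute). Descriptor settings take precedence over conflicting annotations, so this also works as a check: if any user can still call `add` after deploying it, the problem is in the caller's identity or the role mapping, not in annotation processing. Independently of that, the posted `add` is declared `final`, which the EJB 3.0 core specification (section 4.6.5) does not allow for business methods; dropping `final` is worth trying before touching descriptors.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<ejb-jar xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/ejb-jar_3_0.xsd"
         version="3.0">
    <display-name>ejb</display-name>

    <assembly-descriptor>
        <!-- equivalent of @DeclareRoles("employees") -->
        <security-role>
            <role-name>employees</role-name>
        </security-role>

        <!-- equivalent of the class-level @RolesAllowed("employees"):
             every business method of the bean requires the employees role -->
        <method-permission>
            <role-name>employees</role-name>
            <method>
                <!-- assumed: default ejb-name is the unqualified bean class name -->
                <ejb-name>PurchaseOrderDao</ejb-name>
                <method-name>*</method-name>
            </method>
        </method-permission>

        <!-- equivalent of @DenyAll on add(...): the exclude-list overrides any
             method-permission, so no caller may invoke add, whatever its roles.
             Without <method-params> this applies to every overload named add. -->
        <exclude-list>
            <method>
                <ejb-name>PurchaseOrderDao</ejb-name>
                <method-name>add</method-name>
            </method>
        </exclude-list>
    </assembly-descriptor>
</ejb-jar>
```

A call to `add` from the web module must then fail with `javax.ejb.EJBAccessException` for every authenticated user, and a call to any other business method must fail the same way for a user who is not in the `employees` group mapped in sun-application.xml.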