我試圖建立一個基於glassfish 3.1 + JSF2的Web應用程序。授權使用CAS服務器在Web應用程序安裝jasig CAS客戶端作爲建議在這裏進行:用於glassfish 3.1網絡應用的CAS認證。關於授權呢?
Configuring the JA-SIG CAS Client for Java in the web.xml
,我能趕上的主要對象在EJB內,當用戶進行身份驗證。 CAS主要屬性來自Active Directory上的LDAP。現在我該如何添加授權? 如何才能將特定網頁的訪問權限僅限於AD中定義的特定用戶組?
目的只是讓用戶根據其LDAP角色訪問不同的網頁。 我試圖遵循保護從Java EE教程Web應用程序和我的web.xml是
<filter>
<filter-name>CAS Authentication Filter</filter-name>
<filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
<init-param>
<param-name>casServerLoginUrl</param-name>
<param-value>https://casserver:8443/cas/login</param-value>
</init-param>
<init-param>
<param-name>serverName</param-name>
<param-value>http://localhost:8080</param-value>
</init-param>
</filter>
<filter>
<filter-name>CAS Validation Filter</filter-name>
<filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
<init-param>
<param-name>casServerUrlPrefix</param-name>
<param-value>https://casserver:8443/cas</param-value>
</init-param>
<init-param>
<param-name>serverName</param-name>
<param-value>http://localhost:8080</param-value>
</init-param>
</filter>
<filter>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<!--
<filter>
<filter-name>CAS Assertion Thread Local Filter</filter-name>
<filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>
-->
<filter-mapping>
<filter-name>CAS Authentication Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CAS Validation Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<context-param>
<param-name>javax.faces.PROJECT_STAGE</param-name>
<param-value>Production</param-value>
</context-param>
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>/faces/*</url-pattern>
</servlet-mapping>
<session-config>
<session-timeout>
30
</session-timeout>
</session-config>
<welcome-file-list>
<welcome-file>faces/index.xhtml</welcome-file>
</welcome-file-list>
<security-constraint>
<display-name>Pagina di user</display-name>
<web-resource-collection>
<web-resource-name>index1</web-resource-name>
<description>ristretto a user</description>
<url-pattern>/faces/index.xhtml</url-pattern>
</web-resource-collection>
<auth-constraint>
<description>user only</description>
<role-name>AMP-User</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<display-name>Pagina di profile</display-name>
<web-resource-collection>
<web-resource-name>index2</web-resource-name>
<description>risretto a profile</description>
<url-pattern>/faces/index_2.xhtml</url-pattern>
</web-resource-collection>
<auth-constraint>
<description>profile only</description>
<role-name>AMP-Profile</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<description>utente generico</description>
<role-name>AMP-User</role-name>
</security-role>
<security-role>
<description>Utente di alto profilo</description>
<role-name>AMP-Profile</role-name>
</security-role>
那麼我指定的角色到我的LDAP組glassifh-web.xml中
<glassfish-web-app error-url="">
<security-role-mapping>
<role-name>AMP-Profile</role-name>
<group-name>AMP-Profile</group-name>
</security-role-mapping>
<security-role-mapping>
<role-name>AMP-User</role-name>
<group-name>AMP-User</group-name>
</security-role-mapping>
<class-loader delegate="true"/>
<jsp-config>
<property name="keepgenerated" value="true">
<description>Keep a copy of the generated servlet class' java code.</description>
</property>
</jsp-config>
</glassfish-web-app>
問題是,當我訪問頁面index.xhtml時,表單要求我進行身份驗證,但身份驗證應該由CAS服務器完成。無論如何,我無法驗證。 如何使用CAS認證並將LDAP組映射到角色?
那麼你想使用glassfish進行身份驗證或授權嗎?還是CAS服務器(通過這些過濾器元素)應該阻止未經身份驗證的請求?您確實要求glassfish服務器通過指定它們的安全約束來限制對這些索引頁的訪問。由於您沒有提供身份驗證方法,我想它默認爲基本身份驗證。也許你可以刪除這些限制,讓CAS服務器完成它的工作。 – TPete 2012-03-27 10:32:59
CAS應阻止未經身份驗證的請求。此外,CAS或Glassfish應該阻止已認證的請求,但不允許使用角色。那可能嗎?我刪除了約束,但沒有執行授權,因此任何LDAP組都可以在驗證後訪問。 – maxqua72 2012-03-27 11:25:31
因此,在刪除安全性約束時,使用CAS服務器的身份驗證已經可以工作? – TPete 2012-03-27 18:38:10