JBOSS AS7 JAX-RS JAAS和註釋

Question

嘿，我希望有人能幫助嘗試了最後2天要弄清楚什麼我做錯了。 我想通過編程方式登錄到JAX-RS api並在我的端點上使用@RolesAlowed標註。

我登錄的很好，可以看到登錄端點中的主體集也我JSESSIONID。但是當我調用用@RolesAllowed（「USER」）註解的/ info/ping端點時，它會拋出UnauthenticatedException。如果我刪除了註釋，那麼req.getUserPrincipal（）通過cookie集合爲空事件。

任何幫助，將不勝感激。

我使用JBoss AS 7

設置如下：

Standalone.xml

<security-domain name="api" cache-type="default"> 
    <authentication> 
     <login-module code="Database" flag="required"> 
      <module-option name="dsJndiName" value="java:jboss/datasources/MysqlDS"/> 
      <module-option name="principalsQuery" value="select password from SiteUser where email=?"/> 
      <module-option name="rolesQuery" value="select role, 'Roles' from user_roles where email=?"/> 
      <module-option name="hashAlgorithm" value="MD5"/> 
      <module-option name="hashEncoding" value="base64"/> 
      <module-option name="unauthenticatedIdentity" value="GUEST"/> 
     </login-module> 
    </authentication> 
</security-domain> 

Web.xml中

<context-param> 
    <param-name>resteasy.role.based.security</param-name> 
    <param-value>true</param-value> 
</context-param> 
<filter> 
    <filter-name>Resteasy</filter-name> 
    <filter-class> 
     org.jboss.resteasy.plugins.server.servlet.FilterDispatcher 
    </filter-class> 
    <init-param> 
     <param-name>javax.ws.rs.Application</param-name> 
     <param-value>com.surecoin.api.rest.RootApplication</param-value> 
    </init-param> 
    <init-param> 
     <param-name>resteasy.scan</param-name> 
     <param-value>true</param-value> 
    </init-param> 
</filter> 
<security-constraint> 
    <web-resource-collection> 
     <web-resource-name>admin_resources</web-resource-name> 
     <url-pattern>/*</url-pattern> 
     <http-method>GET</http-method> 
     <http-method>POST</http-method> 
     <http-method>PUT</http-method> 
     <http-method>DELETE</http-method> 
    </web-resource-collection> 
    <user-data-constraint> 
     <transport-guarantee>NONE</transport-guarantee> 
    </user-data-constraint> 
</security-constraint> 
<!-- Login Prompt --> 
<login-config> 
    <auth-method>FORM</auth-method> 
    <form-login-config> 
     <form-login-page>/login/login.xhtml</form-login-page> 
     <form-error-page>/error.xhtml</form-error-page> 
    </form-login-config>  
</login-config> 
<security-role> 
    <description>Users</description> 
    <role-name>USER</role-name> 
</security-role> 
<security-role> 
    <role-name>guest</role-name> 
</security-role> 
<security-role> 
    <description>Admin</description> 
    <role-name>ADMIN</role-name> 
</security-role> 
<security-role> 
    <role-name>GUEST</role-name> 
</security-role> 

的jboss-web.xml中

<jboss-web> 
    <security-domain>api</security-domain> 
</jboss-web> 

和登錄代碼：

@POST 
@Path("login") 
@Produces(MediaType.APPLICATION_JSON) 
public Response login(@FormParam("email") String email, @FormParam("password") String password, 
     @Context HttpServletRequest req) { 
    String username = email; 
    //only login if not already logged in... 
    if(req.getUserPrincipal() == null) { 
     try { 
      req.login(username, password); 
      System.out.println(req.getUserPrincipal().toString()); 
     } 
     catch(ServletException e){ 
      e.printStackTrace(); 
      return Response.status(Response.Status.UNAUTHORIZED).build(); 
     } 

    } else { 
     System.out.println(req.getUserPrincipal().toString()); 
     req.getServletContext().log("Skip logged because already logged in: "+ username); 
    } 

    req.getServletContext().log("Authentication Demo: successfully retrieved User Profile from DB for " + username); 
    return Response.ok().build(); 
} 


Finally the security check: 
@Path("/info/ping") 
@Produces(MediaType.APPLICATION_JSON) 
@RolesAllowed("USER") 
@GET 
public String ping(@Context HttpServletRequest req){ 
    System.out.println(req.getUserPrincipal()); 
    System.out.println(req.isUserInRole("USER")); 
    return "{\"status\":\"ok\"}"; 
} 

Answer 1

主要的Servlet中的3.0會話範圍。確保第二個請求被映射/使用相同的會話（使用JSESSIONID）。