jakarta-ee - Security role mapping does not work from the deployment descriptor

Tags: jakarta-ee ejb-3.0 glassfish-3 cdi

Using GlassFish 3.1.1 for a Java EE 6 project, the security role mapping defined in glassfish-web.xml has no effect on the user-to-role mapping.

Calling request.isUserInRole("USER") as well as request.isUserInRole("ADMIN") always returns false.

glassfish-web.xml

<glassfish-web-app>
    <security-role-mapping>
        <role-name>ADMIN</role-name>
        <group-name>ADMIN</group-name>
    </security-role-mapping>
    <security-role-mapping>
        <role-name>USER</role-name>
        <group-name>USER</group-name>
    </security-role-mapping>
</glassfish-web-app>

If I annotate LoginBean.java with @DeclareRoles as shown below, the roles are assigned as expected.

LoginBean.java

// ... (other imports and the rest of the class are elided in the original post)
import java.io.Serializable;
import javax.annotation.security.DeclareRoles;
import javax.enterprise.context.RequestScoped;
import javax.inject.Named;

// Declares the role names this bean's code tests against
@DeclareRoles({"ADMIN", "USERS"})
@Named(value = "loginBean")
@RequestScoped
public class LoginBean implements Serializable { ...

Why do I need @DeclareRoles in LoginBean.java to get a working user-to-role mapping for request.isUserInRole?

Best answer

A similar question on Coderanch cites section 17.2.5.3, Declaration of Security Roles Referenced from the Bean's Code, of the EJB 3.1 specification:

The Bean Provider is responsible for using the DeclareRoles annotation or the security-role-ref elements of the deployment descriptor to declare all the security role names used in the enterprise bean code. The DeclareRoles annotation is specified on a bean class, where it serves to declare roles that may be tested by calling isCallerInRole from within the methods of the annotated class. Declaring the security roles allows the Bean Provider, Application Assembler, or Deployer to link these security role names used in the code to the security roles defined for an assembled application.

[...]

If the DeclareRoles annotation is not used, the Bean Provider must use the security-role-ref elements of the deployment descriptor to declare the security roles referenced in the code.

(emphasis mine)

So this is just a simple hint for the Deployer, who then does not have to interpret the code to get the list of roles used. That could be very hard if the developer calls isUserInRole() with role names coming from other methods or from very complex logic.

This may also be useful (from 17.3, Bean Provider's and/or Application Assembler's Responsibilities):

The main reason for providing the security view of the enterprise beans is to simplify the Deployer’s job. In the absence of a security view of an application, the Deployer needs detailed knowledge of the application in order to deploy the application securely. For example, the Deployer would have to know what each business method does to determine which users can call it. The security view defined by the Bean Provider or Application Assembler presents a more consolidated view to the Deployer, allowing the Deployer to be less familiar with the application.

(I see the question is about a web application, but I think the reasoning behind it is the same, and the Servlet specification is not as detailed.)

From the Deployer's Responsibilities, Assignment of Security Roles (17.4.2):

The Deployer assigns principals and/or groups of principals (such as individual users or user groups) used for managing security in the operational environment to the security roles defined by means of the DeclareRoles and RolesAllowed metadata annotations and/or security-role elements of the deployment descriptor.

So, according to the specification, glassfish-web.xml is created by the Deployer (not by the Bean Provider or the Application Assembler), and to do his job the Deployer needs the role names "defined by means of the DeclareRoles and RolesAllowed metadata annotations and/or security-role elements of the deployment descriptor."
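As an added example (not code from the question or the answer above), the following servlet shows the Bean Provider's half of the contract the answer describes: the code declares every role name it tests, so that the Deployer's group-to-role mapping in the page's glassfish-web.xml has a declared role to bind to. It assumes a Java EE 6 web application on GlassFish 3.x with a realm containing groups named ADMIN and USER; the servlet path /whoami and the class name WhoAmIServlet are placeholders. The role names in @DeclareRoles and @ServletSecurity must match the <role-name> values in glassfish-web.xml character for character, otherwise the container has no matching role and isUserInRole returns false.

```java
// Added example, not from the original question or answer.
// Assumes GlassFish 3.x, a realm with groups ADMIN and USER, and the
// glassfish-web.xml security-role-mapping shown in the question.
import java.io.IOException;
import java.io.PrintWriter;
import javax.annotation.security.DeclareRoles;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Bean Provider's side: declare every role name the code passes to isUserInRole.
// Without this (or <security-role> / <security-role-ref> in web.xml) there is no
// application role called ADMIN or USER for the Deployer's group mapping to bind to.
@DeclareRoles({"ADMIN", "USER"})
// Require authentication and limit access to the two declared roles: an
// unauthenticated caller is challenged, a caller in neither role receives 403.
@ServletSecurity(@HttpConstraint(rolesAllowed = {"ADMIN", "USER"}))
@WebServlet("/whoami") // placeholder path
public class WhoAmIServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        // getUserPrincipal() is non-null here because the constraint above
        // already forced authentication before doGet ran.
        out.println("user:  " + req.getUserPrincipal().getName());
        // isUserInRole tests the declared application role, which the Deployer
        // mapped from the realm group in glassfish-web.xml; it never consults
        // the realm's group names directly.
        out.println("ADMIN: " + req.isUserInRole("ADMIN"));
        out.println("USER:  " + req.isUserInRole("USER"));
        // Authorize privileged output on a declared role only, never on a
        // name that the class did not list in @DeclareRoles.
        if (req.isUserInRole("ADMIN")) {
            out.println("admin-only data would be returned here");
        }
    }
}
```

The equivalent declaration without annotations is a <security-role><role-name>USER</role-name></security-role> element in web.xml for each role; the security-role-ref element the quoted specification mentions additionally lets the name used in code differ from the application role it links to, which is the other way to make a hard-coded isUserInRole argument visible to the Deployer.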

Source: this question on Stack Overflow: https://stackoverflow.com/questions/7597849/
