Using GlassFish 3.1.1 for a Java EE 6 project, the security role mapping defined in glassfish-web.xml has no effect on the user-to-role mapping. Calling request.isUserInRole("USER") and request.isUserInRole("ADMIN") always returns false.
glassfish-web.xml

```xml
<glassfish-web-app>
    <security-role-mapping>
        <role-name>ADMIN</role-name>
        <group-name>ADMIN</group-name>
    </security-role-mapping>
    <security-role-mapping>
        <role-name>USER</role-name>
        <group-name>USER</group-name>
    </security-role-mapping>
</glassfish-web-app>
```
Annotating LoginBean.java with @DeclareRoles as shown below, the roles are assigned as expected.

LoginBean.java

```java
...
@DeclareRoles({"ADMIN", "USERS"})
@Named(value = "loginBean")
@RequestScoped
public class LoginBean implements Serializable { ...
```
Why do I need @DeclareRoles in LoginBean.java to get a working user-to-role mapping for request.isUserInRole?
Best answer
A similar question on Coderanch quotes section 17.2.5.3, Declaration of Security Roles Referenced from the Bean's Code, of the EJB 3.1 specification:

The Bean Provider is responsible for using the DeclareRoles annotation or the security-role-ref elements of the deployment descriptor to declare all the security role names used in the enterprise bean code. The DeclareRoles annotation is specified on a bean class, where it serves to declare roles that may be tested by calling isCallerInRole from within the methods of the annotated class. Declaring the security roles allows the Bean Provider, Application Assembler, or Deployer to link these security role names used in the code to the security roles defined for an assembled application. [...] If the DeclareRoles annotation is not used, the Bean Provider must use the security-role-ref elements of the deployment descriptor to declare the security roles referenced in the code.

(emphasis mine)
So this is simply a hint for the Deployer, who then does not have to read the code to obtain the list of roles it uses. That could be very hard if the developer calls isUserInRole() with role names that come from other methods or from very complex logic. This may also be useful (from 17.3, Responsibilities of the Bean Provider and/or Application Assembler):
The main reason for providing the security view of the enterprise beans is to simplify the Deployer’s job. In the absence of a security view of an application, the Deployer needs detailed knowledge of the application in order to deploy the application securely. For example, the Deployer would have to know what each business method does to determine which users can call it. The security view defined by the Bean Provider or Application Assembler presents a more consolidated view to the Deployer, allowing the Deployer to be less familiar with the application.
(I see the question is about a web application, but I think the reasoning behind it is the same, and the servlet specification is not as detailed.)

From the Deployer's responsibilities, Assignment of Security Roles (17.4.2):
The Deployer assigns principals and/or groups of principals (such as individual users or user groups) used for managing security in the operational environment to the security roles defined by means of the DeclareRoles and RolesAllowed metadata annotations and/or security-role elements of the deployment descriptor.
So, according to the specification, glassfish-web.xml is created by the Deployer (not by the Bean Provider or the Application Assembler), and to do that job the Deployer needs the role names from the "DeclareRoles and RolesAllowed metadata annotations and/or security-role elements of the deployment descriptor."
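For a web application the same declaration requirement applies to servlets. The following is an added example, not code from the question or the answer: a Servlet 3.0 servlet that declares both roles with @DeclareRoles, lets the container restrict access with @ServletSecurity, and branches on isUserInRole(). It assumes the realm and <login-config> are configured in web.xml and that glassfish-web.xml maps ADMIN and USER to groups as in the question; the class name, URL pattern and report strings are hypothetical.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import javax.annotation.security.DeclareRoles;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet written for this example; not code from the question
// or the answer. The names in @DeclareRoles are what the deployer maps to
// groups in glassfish-web.xml; a role declared nowhere (annotation or web.xml
// <security-role>) gives isUserInRole() nothing to resolve, so it is false.
@DeclareRoles({"ADMIN", "USER"})
// The container answers unauthenticated or unmapped callers before doGet().
@ServletSecurity(@HttpConstraint(rolesAllowed = {"ADMIN", "USER"}))
@WebServlet("/report")
public class ReportServlet extends HttpServlet {
    // Resolve the caller's role before anything is written to the response,
    // so a denial can still be sent as a clean error status.
    static String reportFor(HttpServletRequest req) {
        if (req.isUserInRole("ADMIN")) {
            return "full report (ADMIN)";
        }
        if (req.isUserInRole("USER")) {
            return "summary report (USER)";
        }
        return null; // authenticated, but in no role this servlet declares
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Principal caller = req.getUserPrincipal();
        String body = caller == null ? null : reportFor(req);
        if (body == null) {
            // Fail closed: no default view for callers the deployer's
            // mapping does not place in ADMIN or USER.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("caller: " + caller.getName());
        out.println(body);
    }
}
```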
Regarding jakarta-ee - security role mapping not working with the descriptor file, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/7597849/