I have the following servlet.
import java.io.IOException;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Runs every call made by this servlet as the "remote-guest" identity.
@DeclareRoles("remote-guest")
@RunAs("remote-guest")
public class GuestServlet extends HttpServlet {
    @EJB
    private Test test;
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        test.guest(); // the EJB is called under the run-as identity
    }
}
The servlet is mapped so that only users in the guest role can call it:

    <servlet>
        <servlet-name>guest-servlet</servlet-name>
        <servlet-class>test.web.GuestServlet</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>guest-servlet</servlet-name>
        <url-pattern>/guest</url-pattern>
    </servlet-mapping>
    <security-role>
        <role-name>guest</role-name>
    </security-role>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>guest-resources</web-resource-name>
            <url-pattern>/guest</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>guest</role-name>
        </auth-constraint>
    </security-constraint>
The Test EJB is implemented by the following TestBean class:

    import javax.annotation.security.DeclareRoles;
    import javax.annotation.security.RolesAllowed;
    import javax.ejb.Stateless;

    @Stateless
    @DeclareRoles("remote-guest")
    public class TestBean implements Test {
        // Only callers whose identity holds "remote-guest" may invoke this method;
        // anyone else gets javax.ejb.EJBAccessException.
        @RolesAllowed("remote-guest")
        public void guest() {
            System.out.println("TestBean.guest()");
        }
    }
Problem: when I call GuestServlet with a user mapped only to the guest role, the EJB throws javax.ejb.EJBAccessException, even though the servlet carries the @RunAs annotation. Should I also map the user to the remote-guest role? If the user must be mapped to both guest and remote-guest, what is the real purpose of @RunAs?
Best answer
Yes, a user needs to be mapped to the role, although it may be a different user from the one holding the "guest" role. As stated in EJB 3.1 specification section 17.3.4.1:
Because the Bean Provider and Application Assembler do not, in general, know the security environment of the operational environment, the run-as identity is designated by a logical role-name, which corresponds to one of the security roles defined by the Bean Provider or Application Assembler in the metadata annotations or deployment descriptor.
The Deployer then assigns a security principal defined in the operational environment to be used as the principal for the run-as identity. The security principal assigned by the Deployer should be a principal that has been assigned to the security role specified by RunAs annotation or by the role-name element of the run-as deployment descriptor element.
and in the Oracle Java EE 6 tutorial:
http://docs.oracle.com/cd/E19226-01/820-7627/bnbyr/index.html
The purpose of @RunAs is to allow communication between two containers that have different sets of roles and users (as shown in the link above), or to give a security identity to a component that has no security context of its own: for example, a message-driven bean that needs to call another bean which requires its caller to hold certain roles.
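As an added example (not part of the question or the answer), this is what the deployer-side mapping the answer describes looks like, assuming the application is deployed on GlassFish (the server used by the linked Oracle tutorial); the group name guests and the principal name svc-guest are constructed. End users only ever receive guest; remote-guest is granted solely to the run-as principal, so nobody can reach TestBean.guest() except through the servlet.

```xml
<!-- glassfish-web.xml, packaged in the WAR next to web.xml.
     Assumption: GlassFish; "guests" and "svc-guest" are constructed names. -->
<glassfish-web-app>
  <!-- Who may call /guest: members of the realm group "guests" get role "guest". -->
  <security-role-mapping>
    <role-name>guest</role-name>
    <group-name>guests</group-name>
  </security-role-mapping>
  <!-- Principal the container substitutes when GuestServlet (@RunAs) calls the EJB.
       It is the only identity holding "remote-guest"; web callers never receive it. -->
  <security-role-mapping>
    <role-name>remote-guest</role-name>
    <principal-name>svc-guest</principal-name>
  </security-role-mapping>
</glassfish-web-app>
```

If TestBean is packaged in a separate EJB jar, the same remote-guest mapping belongs in its glassfish-ejb-jar.xml (or in glassfish-application.xml for the whole EAR) so the EJB container resolves the propagated principal to the role that @RolesAllowed checks.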
On the topic "authentication - using @RunAs between a servlet and an EJB", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/9096867/