Controlling the security Principal passed on an EJB call


Problem description
I am working on a large existing EJB 1.1 application that currently does its own security and has no EJB-managed security.

I am trying to move to a more standard solution in small steps, and so I want to start controlling the security Principal being passed to the EJB. I am not going to be able to change the current login or security framework, so I don't believe I can move to JAAS at the present time.

Once I have created a java.security.Principal, where do I store it so it is passed in my EJB calls and available from context.getCallerPrincipal()?

Thanks.

Solution

Java EE security is a bit of an all-or-nothing thing. You are supposed to use the Java EE authentication mechanism to have the security context correctly set. As you can see, the EJBContext that you can obtain through injection is read-only.

The only standard way I'm aware of to change the security context is using things like @RunAs (see an example), but it's very inflexible. You cannot pass credentials dynamically.

There are some non-portable, container-specific mechanisms; for instance, Glassfish has ProgrammaticLogin. But even in this case, you need to pass the username/password; you cannot just change the Principal on the fly.

I remember reading articles where they explained how to set the security context manually using the internal API of the container, but it's of course non-portable and not supported.
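As an added illustration of the @RunAs option the answer mentions (example code, not from the original post), here is how the container-managed identity switch looks in practice. It assumes an EJB 3.x container with annotation support (the asker's application is EJB 1.1, which has no annotations), and the role names "auditor" and "user" and the bean names are made up.

```java
// File: AuditBean.java (hypothetical)
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// Downstream bean: only callers in the "auditor" role may invoke it.
// The container injects SessionContext; application code cannot assign
// a Principal to it, which is the read-only limitation the answer describes.
@Stateless
@DeclareRoles({"auditor", "user"})
public class AuditBean {
    @Resource
    private SessionContext ctx;

    @RolesAllowed("auditor")
    public String whoIsCalling() {
        // When reached through FacadeBean below, this is the run-as identity
        // mapped to "auditor" in the deployment descriptor, not the logged-in user.
        return ctx.getCallerPrincipal().getName();
    }
}

// File: FacadeBean.java (hypothetical)
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// @RunAs changes the identity propagated on this bean's outbound EJB calls.
// The role-to-principal mapping is fixed in the container configuration at
// deployment time, so no credentials can be chosen dynamically per call.
@Stateless
@RunAs("auditor")
public class FacadeBean {
    @EJB
    private SessionContext ctxHolder; // placeholder removed below
}
```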
