How to propagate JAAS Subject when calling a remote EJB (RMI over IIOP) from a pure client


Problem description

I am testing the propagation of JAAS Subject with a custom Principal from a standalone EJB client running on a raw Java runtime to a JavaEE server. I am targeting both JBoss and WebSphere implementations.

According to this forum thread I expected it would work with JBoss easily.

Here is my EJB client code snippet:

import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedExceptionAction;
import javax.naming.InitialContext;
import javax.security.auth.Subject;

Subject subject = new Subject();
Principal myPrincipal = new MyPrincipal("me I myself");
subject.getPrincipals().add(myPrincipal);

PrivilegedExceptionAction<String> action = new PrivilegedExceptionAction<String>() {
    public String run() throws Exception {
        // Visible here because doAs() binds the Subject to this thread's AccessControlContext
        System.out.println("Current Subject: " + Subject.getSubject(AccessController.getContext()));
        InitialContext ic = new InitialContext();
        Business1 b = (Business1) ic.lookup("StatelessBusiness1");
        return b.getNewMessage("Hello World");
    }
};

// Subject.doAs is static; with a PrivilegedExceptionAction it throws PrivilegedActionException
String result = Subject.doAs(subject, action);
System.out.println("result " + result);

The server-side code is:

public String getNewMessage(String msg) {
    System.out.println("getNewMessage principal: " + sessionContext.getCallerPrincipal());
    System.out.println("Current Subject: " + Subject.getSubject(AccessController.getContext()));
    return "getNewMessage: " + msg;
}

To be sure, even if it is the default behaviour, I have added this section to my ejb-jar.xml session bean:

<security-identity>
   <use-caller-identity/>
</security-identity>

My session bean is not protected by any role.

According to this IBM WebSphere infocenter section, I have also enabled the system property com.ibm.CSI.rmiOutboundPropagationEnabled=true.

Technically speaking the service call works properly either on JBoss or WebSphere. But the JAAS Subject including my custom principal created on the client is not propagated to the server. Of course, the Subject dumped just before JNDI context creation and EJB call is OK.

I run the same Java runtime version for server and client (IBM Java6 SR9 FP2...); the MyPrincipal serializable class is available on the server classpath (AppServer/lib/ext for WebSphere, server/default/lib for JBoss).

WebSphere dumps:

[8/31/12 11:56:26:514 CEST] 00000024 SystemOut     O getNewMessage principal: UNAUTHENTICATED
[8/31/12 11:56:26:515 CEST] 00000024 SystemOut     O Current Subject: null

JBoss dumps:

 12:30:20,540 INFO  [STDOUT] getNewMessage principal: anonymous
 12:30:20,540 INFO  [STDOUT] Current Subject: null

For sure, I have missed some kind of magic spell. Do you know which one?
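The "Current Subject: null" seen in both server dumps has a local counterpart that can be reproduced without any application server. The following stand-alone program is an added example (not code from the question or from either vendor): it shows that Subject.doAs only binds the Subject to the calling thread's AccessControlContext, so a thread whose context was established outside that doAs scope, let alone a separate server process, sees no Subject at all unless something explicitly carries the identity to it. The MyPrincipal class is a constructed stand-in for the asker's class; the program assumes a JDK (8 through 17) on which Subject.getSubject(AccessControlContext) is still supported.

```java
import java.io.Serializable;
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedExceptionAction;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import javax.security.auth.Subject;

public class SubjectScopeDemo {

    // Constructed stand-in for the asker's MyPrincipal; not the original class.
    static final class MyPrincipal implements Principal, Serializable {
        private final String name;
        MyPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return "MyPrincipal[" + name + "]"; }
    }

    /** What "server-side" code sees: only the Subject bound to its own AccessControlContext. */
    static String describeCaller() {
        Subject s = Subject.getSubject(AccessController.getContext());
        return s == null ? "Current Subject: null" : "Current Subject: " + s.getPrincipals();
    }

    public static void main(String[] args) throws Exception {
        Subject subject = new Subject();
        subject.getPrincipals().add(new MyPrincipal("me I myself"));

        // Create and warm up the worker thread BEFORE entering doAs: a thread constructed inside
        // doAs inherits the creator's AccessControlContext (Subject included), which would hide the point.
        ExecutorService worker = Executors.newSingleThreadExecutor();
        worker.submit(() -> null).get();

        try {
            Callable<String> viewFromOtherThread = SubjectScopeDemo::describeCaller;
            PrivilegedExceptionAction<String> action = () -> {
                String here = describeCaller();                       // Subject visible on this thread
                String there = worker.submit(viewFromOtherThread).get(); // other thread: null
                return "in doAs, caller thread  -> " + here + "\n"
                     + "in doAs, other thread   -> " + there;
            };
            System.out.println(Subject.doAs(subject, action));
            System.out.println("after doAs, caller thread -> " + describeCaller()); // null again
        } finally {
            worker.shutdown();
        }
    }
}
```

Run it with java SubjectScopeDemo: the first line prints the principal set, the second and third print "Current Subject: null". The remote EJB container is in the same position as the warmed-up worker thread, only further away: the IIOP request carries the method arguments, not the caller's AccessControlContext, so the identity has to be transported by the security protocol the answer below refers to.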

Recommended answer

I suspect you don't have security enabled on the WAS server. Because security is not enabled and you didn't authenticate to WAS, there is no credential. Thus your call to getCallerPrincipal is returning UNAUTHENTICATED.

If you turn on application security in WAS, you'll have to authenticate via the CSIv2 protocol. Creating your own JAAS subject in a standalone client will not do it. If it could, then anyone could create a "hey, it's me" credential and login to any remote EJB they wanted.

Your code will work on the server by attaching your subject to the running thread of execution. Flowing subjects/credentials across the wire requires a protocol to effect the serialization of the subject info and ensure trust of the party asserting the identity in the credential. From a standalone client, WAS accepts user info in the form of basic authorization, LTPA, and kerberos. This can be configured on an inbound CSIv2 configuration within the admin console. It's documented in the Info Center link I referenced earlier.

This is fun stuff. Good luck.
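The practical consequence of the answer is that the client must obtain its Subject from a login that the server can verify, rather than assembling one by hand. The following is an added example (not the answerer's code and not vendor code) of the standard JAAS way to do that: a LoginContext drives whatever login module the named configuration maps to, and the EJB call runs under the Subject that module produced. The configuration name is an assumption to verify against your server's documentation: "WSLogin" is the name IBM documents for WebSphere client programmatic login, and JBoss needs its own client configuration supplied through -Djava.security.auth.login.config. Business1 and the JNDI name are the asker's; the user name and fallback password are constructed placeholders.

```java
import java.io.IOException;
import java.security.PrivilegedExceptionAction;
import java.util.Arrays;
import javax.naming.InitialContext;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;

public class AuthenticatedEjbClient {

    /** Supplies user name and password to the login module without prompting on the console. */
    static final class CredentialCallbackHandler implements CallbackHandler {
        private final String user;
        private final char[] password;
        CredentialCallbackHandler(String user, char[] password) { this.user = user; this.password = password; }

        @Override
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    // Vendor-specific callbacks (e.g. a realm callback) would be handled here;
                    // failing loudly is better than silently sending an incomplete login.
                    throw new UnsupportedCallbackException(cb, "unhandled callback " + cb.getClass().getName());
                }
            }
        }
    }

    /**
     * Logs in through the named JAAS configuration and performs the EJB call under the
     * resulting Subject. A failed login throws LoginException before any lookup happens.
     */
    static String callBusiness1(String loginConfig, String user, char[] password) throws Exception {
        LoginContext lc = new LoginContext(loginConfig, new CredentialCallbackHandler(user, password));
        try {
            lc.login();                                  // the server-side login module validates the credential
            Subject authenticated = lc.getSubject();     // built by the module, not by this client
            return Subject.doAs(authenticated, new PrivilegedExceptionAction<String>() {
                public String run() throws Exception {
                    InitialContext ic = new InitialContext();
                    Business1 b = (Business1) ic.lookup("StatelessBusiness1");   // asker's JNDI name
                    return b.getNewMessage("Hello World");
                }
            });
        } finally {
            Arrays.fill(password, '\0');                 // do not keep the secret in memory longer than needed
            if (lc.getSubject() != null) {
                lc.logout();
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumption: "WSLogin" (WebSphere) or a JBoss client configuration named in
        // -Djava.security.auth.login.config; pass the name as the first argument to override.
        String loginConfig = args.length > 0 ? args[0] : "WSLogin";
        String user = args.length > 1 ? args[1] : "appuser";          // constructed placeholder
        char[] password = System.console() != null
                ? System.console().readPassword("Password for %s: ", user)
                : "constructed-placeholder".toCharArray();            // constructed placeholder for non-interactive runs
        System.out.println("result " + callBusiness1(loginConfig, user, password));
    }
}
```

With application security enabled on the server, the credential produced by this login is what the CSIv2 layer transports (as basic authentication, an LTPA token or a Kerberos ticket, depending on the inbound configuration), and getCallerPrincipal() on the bean then reflects the authenticated user instead of UNAUTHENTICATED or anonymous. The hand-built MyPrincipal from the question has no place in this flow; the server only trusts identities it validated itself.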

