使用来自JAX-RS Web服务的安全EJB [英] Using a secured EJB from a JAX-RS web service

问题描述

我正在运行Glassfish 4和Jersey作为JAX-RS实现。我已经像这样保护了我的EJB：

I'm running Glassfish 4 and Jersey as JAX-RS implementation. I have secured my EJB like this:

@Stateless
@DeclareRoles({"Authentication_Reader"})
@RolesAllowed({"Authentication_Reader"})
public class AuthenticationServiceBean { 
   public void foo() {
      ... 
   }

}

我在glassfish-web中创建了一个安全角色映射条目。 xml，我还在web.xml中创建了一个安全角色声明。

I have created a security-role-mapping entry in glassfish-web.xml, and I've also created a security-role declaration in web.xml.

以下是servlet的工作原理：

The following works from a servlet:

@WebServlet(name = "TestServlet", urlPatterns = {"/test.do"})
@RunAs("Authentication_Reader")
public class TestServlet extends HttpServlet {

    @Inject
    private AuthenticationServiceBean authenticationService;

    public void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
       authenticationService.foo();
        .. etc ...
    }
}

但是如果我从JAX-RS资源中执行此操作，例如：

But if I do it from a JAX-RS resource, such as this one:

@RequestScoped
@RunAs("Authentication_Reader")
@Path("test")
public class TestResource {
    @Inject
    private AuthenticationServiceBean authenticationServiceBean;

    @GET
    public String test() {
        int x = 123;  // This code executes fine
        authenticationServiceBean.foo();   // This gets an AccessLocalException
        return "I never returned this";
    }
}

Glassfish服务器日志基本上说：javax.ejb。 AccessLocalException：未授权此调用的客户端

The Glassfish server log basically says: javax.ejb.AccessLocalException: Client not authorized for this invocation

我不明白为什么这适用于servlet，而不适用于REST资源。对我来说，这似乎应该可以正常工作。

I don't understand why this works for a servlet, and not for the REST resource. To me, this seems like it should work just fine.

推荐答案

如果你改变 TestResource 是EJB，如果使用 @EJB 注入 AuthenticationServiceBean ，它应该可以工作。

If you change TestResource to be EJB and if you inject AuthenticationServiceBean using @EJB it should work.

您可以查看 jersey-ejb 例子。还有 jersey-gf-ejb 集成模块，用于在Glassfish AS上使用EJB。具体是 Jersey ，JAX-RS不支持将EJB注入到Resource类中。

You can look at jersey-ejb example. And there is also jersey-gf-ejb integration module to be used to use EJBs on Glassfish AS. This is Jersey specific, JAX-RS does not support to inject EJB into Resource class yet.

这篇关于使用来自JAX-RS Web服务的安全EJB的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！