Giving security privilege to a scheduler in Java EE 6
Problem description
I'm building a web application in Java EE 6 which is deployed to JBoss AS 7.1
I am using security at beans level (using @RolesAllowed({ "useradmin", "usernormal" }) annotation) and at the front end level (securing xhtml pages in the web.xml).
The authentication is done in JBoss, using its user management or LDAP (just a config change in the standalone.xml).
The whole security framework is working perfectly, even too well, if I dare say...
I also have a scheduler using the Java EE TimerService. It can accept different types of jobs, that can be scheduled later in time (original feature for a scheduler...).
I start having problems when the scheduler needs to run jobs that use some business logic beans, which are protected using the @RolesAllowed annotation. In that case, the security framework does its job and denies access to the scheduler.
Is there a way to programmatically give security privilege to my bean containing the scheduler?
Is it possible to fake an http session for the scheduler?
If so, what are the best practices to store login/password? I imagine it would be quite bad to hardcode them in a static variable...
Recommended answer
Looks like you are looking for something like @RunAs. Check this tutorial and see if it helps you: http://docs.oracle.com/cd/E19226-01/820-7627/bnbyr/index.html
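The @RunAs approach the answer points to, as an added example (not code from the question, the answer or the linked tutorial). `ReportService`, `JobScheduler` and their methods are hypothetical names; the roles are the ones from the question, and both beans are assumed to sit in the application's existing security domain. No login or password is stored anywhere, because the container assigns the role.

```java
// ReportService.java (hypothetical business bean, protected as in the question)
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;

@Stateless
@RolesAllowed({ "useradmin", "usernormal" })
public class ReportService {
    public String generate(String jobName) {
        return "report for " + jobName;
    }
}

// JobScheduler.java (hypothetical scheduler bean)
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.ejb.Singleton;
import javax.ejb.Timeout;
import javax.ejb.Timer;
import javax.ejb.TimerConfig;
import javax.ejb.TimerService;

@Singleton
@RunAs("useradmin") // role the container applies to calls this bean makes to other beans
public class JobScheduler {

    @Resource
    private TimerService timerService;

    @EJB
    private ReportService reports;

    // @RunAs does not guard this bean's own methods, so restrict who may
    // queue work that will later execute with the useradmin role.
    @RolesAllowed("useradmin")
    public void scheduleIn(long delayMillis, String jobName) {
        // Non-persistent single-action timer carrying the job name as its info.
        timerService.createSingleActionTimer(delayMillis, new TimerConfig(jobName, false));
    }

    // Invoked by the container with no logged-in caller; the outgoing call
    // to ReportService carries the useradmin role from @RunAs.
    @Timeout
    public void runJob(Timer timer) {
        reports.generate((String) timer.getInfo());
    }
}
```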