安全角色引用无法正常工作 [英] security-role-ref not working properly

问题描述

这些是我的web.xml的内容

these are the contents of my web.xml

<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
     version="3.0" metadata-complete="true">
  <servlet>
    <security-role-ref>
      <role-name>MY_GROUP_NAME</role-name>
      <role-link>REGISTERED_USER</role-link>
    </security-role-ref>
  </servlet>
  <servlet>
    <servlet-name>action</servlet-name>
    <servlet-class>org.apache.struts.action.ActionServlet</servlet-class>
    <init-param>
      <param-name>config</param-name>
      <param-value>/WEB-INF/struts-config.xml</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <resource-ref>
    <description>My datasource</description>
    <res-ref-name>jdbc/XXXXXXXX</res-ref-name>
    <res-type>javax.sql.DataSource</res-type>
    <res-auth>Container</res-auth>
  </resource-ref>
  <security-constraint>
    <display-name>Example Security Constraint</display-name>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <!-- Define the context-relative URL(s) to be protected -->
      <url-pattern>/protected/`*`</url-pattern>
      <!-- If you list http methods, only those methods are protected -->
      <http-method>DELETE</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint>
      <!-- Anyone with one of the listed roles may access this area -->
      <role-name>tomcat</role-name>
      <role-name>role1</role-name>
      <role-name>REGISTERED_USER</role-name>
    </auth-constraint>
  </security-constraint>
  <!-- Default login configuration uses form-based authentication -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Example Form-Based Authentication Area</realm-name>
    <form-login-config>
      <form-login-page>/protected/login.jsp</form-login-page>
      <form-error-page>/protected/error.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <!-- Security roles referenced by this web application -->
  <security-role>
    <role-name>role1</role-name>
  </security-role>
  <security-role>
    <role-name>tomcat</role-name>
  </security-role>
  <security-role>
    <role-name>REGISTERED_USER</role-name>
  </security-role>
</web-app>

当我使用ldap中的MY_GROUP_NAME组中的有效用户执行登录时，request.getRemoteUser()和request.getUserPrincipal()可以正常工作.针对MY_GROUP_NAME测试用户

when i perform login with a valid user which is in the group MY_GROUP_NAME in ldap then request.getRemoteUser() and request.getUserPrincipal() work ok. Testing the user against MY_GROUP_NAME

String role = request.getParameter("role"); 
request.isUserInRole(role);

工作正常.

问题是，根据角色Registration_USER测试用户时不起作用.有人看到我在这里想念的东西吗?

The problem is when testing the user against role REGISTERED_USER does not work. Does anyone see something that i am missing here?

一些其他信息

我使用Apache Tomcat v7.0.22

I use Apache Tomcat v7.0.22

LDAP是OpenDJ 2.4.5

LDAP is OpenDJ 2.4.5

windows 7操作系统

windows 7 OS

推荐答案

我没有使用过OpenDJ，但是根据

I've not experience with OpenDJ, but according to https://wikis.forgerock.org/confluence/display/OPENDJ/Configure+Apache+Tomcat+with+OpenDJ+as+an+Identity+Store there is not a "map" between tomcat roles and LDAP rules, as the mapping is one-to-one and the names should be the same. That's the LDAP groups you are going to use should be defined as Tomcat roles, and you should use their names on the security-role section of your web descriptor (web.xml).

这篇关于安全角色引用无法正常工作的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！