Wildfly, JAAS and SecurityContext


Question

I'm still playing with Wildfly-9.0.1.Final and JAAS (see my previous question Wildfly and JAAS login module) in a web application that uses a BASIC auth-method. While my custom login module works I got some problems about authorization. I use a RESTeasy RESTful web service with annotations to test, here is the code:

package it.bytebear.web.mongo;

import it.bytebear.web.mongo.jaas.MongoModuleCallbackHandler;
import it.bytebear.web.mongo.model.User;

import java.security.Principal;
import java.util.ArrayList;
import java.util.List;

import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Request;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.Response.Status;
import javax.ws.rs.core.SecurityContext;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Path("/service")
@Stateless
public class UserServices {

    private Logger log = LoggerFactory.getLogger(UserServices.class);

    @GET
    @Path("/userA")
    @RolesAllowed({ "userA" })
    public Response postUserA() {
        return Response.ok("You're user A.", MediaType.TEXT_HTML).build();
    }

    @GET
    @Path("/userB")
    @RolesAllowed({ "userB" })
    public Response postUserB() {
        return Response.ok("You're user B.", MediaType.TEXT_HTML).build();
    }

    @GET
    @Path("/userC")
    @RolesAllowed({ "userC" })
    public Response postUserC() {
        return Response.ok("You're user C.", MediaType.TEXT_HTML).build();
    }

    @POST
    @Path("/login")
    @PermitAll
    @Consumes(MediaType.APPLICATION_JSON)
    // @Consumes("application/x-authc-username-password+json")
    public Response login(User userCredentials) {
        log.info("logging in.");
        try {
            MongoModuleCallbackHandler handler = new MongoModuleCallbackHandler();
            handler.setUsername(userCredentials.getUserName());
            handler.setPassword(userCredentials.getPassword().toCharArray());
            LoginContext loginContext = new LoginContext("MongoLoginRealm", handler);
            loginContext.login();
            Subject subject = loginContext.getSubject();
            List<String> roles = new ArrayList<String>();
            for (Principal p : subject.getPrincipals()) {
                roles.add(p.getName());
            }
            String[] userCredentialsRoles = new String[roles.size()];
            roles.toArray(userCredentialsRoles);
            userCredentials.setRoles(userCredentialsRoles);
            return Response.ok().entity(userCredentials)
                    .type(MediaType.APPLICATION_JSON_TYPE).build();
        } catch (Exception e) {
            log.error("login fails.", e);
            return Response.status(Status.FORBIDDEN).entity("Not logged")
                    .type(MediaType.APPLICATION_JSON_TYPE).build();
        }
    }

    @GET
    @Path("/logout")
    @PermitAll
    public Response logout(Request req) {
        return Response.ok().build();
    }

    @POST
    @Path("/test")
    @PermitAll
    public Response test(@Context SecurityContext ctx) {
        Principal p = ctx.getUserPrincipal();
        return Response.status(Status.OK).entity(p).build();
    }
}

My login module is correctly invoked and generates a subject with a Group named Roles containing a Principal named userA, but when I try to access .../service/userA I always get a 403 error. I use the test method to check the subject but ctx.getUserPrincipal() always returns null. I miss how LoginModule and SecurityContext work: how does SecurityContext know about a Subject? More important: I'd like to learn more, links to resources and docs will be appreciated.

UPDATE: In my web.xml I'm using RESTEasy security:

...
<context-param>
<param-name>resteasy.role.based.security</param-name>
<param-value>true</param-value>
</context-param>
...

Am I messing up EJB security with RESTEasy security?

Answer

Don't implement, configure

I suggest avoiding doing all the JAAS handling programmatically. Just use the application server configuration and the security subsystem will take care of all the associations for you.

RestEasy implements role-based security. It has to be enabled in the application's context parameter "resteasy.role.based.security" in web.xml.

<context-param>
    <param-name>resteasy.role.based.security</param-name>
    <param-value>true</param-value>
</context-param>

If you don't use this parameter, then only the security constraints (in web.xml) are available for you for authorization configuration.

You can take some inspiration from my sample app on GitHub used for basic security testing. There is also a Java package with REST resources.

Take a look at the following code in the security subsystem implementation of WildFly:

  • SimpleSecurityManager
  • JbossAuthenticationManager extends JaasSecurityManagerBase
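As an added example (not part of the answer above or of the asker's project), here is the declarative setup the answer recommends for WildFly 9: a web.xml that enables RESTEasy role-based security, declares container-managed BASIC authentication and a security constraint, and a jboss-web.xml that binds the deployment to a security domain. The domain name MongoLoginRealm is taken from the question's LoginContext call and is assumed to be defined in the server's security subsystem with the asker's login module; the role names userA, userB and userC are the ones used in the question's @RolesAllowed annotations. The file locations are the standard ones and are assumed.

```xml
<!-- WEB-INF/web.xml (added example; assumed file location) -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <!-- Make RESTEasy enforce @RolesAllowed / @PermitAll on resource methods. -->
  <context-param>
    <param-name>resteasy.role.based.security</param-name>
    <param-value>true</param-value>
  </context-param>

  <!-- Container-managed BASIC authentication. The web container invokes the
       security domain's login module itself, so no LoginContext is needed in
       resource code. realm-name is only the challenge text sent to the client. -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>MongoLoginRealm</realm-name>
  </login-config>

  <!-- Everything under /service/* must be authenticated and hold one of the
       declared roles; the per-method @RolesAllowed then narrows this further.
       CONFIDENTIAL forces HTTPS, since BASIC sends the credentials on every
       request. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>REST services</web-resource-name>
      <url-pattern>/service/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>userA</role-name>
      <role-name>userB</role-name>
      <role-name>userC</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Roles referenced in auth-constraint and in @RolesAllowed must be declared. -->
  <security-role><role-name>userA</role-name></security-role>
  <security-role><role-name>userB</role-name></security-role>
  <security-role><role-name>userC</role-name></security-role>
</web-app>

<!-- WEB-INF/jboss-web.xml (added example; assumed file location) -->
<jboss-web>
  <!-- Binds the deployment to the security domain (assumed to be defined in the
       security subsystem of standalone.xml) whose login module puts the user's
       roles into a Group principal named "Roles". Once the container has
       authenticated the request this way, it populates the caller's Subject, so
       SecurityContext.getUserPrincipal() and isUserInRole() return real values. -->
  <security-domain>MongoLoginRealm</security-domain>
</jboss-web>
```

With this in place the programmatic login endpoint from the question becomes unnecessary: the web container authenticates every request under /service/* and RESTEasy checks @RolesAllowed against the roles the login module produced. Because the resource is a @Stateless bean, the EJB container applies @RolesAllowed as well; both checks read the same caller identity the web container established, which is why the question's hand-built LoginContext never reached the SecurityContext.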
