JAX-RS + EJB, SecurityContext inside ejb is null, on WildFly 10.1


Problem description


I am developing for the first time a JavaEE application that (tries to..) employs the ejb security features. I am working with WildFly 10.1. I have created a Jdbc security-domain and configured a form-based login. The access to web methods and url paths and the login work right (it prevents access to unauthorized ones and authorizes access after login).


I have a set of beans that implement the (Jax-RS) REST interface and I have a set of ejb Stateless beans that implement the business logic of my application.


These are the snippets of jboss-web.xml and web.xml:

<jboss-web>
    <security-domain>myDomain</security-domain>
</jboss-web>

web.xml:

<security-constraint>
    <web-resource-collection>
        <url-pattern>/api/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>administrator</role-name>
        <role-name>operator</role-name>
        <role-name>user</role-name>
    </auth-constraint>
</security-constraint>
<login-config><!-- 3 -->
    <auth-method>FORM</auth-method>
    <realm-name>myRealm</realm-name>
    <form-login-config>
        <form-login-page>/public/login.html</form-login-page>
        <form-error-page>/public/error.html</form-error-page>
    </form-login-config>
</login-config>


Here follow the examples of the code implementing the REST interface and the java beans. I have deleted boilerplate code and obfuscated my "use case" related names. Example of one Jax-RS bean:

@Stateless
@Path("api/my")
public class myFacadeREST {
    @EJB
    myFacade myFacade;

    @Context  //injected response proxy supporting multiple threads
    private HttpServletResponse response;

    @POST
    @Consumes({MediaType.APPLICATION_JSON})
    public void create(DataStuff entity) {
        myFacade.create(entity);
    }

    @GET
    @Path("{id}")
    @Produces({MediaType.APPLICATION_JSON})
    public DataStuff find(@PathParam("id") String id) {
        return myFacade.find(id);
    }
}


And the snippet of the injected EJB, where I need to programmatically access the security context and principal information:

@DeclareRoles({"administrator","operator","user"})
@PermitAll
@Stateless
public class myFacade {

    @PersistenceContext(unitName = "myPersistencePU")
    private EntityManager em;

    @Context SecurityContext securityContext;
    @Resource SecurityContext sc; //I have tried both :-(

    public DataStuff find(Object id) {
        //Here I get a NullPointerException, tried both sc and securitycontext
        String username = securityContext.getUserPrincipal().getName();
        if (username.equals("gino")) {
            return null;
        }
        return getEntityManager().find(entityClass, id);
    }
}


I have tried with and without @DeclareRoles, @PermitAll, but the securityContext and sc variables are always null. Perhaps I miss something, but I have understood that security info magically moves through bean calls.

Questions

  • How do I propagate the security context from the Jax-RS class to the ejb beans?
  • Is the security info managed auto-magically as I expected? or..
  • Do I need to improve or add other jboss-?.xml configuration files? or..
  • Do I have to change something in the calling Jax-RS beans in order to propagate the security information to the called beans? or..
  • Or am I doing something wrong?

Thank you in advance. Regards

Recommended answer


I have found the answer, the question was already asked here


SecurityContext is only for the JAX-RS bean; you need to inject an EJBContext object in place of the SecurityContext one into the other java beans. You can also use the SessionContext object, but the EJBContext interface resembles the SecurityContext one. Here is the working version:

@DeclareRoles({"administrator","operator","user"})
@PermitAll
@Stateless
public class myFacade {

    @PersistenceContext(unitName = "myPersistencePU")
    private EntityManager em;

    @Resource EJBContext securityContext;

    public DataStuff find(Object id) {
        //Now the securityContext is != null :-D
        String username = securityContext.getCallerPrincipal().getName();
        if (username.equals("gino")) {
            return null;
        }
        return getEntityManager().find(entityClass, id);
    }
}
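
Added example, not part of the original answer or the poster's code: an EJB that uses the injected context for a per-record ownership check and leaves the role check to the container. CallerAwareFacade, mayRead, purge and ownerName are hypothetical names; the role names are the ones declared on this page, and the javax.* packages are assumed for WildFly 10.1 (Java EE 7).

```java
// Added example, not the poster's code. CallerAwareFacade, mayRead, purge and
// ownerName are hypothetical names; role names are the ones used on this page.
import java.security.Principal;
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

@Stateless
@DeclareRoles({"administrator", "operator", "user"})
@RolesAllowed({"administrator", "operator", "user"}) // class default: any of the three roles
public class CallerAwareFacade {

    // SessionContext extends EJBContext; the container injects it into EJBs,
    // whereas javax.ws.rs.core.SecurityContext is only injected into JAX-RS classes.
    @Resource
    private SessionContext ctx;

    /** Object-level check: administrators read everything, others only their own records. */
    public boolean mayRead(String ownerName) {
        if (ctx.isCallerInRole("administrator")) {
            return true;
        }
        // getCallerPrincipal() never returns null (EJB spec); an unauthenticated
        // caller is represented by a container-specific principal instead.
        Principal caller = ctx.getCallerPrincipal();
        return ownerName != null && ownerName.equals(caller.getName());
    }

    /** Declarative check: the container rejects non-administrators before this body runs. */
    @RolesAllowed("administrator")
    public String purge(String id) {
        return "purged " + id + " by " + ctx.getCallerPrincipal().getName();
    }
}
```

A caller outside the administrator role gets a javax.ejb.EJBAccessException from purge instead of reaching the method body.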
