角色/权限在 Websphere Liberty 中不起作用 [英] Roles / Authorities not working in Websphere Liberty
问题描述
我正在尝试让 Spring 安全角色与 websphere 自由一起工作.我知道我已经正确设置了我的自由,因为我编写了一个非常简单的 servlet 3 应用程序,它具有基于角色的限制,并且它在具有相同角色限制的同一台服务器上工作.
I'm trying to get spring security roles to work with websphere liberty. I know I've got my liberty setup properly because I wrote a very simple servlet 3 app with role based restrictions and it worked on the same server with the same role restrictions.
这是我的 SecurityConfig 的相关部分:
Here is the relevant section of my SecurityConfig:
@Override
protected void configure(final HttpSecurity http) throws Exception {
LOGGER.info("adding testing constraint");
http.authorizeRequests()
.anyRequest().authenticated()
.and().httpBasic();
if (appProperties.isContainerManaged()) {
LOGGER.info("using container managed");
http.jee().mappableRoles("TESTING", "ADMIN");
}
http.csrf().disable()
.logout()
.permitAll();
}
以上是在服务器日志中打印出使用容器管理",所以我知道这是有效的:)
The above is printing out "using container managed" in the server logs so I know that's working :)
在我的控制器中,我传入了主体:
In my controller I am passing in the principal:
public String index(final Model model, final Principal principal, final HttpSession session,
final HttpServletRequest request) {
但是当我打电话时:
Authentication authentication = (Authentication) principal;
authentication.getAuthorities()
我一无所获.
这里是 server.xml 的相关部分:
Here is the relevant section of server.xml:
<application type="war" id="security-sample" name="security-test"
location="${server.config.dir}apps/security-sample.war">
<application-bnd>
<security-role name="TESTING">
<user name="myuser" />
</security-role>
</application-bnd>
</application>
我挖得更深一些.我将应用程序转换为使用 WebSpherePreAuthenticatedProcessingFilter.(我很震惊这方面的文档太少了).我加载了过滤器,但它在 Liberty 上失败了:
I've dug a bit deeper. I converted the app to use the WebSpherePreAuthenticatedProcessingFilter. (I was shocked how little docs there are on this). I got the filter to load but it fails on Liberty with:
javax.naming.NameNotFoundException: UserRegistry
javax.naming.NameNotFoundException: UserRegistry
这看起来是一个已知问题:
This looks to be a known problem:
据我所知,如果您使用容器管理的安全性,Spring Security 几乎不支持 Liberty.您可以获取用户信息,但不能获取组/角色/权限信息.
From what I can tell, Liberty is just barely supported in Spring Security if you are using container managed security. You can get the user information, but not the group / role / authority info.
更新:
我更进一步,我现在可以让用户的组自由显示,但不能显示通过安全角色映射的角色.
I got a bit farther, I can now get a user's groups to show up in liberty but NOT the roles that are mapped via security-role.
这是诀窍.我创建了一个获取用户组的 LibertyPreAuthenticatedWebAuthenticatedDetailsSource.我在这里使用了调用:http://www.ibm.com/support/knowledgecenter/SSD28V_8.5.5/com.ibm.websphere.wlp.core.doc/ae/rwlp_sec_apis.html 以找出如何获得用户的组.
Here's the trick. I created a LibertyPreAuthenticatedWebAuthenticatedDetailsSource that get's the user's groups. I used the calls here: http://www.ibm.com/support/knowledgecenter/SSD28V_8.5.5/com.ibm.websphere.wlp.core.doc/ae/rwlp_sec_apis.html to figure out how to get the groups for a user.
现在我只需要弄清楚如何使用映射的安全角色......
Now I just need to figure out how to use the mapped security roles....
推荐答案
我已经在 Java 11.0.8、Open Liberty 20.0.0.8 和 Spring Boot 2.3.1 中使用了这个.这是相关的安全配置.@DeclareRoles 是启用 ROLE_ACTUATOR 映射所必需的,.hasRole(ACTUATOR") 方法调用是不够的.
I've got this working with Java 11.0.8, Open Liberty 20.0.0.8 and Spring Boot 2.3.1. Here's the relevant Security Configuration. @DeclareRoles was necessary to enable the ROLE_ACTUATOR mapping, the .hasRole("ACTUATOR") method call was not sufficient.
@Configuration
@EnableWebSecurity(debug=true)
@EnableGlobalMethodSecurity(jsr250Enabled = true)
@DeclareRoles({"ROLE_SERVICE","ROLE_ACTUATOR"})
public class WebSecurityConfig extends WebSecurityConfigurerAdapter
{
@Override
protected void configure(HttpSecurity http)
throws Exception
{
http.csrf().disable()
.authorizeRequests()
.requestMatchers(EndpointRequest.toAnyEndpoint()).hasRole("ACTUATOR")
.anyRequest().authenticated()
.and()
.httpBasic()
.and()
.jee().mappableRoles("ACTUATOR","SERVICE")
;
}
server.xml 的相关部分
The relevant portions of server.xml
<basicRegistry>
<user name="wsAdmin" password="{hash}ATAAAAAI4h/5AWC+TLRAAAAAIOI2KiXXXDx7mesI2R99XTI1D1rskbx2IGeOsroCkqZh"/>
<user name="wsService" password="{hash}ATAAAAAItVt5WPc0H/NAAAAAIGSCDtS7RkFRXeG6v3hOqUAkcAdLme5Pmx1bSNsk9kVN"/>
</basicRegistry>
<webApplication context-root="sample" type="war" location="C:\Deploy\sample-0.0.1-SNAPSHOT.war" >
<application-bnd>
<security-role name="ROLE_SERVICE">
<user name="wsService" />
</security-role>
<security-role name="ROLE_ACTUATOR">
<user name="wsAdmin" />
</security-role>
</application-bnd>
</webApplication>
为映射生成这些日志条目
Generating these log entries for the mapping
[2020-09-29T14:55:50.212-0400] 0000002f SystemOut O 2020-09-29 14:55:50.211 DEBUG 11460 --- [ecutor-thread-9] p.j.J2eePreAuthenticatedProcessingFilter : PreAuthenticated J2EE principal: wsService
[2020-09-29T14:55:50.213-0400] 0000002f SystemOut O 2020-09-29 14:55:50.212 DEBUG 11460 --- [ecutor-thread-9] p.j.J2eePreAuthenticatedProcessingFilter : preAuthenticatedPrincipal = wsService, trying to authenticate
[2020-09-29T14:55:50.217-0400] 0000002f SystemOut O 2020-09-29 14:55:50.217 DEBUG 11460 --- [ecutor-thread-9] henticatedWebAuthenticationDetailsSource : J2EE roles [[ROLE_SERVICE]] mapped to Granted Authorities: [[ROLE_SERVICE]]
[2020-09-29T14:56:43.558-0400] 00000035 SystemOut O 2020-09-29 14:56:43.558 DEBUG 11460 --- [cutor-thread-13] p.j.J2eePreAuthenticatedProcessingFilter : PreAuthenticated J2EE principal: wsAdmin
[2020-09-29T14:56:43.558-0400] 00000035 SystemOut O 2020-09-29 14:56:43.558 DEBUG 11460 --- [cutor-thread-13] p.j.J2eePreAuthenticatedProcessingFilter : preAuthenticatedPrincipal = wsAdmin, trying to authenticate
[2020-09-29T14:56:43.559-0400] 00000035 SystemOut O 2020-09-29 14:56:43.559 DEBUG 11460 --- [cutor-thread-13] henticatedWebAuthenticationDetailsSource : J2EE roles [[ROLE_ACTUATOR]] mapped to Granted Authorities: [[ROLE_ACTUATOR]]
这篇关于角色/权限在 Websphere Liberty 中不起作用的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!