Configuring security to access EJB through WS -- WFLYEJB0364 Connection rejected


Problem description

I have followed this tutorial to configure an user ejbuser with password 12345678 and role appCitas. The instructions that I followed are:

C:\wildfly-14.0.1.Final\bin>jboss-cli.bat
You are disconnected at the moment. Type 'connect' to connect to the server or 'help' for the list of supported commands.
[disconnected /] connect

[standalone@localhost:9990 /] /subsystem=elytron/filesystem-realm=proxyRealm:add(path=proxy-realm-users,relative-to=jboss.server.config.dir)
{"outcome" => "success"}

[standalone@localhost:9990 /] /subsystem=elytron/filesystem-realm=proxyRealm:add-identity(identity=ejbuser)
{"outcome" => "success"}

[standalone@localhost:9990 /] /subsystem=elytron/filesystem-realm=proxyRealm:set-password(identity=ejbuser,clear={password=12345678})
{"outcome" => "success"}

[standalone@localhost:9990 /] /subsystem=elytron/filesystem-realm=proxyRealm:add-identity-attribute(identity=ejbuser,name=Roles,value=["guest", "appCitas"])
{"outcome" => "success"}

[standalone@localhost:9990 /] /subsystem=elytron/simple-role-decoder=from-roles-attribute:add(attribute=Roles)
{"outcome" => "success"}

[standalone@localhost:9990 /] /subsystem=elytron/security-domain=proxySD:add(default-realm=proxyRealm,permission-mapper=default-permission-mapper,realms=[{realm=proxyRealm,role-decoder=from-roles-attribute},{realm=local}])
{"outcome" => "success"}

[standalone@localhost:9990 /] /subsystem=elytron/sasl-authentication-factory=proxy-application-sasl-autentication:add(mechanism-configurations=[{mechanism-name=JBOSS-LOCAL-USER,realm-mapper=local},{mechanism-name=DIGEST-MD5,mechanism-realm-configurations=[{realm-name=proxyRealm}]},{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name=proxyRealm}]}],sasl-server-factory=configured,security-domain=proxySD)
{"outcome" => "success"}

[standalone@localhost:9990 /] /subsystem=ejb3/application-security-domain=other:add(security-domain=proxySD)
{"outcome" => "success"}

[standalone@localhost:9990 /] /subsystem=remoting/http-connector=http-remoting-connector:write-attribute(name=sasl-authentication-factory,value=proxy-application-sasl-autentication)
{ "outcome" => "success", "response-headers" => { "operation-requires-reload" => true, "process-state" => "reload-required" } }

In my EJB, I have

package es.ssib.otic.test.prototipoEjbCitas.impl;

import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;
import javax.jws.WebParam;
import javax.jws.WebService;
import javax.xml.bind.annotation.XmlElement;

import es.ssib.otic.test.prototipoEjbCitas.ApiCitasPublico;
import es.ssib.otic.test.prototipoEjbCitas.beans.IdPeticion;
import es.ssib.otic.test.prototipoEjbCitas.beans.PacienteCitaResponse;

@WebService(
  endpointInterface = "es.ssib.otic.test.prototipoEjbCitas.ApiCitasPublico",
  name = "ApiCitasEjb")
@RolesAllowed("apiCitas")
@Stateless
public class ApiCitasPublicoImpl
    implements ApiCitasPublico {

    @Override
    public @XmlElement(name = "pacienteCitaResponse", required = true) PacienteCitaResponse getPacienteCita(
        @WebParam(name = "datosSolicitante") @XmlElement(required = true) IdPeticion idPaciente) {
        ...
    }
}

And my jboss-app.xml

<?xml version="1.0" encoding="UTF-8"?>
<jboss-app>
   <security-domain>other</security-domain>
</jboss-app>

The ear deploys correctly and does not show any log problem, yet when I try to access a method from SoapUI and add Basic Authentication, with:

  • Username: ejbuser
  • Password: 12345678
  • Domain: I have tried other, proxySD, proxyRealm and leaving it blank
  • Pre-emptive authentication: I have combined all the above values of "Domain" with both "Use global preference" and "Authenticate pre-emptively".

In all cases, I get a

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <soap:Fault>
       <faultcode>soap:Server</faultcode>
       <faultstring>WFLYEJB0364: Invocation on method: public es.ssib.otic.test.prototipoEjbCitas.beans.PacienteCitaResponse es.ssib.otic.test.prototipoEjbCitas.impl.ApiCitasPublicoImpl.getPacienteCita(es.ssib.otic.test.prototipoEjbCitas.beans.IdPeticion) of bean: ApiCitasPublicoImpl is not allowed</faultstring>
    </soap:Fault>
  </soap:Body>
</soap:Envelope>

If I remove the security configuration, I can access through SoapUI with no problems.

Working with WildFly 14.0.0.1 Final.

Note: This question is somewhat related to my previous one, but since I have reinstalled the wildfly and I have followed step by step the above mentioned tutorial, I think it is better to post it as a separate question.

Following the lead of @fjuma's answer, I have configured the following:

[standalone@localhost:9990 /] /subsystem=elytron/http-authentication-factory=proxy-application-http-authentication:add(http-server-mechanism-factory=global,security-domain=proxySD,mechanism-configurations=[{mechanism-name=BASIC,mechanims-realm-configuration=[{realm-name=proxyAD}]}])
{"outcome" => "success"}

[standalone@localhost:9990 /] /subsystem=undertow/application-security-domain=proxyAD:add(http-authentication-factory=proxy-application-http-authentication)
{"outcome" => "success"}

And after changing the value of security-domain in jboss-app.xml to proxyAD, I get an error deploying the ear:

{
"WFLYCTL0412: Required services that are not installed:" => ["jboss.security.security-domain.proxyAD"],
"WFLYCTL0180: Services with missing/unavailable dependencies" => [
"jboss.deployment.subunit.\"prototipoEarCitas-0.0.1-SNAPSHOT.ear\".\"prototipoEjbCitas-0.0.1-SNAPSHOT.jar\".component.ApiCitasPublicoImpl.CREATE is missing [jboss.security.security-domain.proxyAD]",
"jboss.ws.endpoint.\"prototipoEarCitas-0.0.1-SNAPSHOT.ear\".\"prototipoEjbCitas-0.0.1-SNAPSHOT.jar\".ApiCitasPublicoImpl is missing [jboss.security.security-domain.proxyAD]"
]
}

Recommended answer

Things to note:

  • To make use of HTTP Basic authentication, an Elytron http-authentication-factory is needed. Documentation on how to configure this can be found here.

When using HTTP Basic authentication, an application-security-domain mapping also needs to be added in the Undertow subsystem. See https://developer.jboss.org/thread/276445 for more details related to this when using webservices.

This is the final minimal set of commands to configure EJB access through WS (tested on a clean, brand new WildFly 14.0.1.Final):

C:\wildfly-14.0.1.Final\bin>jboss-cli.bat
You are disconnected at the moment. Type 'connect' to connect to the server or 'help' for the list of supported commands.
[disconnected /] connect

[standalone@localhost:9990 /] /subsystem=elytron/properties-realm=proxyRealm:add(groups-attribute=groups,groups-properties={path=proxy-roles.properties,relative-to=jboss.server.config.dir},users-properties={path=proxy-users.properties,relative-to=jboss.server.config.dir,plain-text=true})
{"outcome" => "success"}

[standalone@localhost:9990 /] /subsystem=elytron/security-domain=proxySD:add(realms=[{realm=proxyRealm,role-decoder=groups-to-roles}],default-realm=proxyRealm,permission-mapper=default-permission-mapper)
{"outcome" => "success"}

[standalone@localhost:9990 /] /subsystem=elytron/http-authentication-factory=proxy-http-auth:add(http-server-mechanism-factory=global,security-domain=proxySD,mechanism-configurations=[{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name=proxyRealm}]}])
{"outcome" => "success"}

[standalone@localhost:9990 /] /subsystem=undertow/application-security-domain=proxySD:add(http-authentication-factory=proxy-http-auth)
{"outcome" => "success"}

[standalone@localhost:9990 /] /subsystem=elytron/sasl-authentication-factory=proxy-app-sasl-auth:add(mechanism-configurations=[{mechanism-name=JBOSS-LOCAL-USER,realm-mapper=local},{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name=proxyRealm}]}],sasl-server-factory=configured,security-domain=proxySD)
{"outcome" => "success"}

[standalone@localhost:9990 /] /subsystem=ejb3/application-security-domain=proxySD:add(security-domain=proxySD)
{"outcome" => "success"}

Notes:

  1. As you may have noticed, I switched from a FileSystem realm to a Properties realm. This is not related to the issue; it just made it easier to debug.

Elytron's security domain (defined at the 3rd command), Undertow's application security domain (defined at the 4th command) and EJB's application-security-domain (defined at the 6th command) have all the same name proxySD. That the name is the same in all three subsystems is important, and bad things can happen if they have different names (I have not tried out all the combinations).

WS based on EJBs must be invoked with "authenticate pre-emptively", sending the authentication data in the first request without being prompted by the server. WS based on POJOs in a war use the authentication system for web pages, so there is no need to authenticate pre-emptively.
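The following is an added example, not code from the question, the answer or WildFly itself. It models the behaviour the answer describes: the EJB-based endpoint never sends a 401 challenge, it only returns the WFLYEJB0364 SOAP fault once the container's role check fails, so a client that waits to be challenged (SoapUI without "Authenticate pre-emptively") never gets to send its credentials. It also renders the proxy-users.properties and proxy-roles.properties files that the final properties-realm command references but the page never shows, in the plain-text layout the command uses and in the pre-hashed layout that add-user.sh writes. The user name, password, roles and realm name are the ones on the page; the endpoint stand-in, the client and the SOAP strings are constructed here. One check worth making while reading it: the stand-in requires the role appCitas, which is what the realm assigns, whereas the bean in the question is annotated @RolesAllowed("apiCitas"); a role name that does not match the realm's role produces exactly the "is not allowed" fault shown above even with correct credentials.

```python
"""
Added example (not from the original question or answer): a stand-in for
the EJB-based web service, a client that authenticates pre-emptively or
only after a challenge, and a renderer for the properties-realm files.
"""
import base64
import hashlib

REALM = "proxyRealm"
# Constructed identity store mirroring the CLI commands on the page.
USERS = {"ejbuser": ("12345678", ["guest", "appCitas"])}
REQUIRED_ROLE = "appCitas"  # the role @RolesAllowed on the bean must name

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP_OK = (f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
           "<pacienteCitaResponse/></soap:Body></soap:Envelope>")
SOAP_FAULT = (f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body><soap:Fault>'
              "<faultcode>soap:Server</faultcode><faultstring>WFLYEJB0364: Invocation on "
              "method: getPacienteCita of bean: ApiCitasPublicoImpl is not allowed"
              "</faultstring></soap:Fault></soap:Body></soap:Envelope>")


def render_properties_realm(users, realm, plain_text=True):
    """Return (users_properties, groups_properties) text for an Elytron properties-realm.

    plain_text=True is what the page's command uses (plain-text=true).
    plain_text=False produces the pre-hashed layout add-user.sh writes: a
    '#$REALM_NAME=<realm>$' header and user=HEX(MD5("user:realm:password")),
    so the clear-text password never sits on disk.
    """
    users_lines = [] if plain_text else [f"#$REALM_NAME={realm}$"]
    groups_lines = []
    for name, (password, roles) in users.items():
        secret = password if plain_text else hashlib.md5(
            f"{name}:{realm}:{password}".encode()).hexdigest()
        users_lines.append(f"{name}={secret}")
        groups_lines.append(f"{name}={','.join(roles)}")
    return "\n".join(users_lines) + "\n", "\n".join(groups_lines) + "\n"


def authorize(auth_header):
    """True iff the Basic credentials name a known user holding REQUIRED_ROLE."""
    if not auth_header or not auth_header.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(auth_header[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return False
    user, _, password = decoded.partition(":")
    entry = USERS.get(user)
    return entry is not None and entry[0] == password and REQUIRED_ROLE in entry[1]


def ejb_ws_endpoint(headers):
    """Stand-in for the EJB endpoint; returns (status, body).

    The role check runs inside the EJB container after the SOAP request has
    been dispatched, so a request without credentials gets a 500 SOAP fault,
    never a 401 with a WWW-Authenticate challenge.
    """
    if authorize(headers.get("Authorization")):
        return 200, SOAP_OK
    return 500, SOAP_FAULT


def call_ws(endpoint, user, password, preemptive):
    """Invoke the endpoint; returns (status, faultstring or None).

    preemptive=False behaves like SoapUI without 'Authenticate pre-emptively':
    credentials are only sent after the server answers 401.
    """
    token = "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Content-Type": "text/xml"}
    if preemptive:
        headers["Authorization"] = token
    status, body = endpoint(headers)
    if status == 401 and not preemptive:  # challenge path: retry with credentials
        headers["Authorization"] = token
        status, body = endpoint(headers)
    fault = None
    if "<faultstring>" in body:
        fault = body.split("<faultstring>")[1].split("</faultstring>")[0]
    return status, fault


def demo():
    """Run the three exchanges a practitioner would compare."""
    return {
        "preemptive": call_ws(ejb_ws_endpoint, "ejbuser", "12345678", preemptive=True),
        "challenge": call_ws(ejb_ws_endpoint, "ejbuser", "12345678", preemptive=False),
        "wrong_pw": call_ws(ejb_ws_endpoint, "ejbuser", "wrong", preemptive=True),
    }


if __name__ == "__main__":
    for name, (status, fault) in demo().items():
        print(f"{name:10s} -> {status} {fault or 'OK'}")
    users_txt, groups_txt = render_properties_realm(USERS, REALM, plain_text=True)
    print(users_txt + groups_txt, end="")
```

Only the "preemptive" exchange succeeds; the "challenge" client sends no Authorization header, is never asked for one, and receives the same 500 fault as a wrong password would. When moving from plain-text=true to the hashed layout, the realm name in the '#$REALM_NAME=...$' header must be the one hashed into every line, otherwise DIGEST and BASIC verification against the file fails.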
