Dynamic roles on a Java EE server


Question

I want to manage user and roles in a dedicated application. For example a user of this application ("customerX boss") can create a new role "customerX employee". If an employee accesses the Java EE application server (GlassFish 3) he should get the role "customerX employee".

It sounds simple, but it is not supported by Java EE, because groups are mapped to roles at start-up time and the roles within the application are static.

What is the best way to manage user roles at runtime in a Java EE (6) environment?

Answer

The declarative security in Java EE is indeed not suited for such requirements. The problem of security can be split in two:

  • Authentication
  • Authorization

I had a similar requirement once. We used the built-in authentication to have the principal set and then relied on the default Java EE login mechanisms. But we ended up managing the authorization part manually at the application level.

Indeed, even the roles that will be loaded and associated with the principal (isUserInRole for the web and isCallerInRole for the EJB) need to be specified in web.xml or ejb.xml, which doesn't provide enough flexibility. We then had to load the roles manually (according to the principal) from LDAP or ActiveDirectory. We then used EJB3 interceptors and Servlet filters to perform the security checks ourselves.

I would however strongly suggest sticking to Role-based access control (RBAC) and not implementing something more fancy. There are several frameworks that can help to deal with home-made RBAC.

We also had a look at JSecurity and Acegi Security and they seemed interesting.
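The pattern the answer describes (let the container authenticate and set the principal, then resolve roles at call time and enforce them yourself) can be sketched as an EJB3 interceptor. The code below is an added example written for this page, not code from the answer's author or from any framework; the `RequiresDynamicRole` annotation, the `RoleStore` interface and the `"ANONYMOUS"` principal name are assumptions (GlassFish uses that name for an unauthenticated caller by default; adjust for your server), and `RoleStore` stands in for whatever looks roles up in LDAP, ActiveDirectory or a database.

```java
package example.security;

import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;
import java.security.Principal;
import java.util.Set;
import javax.annotation.Resource;
import javax.ejb.EJB;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.interceptor.AroundInvoke;
import javax.interceptor.InvocationContext;

/**
 * Added example: enforces roles that are created at runtime (e.g. "customerX employee")
 * instead of roles declared statically in ejb-jar.xml. The container still performs
 * authentication; this interceptor only does the authorization decision.
 */
public class DynamicRoleInterceptor {

    /** Marks a bean method (or a whole bean) that requires a runtime-defined role. */
    @Retention(RetentionPolicy.RUNTIME)
    @Target({ElementType.METHOD, ElementType.TYPE})
    public @interface RequiresDynamicRole {
        String value();
    }

    /** Hypothetical role store: resolves the caller's roles at call time (LDAP/AD/DB). */
    public interface RoleStore {
        Set<String> rolesOf(String principalName);
    }

    @Resource
    private SessionContext ctx;   // container-provided; principal set by built-in authentication

    @EJB
    private RoleStore roleStore;  // assumption: a stateless session bean implementing RoleStore

    @AroundInvoke
    public Object checkRole(InvocationContext ic) throws Exception {
        RequiresDynamicRole required = findAnnotation(ic.getMethod());
        if (required == null) {
            return ic.proceed();  // no dynamic role demanded on this method
        }
        Principal caller = ctx.getCallerPrincipal();
        if (caller == null || "ANONYMOUS".equals(caller.getName())) {
            // Deny by default: an unauthenticated caller never gets a dynamic role.
            throw new EJBAccessException("unauthenticated caller");
        }
        // Roles are looked up per call, so a role created a minute ago is honoured now.
        Set<String> roles = roleStore.rolesOf(caller.getName());
        if (roles == null || !roles.contains(required.value())) {
            // The message names the missing role for audit logs without listing what the caller does have.
            throw new EJBAccessException("caller " + caller.getName()
                    + " lacks role '" + required.value() + "'");
        }
        return ic.proceed();
    }

    /** Method-level annotation wins; otherwise fall back to the class-level one. */
    private static RequiresDynamicRole findAnnotation(Method m) {
        RequiresDynamicRole a = m.getAnnotation(RequiresDynamicRole.class);
        return a != null ? a : m.getDeclaringClass().getAnnotation(RequiresDynamicRole.class);
    }

    // Usage on a bean (hypothetical PayrollBean, shown here as a comment):
    //
    // @Stateless
    // @Interceptors(DynamicRoleInterceptor.class)
    // public class PayrollBean {
    //     @DynamicRoleInterceptor.RequiresDynamicRole("customerX employee")
    //     public String viewPayslip() { ... }
    // }
}
```

Two design points are worth keeping in mind with this shape: the check is deny-by-default (a missing annotation is the only way to skip it, so annotate at class level and relax per method rather than the reverse), and the role lookup happens on every call, so the `RoleStore` implementation should cache with a short TTL if the directory is slow, because a long-lived cache reintroduces the staleness the dynamic approach was meant to remove.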
