How do I get the @RolesAllowed annotation to work for my Web application?

Views: 2459

Problem description

I am making a Web application using Backbone.js, Bootstrap, NetBeans IDE 8.0, Java EE 7, JDK 8, WildFly server 8.1.0, JBoss RESTEasy (resteasy-jaxrs-3.0.8), JBoss 2.2.22, JBoss EJB 3.



I am (relatively) new to Web development, and as such I have only just started to grasp a lot of basic concepts and technologies. I am trying to build a permission system with users and roles into a Web application, but I cannot seem to get the @RolesAllowed annotation to work in my RESTful Web Service. I have been working on this problem for a few days now.



I have a RESTful resource (Java Enterprise/Session Bean?) called UserResource.java, in which I have a method create that creates a new user for the application:

import java.net.URI;
import java.security.Principal;
import java.util.List;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJB;
import javax.ejb.Stateless;
import javax.ws.rs.*;
import javax.ws.rs.core.*;
import org.jboss.ejb3.annotation.SecurityDomain;

@Stateless                // makes this resource an EJB: the EJB container, not only RESTEasy, checks @RolesAllowed
@SecurityDomain("other")
@Path("/user")
public class UserResource {
    @EJB(name = "UserServiceImp")
    UserService userService;

    @Context
    private UriInfo uriInfo;

    @RolesAllowed({"admin"})
    @Path("create")
    @POST
    public Response create(CreateRequest request) {
        try {
            System.out.println("Start of create method");
            User user = userService.createUser(request);
            return getCreateResponse(user);
        }
        catch (Exception e) {
            // any failure at all, not only a missing permission, is reported as 401 here
            return Response.status(401).entity("Failed to create user").build();
        }
    }
}

This create method works if I use the @PermitAll annotation, but it fails with an error if I use the @RolesAllowed annotation.



I have this Backbone view CreateUserView which provides a form (in HTML) to an end user (with admin rights) for creating new users for the application. On clicking the submit button, JSON data gets sent to the url 'rest/user/create' for creating a new user. Before the create method in UserResource.java gets executed, my SecurityInterceptor.java (which implements javax.ws.rs.container.ContainerRequestFilter) checks if the user has the required permissions. I have debugged this thoroughly and the Security Interceptor is functioning as it should. So after the Security Interceptor gives clear access, something goes wrong in UserResource.java. (As a side note, not sure if this is important, but I believe the Security Interceptor is based on this blog post about RESTEasy security. I was working on the application with another guy, he initially implemented it, so I'm not sure.. but it looks almost identical. Anyway that guy moved on to another project a few weeks ago.)



The error I am getting (output from the server) is the following:

16:45:25,775 ERROR [org.jboss.as.ejb3.invocation] (default task-60) JBAS014134: EJB Invocation failed on component UserResource for method public javax.ws.rs.core.Response org.profit.pgb.rest.resource.UserResource.create(org.profit.pgb.rest.api.CreateRequest): javax.ejb.EJBAccessException: JBAS014502: Invocation on method: public javax.ws.rs.core.Response org.profit.pgb.rest.resource.UserResource.create(org.profit.pgb.rest.api.CreateRequest) of bean: UserResource is not allowed
    at org.jboss.as.ejb3.security.AuthorizationInterceptor.processInvocation(AuthorizationInterceptor.java:135) [wildfly-ejb3-8.1.0.Final.jar:8.1.0.Final]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
    at org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:95) [wildfly-ejb3-8.1.0.Final.jar:8.1.0.Final]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
    at org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64) [wildfly-ejb3-8.1.0.Final.jar:8.1.0.Final]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
    at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:59) [wildfly-ejb3-8.1.0.Final.jar:8.1.0.Final]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
    at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
    at org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:55) [wildfly-ejb3-8.1.0.Final.jar:8.1.0.Final]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
    at org.jboss.invocation.ContextClassLoaderInterceptor.processInvocation(ContextClassLoaderInterceptor.java:64)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
    at org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:326)
    at org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:448)
    at org.jboss.invocation.AccessCheckingInterceptor.processInvocation(AccessCheckingInterceptor.java:61)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
    at org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:326)
    at org.jboss.invocation.PrivilegedWithCombinerInterceptor.processInvocation(PrivilegedWithCombinerInterceptor.java:80)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
    at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61)
    at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:185)
    at org.jboss.as.ee.component.ViewDescription$1.processInvocation(ViewDescription.java:182)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
    at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61)
    at org.jboss.as.ee.component.ProxyInvocationHandler.invoke(ProxyInvocationHandler.java:73)
    at org.profit.pgb.rest.resource.UserResource$$$view45.create(Unknown Source) [classes:]
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.8.0_11]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) [rt.jar:1.8.0_11]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.8.0_11]
    at java.lang.reflect.Method.invoke(Method.java:483) [rt.jar:1.8.0_11]
    at org.jboss.weld.util.reflection.Reflections.invokeAndUnwrap(Reflections.java:401) [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23]
    at org.jboss.weld.bean.proxy.EnterpriseBeanProxyMethodHandler.invoke(EnterpriseBeanProxyMethodHandler.java:99) [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23]
    at org.jboss.weld.bean.proxy.EnterpriseTargetBeanInstance.invoke(EnterpriseTargetBeanInstance.java:56) [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23]
    at org.jboss.weld.bean.proxy.InjectionPointPropagatingEnterpriseTargetBeanInstance.invoke(InjectionPointPropagatingEnterpriseTargetBeanInstance.java:65) [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23]
    at org.jboss.weld.bean.proxy.ProxyMethodHandler.invoke(ProxyMethodHandler.java:100) [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23]
    at org.profit.pgb.rest.resource.UserResource$Proxy$_$$_Weld$EnterpriseProxy$.create(Unknown Source) [classes:]
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.8.0_11]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) [rt.jar:1.8.0_11]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.8.0_11]
    at java.lang.reflect.Method.invoke(Method.java:483) [rt.jar:1.8.0_11]
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137) [resteasy-jaxrs-3.0.8.Final.jar:]
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296) [resteasy-jaxrs-3.0.8.Final.jar:]
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250) [resteasy-jaxrs-3.0.8.Final.jar:]
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:237) [resteasy-jaxrs-3.0.8.Final.jar:]
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356) [resteasy-jaxrs-3.0.8.Final.jar:]
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179) [resteasy-jaxrs-3.0.8.Final.jar:]
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220) [resteasy-jaxrs-3.0.8.Final.jar:]
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) [resteasy-jaxrs-3.0.8.Final.jar:]
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) [resteasy-jaxrs-3.0.8.Final.jar:]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) [jboss-servlet-api_3.1_spec-1.0.0.Final.jar:1.0.0.Final]
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:61) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:113) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:56) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:61) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:240) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:227) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:73) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:146) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:177) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:727) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_11]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_11]
    at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_11]

16:45:25,957 ERROR [io.undertow.request] (default task-60) UT005023: Exception handling request to /pgb/rest/user/create: org.jboss.resteasy.spi.UnhandledException: javax.ejb.EJBAccessException: JBAS014502: Invocation on method: public javax.ws.rs.core.Response org.profit.pgb.rest.resource.UserResource.create(org.profit.pgb.rest.api.CreateRequest) of bean: UserResource is not allowed
    at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76) [resteasy-jaxrs-3.0.8.Final.jar:]
    at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212) [resteasy-jaxrs-3.0.8.Final.jar:]
    at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149) [resteasy-jaxrs-3.0.8.Final.jar:]
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372) [resteasy-jaxrs-3.0.8.Final.jar:]
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179) [resteasy-jaxrs-3.0.8.Final.jar:]
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220) [resteasy-jaxrs-3.0.8.Final.jar:]
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) [resteasy-jaxrs-3.0.8.Final.jar:]
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) [resteasy-jaxrs-3.0.8.Final.jar:]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) [jboss-servlet-api_3.1_spec-1.0.0.Final.jar:1.0.0.Final]
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:61) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:113) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:56) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:61) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:240) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:227) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:73) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:146) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:177) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:727) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_11]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_11]
    at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_11]
Caused by: javax.ejb.EJBAccessException: JBAS014502: Invocation on method: public javax.ws.rs.core.Response org.profit.pgb.rest.resource.UserResource.create(org.profit.pgb.rest.api.CreateRequest) of bean: UserResource is not allowed
    at org.jboss.as.ejb3.security.AuthorizationInterceptor.processInvocation(AuthorizationInterceptor.java:135) [wildfly-ejb3-8.1.0.Final.jar:8.1.0.Final]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
    at org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:95) [wildfly-ejb3-8.1.0.Final.jar:8.1.0.Final]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
    at ... etc (not fully shown because of SO's character limit)

I have seen other people ask similar questions, some still unanswered to this day (e.g. jax-rs service RolesAllowed annotation throws exception) and others with a solution that did not work for me, or that I could not apply correctly (e.g. RESTEasy support for JAX-RS @RolesAllowed).



I found this: https://developer.jboss.org/thread/177728?start=0&tstart=0 (titled: @RolesAllowed, @DenyAll require the presence of org.jboss.ejb3.annotation.SecurityDomain?), and tried the solution, but I could not get it to work for my project. Not sure whether the solution does not apply to my situation or whether I am just doing it wrong.



I found this: https://developer.jboss.org/message/720815 (titled: Is this a defect in the handling of org.jboss.ejb3.annotation.SecurityDomain?), but I do not understand where my jboss-ejb-client.properties is supposed to be. I think their project is very different from mine. So no luck there.



I found the EJB3 Security Guide, and as suggested there I put the following in my standalone.xml file:

<security-domain name="other" cache-type="default">
    <authentication>
        <login-module code="Remoting" flag="optional">
            <module-option name="password-stacking" value="useFirstPass"/>
        </login-module>
        <login-module code="RealmDirect" flag="required">
            <module-option name="password-stacking" value="useFirstPass"/>
        </login-module>
    </authentication>
</security-domain>

But that did not solve anything at all. I do not know whether it did anything.



Finally, I found this question: RESTEasy support for JAX-RS @RolesAllowed (which refers to the RESTEasy documentation). Even though I mentioned this question a few paragraphs ago as containing a solution that did not work for me, it did change the error into a different error. As suggested there, I added a <context-param> block to my web.xml file:

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>PGB</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>

        <user-data-constraint>
            <!-- When CONFIDENTIAL is specified, SSL is required -->
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <context-param>
        <param-name>resteasy.role.based.security</param-name>
        <param-value>true</param-value>
    </context-param>
</web-app>

If I now try to create a new user, it results in the following error (not posted here in full because of this question's character limit):

16:58:45,992 WARN [org.jboss.resteasy.core.ExceptionHandler] (default task-61) failed to execute: javax.ws.rs.ForbiddenException: HTTP 403 Forbidden
    at org.jboss.resteasy.plugins.interceptors.RoleBasedSecurityFilter.filter(RoleBasedSecurityFilter.java:45) [resteasy-jaxrs-3.0.8.Final.jar:]
    at ... etc

This error is actually one for which I find less information when I search for it than I found when I searched for the previous error. So I do not know whether this is a step in the right direction. What is returned from the server? Status 500 (Internal Server Error) or status 403 (Forbidden)? Also, if after applying this solution I change the annotation back to @PermitAll, creating a new user works as before, so it did not make the situation worse.



However, I was able to find the source code of RoleBasedSecurityFilter, which shows that it throws the ForbiddenException. It shows that a certain isUserInRole method has to return true, but it does not in my application. I cannot get it to return true. This makes me wonder whether RESTEasy's RoleBasedSecurityFilter.java can be disabled?



I also found the following SO question: @RolesAllowed not working with Jersey, answered by Abhijit Sarkar, who mentions an IBM article. Maybe the solution to my problem lies in there, but I have not found it yet.. Anyway, the suggestion there is that adding a security-role block to my web.xml file or adding a @DeclareRoles annotation to my UserResource.java file should solve the problem, but the HTTP 403 Forbidden warning persists after I did so. This is very frustrating.



My security-role block (in web.xml) looks like this:

<security-role id="role_admin">
    <description>This is role 1 (admin)</description>
    <role-name>admin</role-name>
</security-role>

I added the following security-constraint block (in web.xml) (note the auth-constraint):

<security-constraint>
    <web-resource-collection>
        <web-resource-name>PGB</web-resource-name>
        <url-pattern>/rest/user/create</url-pattern>
        <!-- only these two methods are covered by this constraint; any other HTTP method on this URL is not -->
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint id="AuthConstraint_createUser">
        <description>Only administrators can create new users</description>
        <role-name>admin</role-name>
    </auth-constraint>
    <user-data-constraint>
        <!-- When CONFIDENTIAL is specified, SSL is required -->
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

I now realise that my problem lies either in the deployment descriptor (web.xml) or in the server configuration (WildFly's standalone-full.xml).



I added a login-config element (using FORM authentication) to my web.xml file and changed my login HTML page to the required format. I followed this article about migrating Java EE applications from GlassFish to WildFly, but I think I am still doing something wrong, because I always end up on the login error page when trying to log in with valid user credentials.



See here the security-domain element I added to my WildFly configuration:

<security-domain name="app" cache-type="default">
    <authentication>
        <login-module code="Database" flag="required">
            <module-option name="dsJndiName" value="java:jboss/datasources/mySQL_pool_rel"/>
            <module-option name="principalsQuery" value="select hashed_password from user where email_address = ?"/>
            <module-option name="rolesQuery" value="select role_name, 'Roles' from role r inner join user u on r.role_type = u.role_type where u.email_address = ?"/>
            <!-- the stored value is compared against Base64(SHA-256(password)); no salt option is configured -->
            <module-option name="hashAlgorithm" value="SHA-256"/>
            <module-option name="hashEncoding" value="BASE64"/>
            <!-- a caller without credentials is not rejected here but becomes principal "guest" -->
            <module-option name="unauthenticatedIdentity" value="guest"/>
        </login-module>
        <login-module code="RoleMapping" flag="required">
            <module-option name="rolesProperties" value="file:${jboss.server.config.dir}/app.properties"/>
            <module-option name="replaceRole" value="false"/>
        </login-module>
    </authentication>
</security-domain>

I think something is wrong with my rolesQuery defined there, but I can’t figure out what.



I would love to know how to implement role-based security for my Web application. Therefore, I also accept other approaches to role-based security, as long as it works. Suggestions are welcome.



I also placed my question on developer.jboss.org, but I also got no response there yet.



I provided one workaround solution to my problem as an answer to this question, but it is not a real solution (as explained in that answer). I am still interested in doing this the right way.
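Two separate layers can reject the request in the question, and they consult different identities. RESTEasy's RoleBasedSecurityFilter (the HTTP 403 above) asks the JAX-RS SecurityContext; the EJBAccessException thrown by AuthorizationInterceptor in the first stack trace comes from the EJB container, which checks the caller identity established in the bean's security domain. A ContainerRequestFilter that makes its own decision and then lets the request through populates neither. The diagnostic resource below is an added example, not code from the question: it reports what each layer sees for the current caller. The class name and the security-domain name "app" are assumptions; "app" was chosen to match the Database login module posted above, whereas the question's bean is annotated "other", whose login modules (Remoting, RealmDirect) do not read that database.

```java
// Added diagnostic, not part of the original question. Deploy it next to
// UserResource and call GET /pgb/rest/whoami after logging in.
package example.diag;   // hypothetical package

import java.security.Principal;
import javax.annotation.Resource;
import javax.annotation.security.PermitAll;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.SecurityContext;
import org.jboss.ejb3.annotation.SecurityDomain;

@Stateless
@SecurityDomain("app")          // assumption: must equal <security-domain> in WEB-INF/jboss-web.xml
@Path("/whoami")
public class WhoAmIResource {

    @Resource
    private SessionContext ejb;     // identity the EJB AuthorizationInterceptor checks @RolesAllowed against

    @Context
    private SecurityContext jaxrs;  // identity RESTEasy's RoleBasedSecurityFilter checks @RolesAllowed against

    @GET
    @PermitAll                      // the diagnostic must stay reachable even while roles are wrong
    @Produces(MediaType.TEXT_PLAIN)
    public String whoAmI() {
        return report(jaxrs.getUserPrincipal(), jaxrs.isUserInRole("admin"),
                      ejb.getCallerPrincipal(), ejb.isCallerInRole("admin"));
    }

    // Pure function, so the wording can be checked without a container
    static String report(Principal web, boolean webAdmin, Principal ejbCaller, boolean ejbAdmin) {
        String webName = web == null ? "<none>" : web.getName();
        String ejbName = ejbCaller == null ? "<none>" : ejbCaller.getName();
        StringBuilder sb = new StringBuilder();
        sb.append("jax-rs principal=").append(webName).append(" admin=").append(webAdmin).append('\n');
        sb.append("ejb    principal=").append(ejbName).append(" admin=").append(ejbAdmin).append('\n');
        if (!webName.equals(ejbName) || webAdmin != ejbAdmin) {
            sb.append("MISMATCH: the web layer and the EJB layer do not agree on the caller; ")
              .append("check that jboss-web.xml and @SecurityDomain name the same security domain\n");
        }
        return sb.toString();
    }
}
```

If the jax-rs line shows the logged-in user but the ejb line shows a different or anonymous caller, the bean is being authorized under a different domain than the one the FORM login used. In WildFly 8 a web application that names no domain in WEB-INF/jboss-web.xml is authenticated against the undertow subsystem's default security domain, which is "other" out of the box; putting the same domain name in jboss-web.xml and in @SecurityDomain is what makes the two lines agree. Note also that the posted "app" domain sets unauthenticatedIdentity to guest, so a caller who sends no credentials is not rejected by the login module but shows up here as "guest" with whatever roles app.properties maps to that name.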

Solution

Just had the same problem.



It’s the @Stateless annotation. That marks your class as an EJB and the container attempts to enforce EJB security.



I discovered this by writing filters and my own SecurityContext, only to find that my SecurityContext was never referenced.



Removing @Stateless resulted in getUserPrincipal() being called on the SecurityContext.
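With @Stateless removed as the answer suggests, the EJB AuthorizationInterceptor is out of the picture, and the only thing left that enforces @RolesAllowed is RESTEasy's RoleBasedSecurityFilter, which is active only while the resteasy.role.based.security context-param from the question is set (drop the annotation's EJB enforcement and that parameter at the same time and the annotation is checked by nothing). That filter decides by calling isUserInRole() on the JAX-RS SecurityContext, which is why the question's setup ended at RoleBasedSecurityFilter.java:45 with 403: no SecurityContext carrying the admin role had been installed. The following is an added example, not code from the question, the answer or RESTEasy: a ContainerRequestFilter that authenticates with HTTP Basic against a constructed in-memory table and installs such a SecurityContext before the role filter runs. The class name, package, realm name and user table are assumptions; a real deployment verifies against the same store the container uses.

```java
// Added example (not from the original post): supplies the SecurityContext
// that RESTEasy's RoleBasedSecurityFilter consults for @RolesAllowed once the
// resource is a plain CDI bean rather than an EJB.
package example.security;   // hypothetical package

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;

@Provider
@Priority(Priorities.AUTHENTICATION)   // 1000: ordered before the AUTHORIZATION (2000) role filter
public class BasicAuthFilter implements ContainerRequestFilter {

    // Constructed sample store, user -> {password, role}. Illustration only.
    private static final Map<String, String[]> USERS = new HashMap<>();
    static {
        USERS.put("alice", new String[] {"correct horse", "admin"});
        USERS.put("bob",   new String[] {"battery staple", "user"});
    }

    @Override
    public void filter(final ContainerRequestContext ctx) throws IOException {
        String[] creds = decodeBasic(ctx.getHeaderString("Authorization"));
        String[] entry = creds == null ? null : USERS.get(creds[0]);
        // Constant-time comparison; unknown user and wrong password take the same path
        if (entry == null || !MessageDigest.isEqual(
                entry[0].getBytes(StandardCharsets.UTF_8),
                creds[1].getBytes(StandardCharsets.UTF_8))) {
            // Abort instead of falling through: a request that reaches the resource
            // without a SecurityContext is never asked isUserInRole() at all.
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                    .header("WWW-Authenticate", "Basic realm=\"pgb\"")
                    .build());
            return;
        }
        final String user = creds[0];
        final String role = entry[1];
        ctx.setSecurityContext(new SecurityContext() {
            @Override public Principal getUserPrincipal() {
                return new Principal() { @Override public String getName() { return user; } };
            }
            // This is the call RoleBasedSecurityFilter makes for each name in @RolesAllowed
            @Override public boolean isUserInRole(String r) { return role.equals(r); }
            @Override public boolean isSecure() {
                return "https".equalsIgnoreCase(ctx.getUriInfo().getRequestUri().getScheme());
            }
            @Override public String getAuthenticationScheme() { return SecurityContext.BASIC_AUTH; }
        });
    }

    // Returns {user, password}, or null when the header is absent or malformed
    static String[] decodeBasic(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        try {
            String pair = new String(Base64.getDecoder().decode(header.substring(6).trim()),
                                     StandardCharsets.UTF_8);
            int colon = pair.indexOf(':');
            return colon < 0 ? null : new String[] {pair.substring(0, colon), pair.substring(colon + 1)};
        } catch (IllegalArgumentException badBase64) {
            return null;
        }
    }
}
```

Pair it with the question's UserResource after removing @Stateless, @SecurityDomain and the javax.ejb imports (annotate the class @javax.enterprise.context.RequestScoped so it remains a CDI bean), keep @RolesAllowed({"admin"}) on create, and keep the resteasy.role.based.security context-param. A request without credentials then gets 401 from this filter, a request from bob gets 403 from RoleBasedSecurityFilter, and only alice reaches the method. Once the bean is no longer an EJB, this filter chain is the only protection the method has, so the filter must abort rather than fall through when authentication fails.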


    at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:240) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:227) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:73) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:146) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:177) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:727) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_11]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_11]
    at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_11]

16:45:25,957 ERROR [io.undertow.request] (default task-60) UT005023: Exception handling request to /pgb/rest/user/create: org.jboss.resteasy.spi.UnhandledException: javax.ejb.EJBAccessException: JBAS014502: Invocation on method: public javax.ws.rs.core.Response org.profit.pgb.rest.resource.UserResource.create(org.profit.pgb.rest.api.CreateRequest) of bean: UserResource is not allowed
    at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76) [resteasy-jaxrs-3.0.8.Final.jar:]
    at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212) [resteasy-jaxrs-3.0.8.Final.jar:]
    at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149) [resteasy-jaxrs-3.0.8.Final.jar:]
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372) [resteasy-jaxrs-3.0.8.Final.jar:]
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179) [resteasy-jaxrs-3.0.8.Final.jar:]
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220) [resteasy-jaxrs-3.0.8.Final.jar:]
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) [resteasy-jaxrs-3.0.8.Final.jar:]
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) [resteasy-jaxrs-3.0.8.Final.jar:]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) [jboss-servlet-api_3.1_spec-1.0.0.Final.jar:1.0.0.Final]
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:61) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:113) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:56) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:61) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:240) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:227) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:73) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:146) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:177) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:727) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_11]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_11]
    at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_11]
Caused by: javax.ejb.EJBAccessException: JBAS014502: Invocation on method: public javax.ws.rs.core.Response org.profit.pgb.rest.resource.UserResource.create(org.profit.pgb.rest.api.CreateRequest) of bean: UserResource is not allowed
    at org.jboss.as.ejb3.security.AuthorizationInterceptor.processInvocation(AuthorizationInterceptor.java:135) [wildfly-ejb3-8.1.0.Final.jar:8.1.0.Final]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
    at org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:95) [wildfly-ejb3-8.1.0.Final.jar:8.1.0.Final]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
    at org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64) [wildfly-ejb3-8.1.0.Final.jar:8.1.0.Final]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
    at ... etc. (not fully shown due to SO's character limit on questions..)

I've seen other people ask similar questions, some which remain unanswered to this day (e.g. jax-rs service RolesAllowed Annotation throwing exception) and others which have solutions that either do not work for me or maybe I do not apply the solution correctly (e.g. RESTEasy support for JAX-RS @RolesAllowed).

I found this: https://developer.jboss.org/thread/177728?start=0&tstart=0 (titled: "@RolesAllowed, @DenyAll require presence of org.jboss.ejb3.annotation.SecurityDomain?"). I tried the solution but I cannot get it to work for my project. Not sure if the solution is not applicable for my situation or if I'm just doing it wrong.

I found this: https://developer.jboss.org/message/720815 (titled: "is this a defect for processing org.jboss.ejb3.annotation.SecurityDomain ?"), but I do not understand where my jboss-ejb-client.properties are supposed to be. I think they set their project up quite different from me. So no luck with that.

I found a guide on EJB3 security; as suggested there, I provided the following code in my standalone.xml-file:

<security-domain name="other" cache-type="default">
    <authentication>
        <login-module code="Remoting" flag="optional">
            <module-option name="password-stacking" value="useFirstPass"/>
        </login-module>
        <login-module code="RealmDirect" flag="required">
            <module-option name="password-stacking" value="useFirstPass"/>
        </login-module>
    </authentication>
</security-domain>

But that did not solve anything at all. I am not sure if it did anything.

Finally, I found this SO question: RESTEasy support for JAX-RS @RolesAllowed (which refers to the RESTEasy Documentation). Even though I also mentioned this question a few paragraphs up as containing a solution that does not work for me, it did change the error to another error. As suggested there I added a <context-param>-block to my web.xml-file:

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>PGB</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>

        <user-data-constraint>
            <!-- use of SSL is required when CONFIDENTIAL is specified -->
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <context-param>
      <param-name>resteasy.role.based.security</param-name>
      <param-value>true</param-value>
   </context-param>
</web-app>

Which results in the following error if I try to create a new user (not completely posted here due to character limit of SO questions):

16:58:45,992 WARN  [org.jboss.resteasy.core.ExceptionHandler] (default task-61) failed to execute: javax.ws.rs.ForbiddenException: HTTP 403 Forbidden
    at org.jboss.resteasy.plugins.interceptors.RoleBasedSecurityFilter.filter(RoleBasedSecurityFilter.java:45) [resteasy-jaxrs-3.0.8.Final.jar:]
    at ... etc.

This error is not very helpful either; in fact, I find even less information when I search on that error than when I search on the previous error. So, I am not sure if that is a step in the right direction. What is better to have returned from the server? A status 500 (Internal Server Error) or a status 403 (Forbidden)? Also, if after applying that "solution" I change the annotation to @PermitAll, then the creation of a new user works just as before, so it didn't really make the situation any worse.

However, I can find the source code of RoleBasedSecurityFilter, which shows that it throws the ForbiddenException. It shows that a certain isUserInRole method must return true, but it does not do that in my application. I can't get it to return true. It makes me wonder: is it possible to disable RoleBasedSecurityFilter.java of RESTEasy?

I also found the following SO question: @RolesAllowed cannot be resolved with Jersey, which is answered by Abhijit Sarkar, and he refers to an IBM article. Maybe the solution to my problem lies in there, but I have not found it yet. Anyway, it is suggested there that either adding a security-role block to my web.xml-file or adding a @DeclareRoles annotation to my UserResource.java file should solve the problem, but the HTTP 403 Forbidden warning still remains after I do so. It is very frustrating.

My security-role block (in web.xml) looks as follows:

<security-role id="role_admin">
    <description>This is role 1 (admin)</description>
    <role-name>admin</role-name>
</security-role>

And I added the following security-constraint block (in web.xml): (note the auth-constraint)

<security-constraint>
    <web-resource-collection>
        <web-resource-name>PGB</web-resource-name>
        <url-pattern>/rest/user/create</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint id="AuthConstraint_createUser">
        <description> Only admin can create a new user</description>
        <role-name>admin</role-name>
    </auth-constraint>
    <user-data-constraint>
        <!-- use of SSL is required when CONFIDENTIAL is specified -->
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

I realize now that my problem lies either in the deployment descriptors (web.xml) or the server configuration (WildFly's standalone-full.xml).

I added a login-config element (with FORM authentication) to my web.xml file. Changed my login HTML page to fit the required format. I followed some of the steps of this article on migrating a Java EE App from GlassFish to WildFly, but I think I still did something wrong because I always end up at the login error page when trying to log in with valid user credentials.

See here the security-domain element I added to my WildFly configuration:

<security-domain name="app" cache-type="default">
    <authentication>
        <login-module code="Database" flag="required">
            <module-option name="dsJndiName" value="java:jboss/datasources/mySQL_pool_rel"/>
            <module-option name="principalsQuery" value="select hashed_password from user where email_address=?"/>
            <module-option name="rolesQuery" value="select role_name, 'Roles' from role r inner join user u on r.role_type = u.role_type where u.email_address = ?"/>
            <module-option name="hashAlgorithm" value="SHA-256"/>
            <module-option name="hashEncoding" value="BASE64"/>
            <module-option name="unauthenticatedIdentity" value="guest"/>
        </login-module>
        <login-module code="RoleMapping" flag="required">
             <module-option name="rolesProperties" value="file:${jboss.server.config.dir}/app.properties"/>
             <module-option name="replaceRole" value="false"/>
        </login-module>
    </authentication>
</security-domain>

I think something is wrong with my rolesQuery defined there, but I can't figure out what.

I would love to know how to implement role-based security for my Web application. Therefore, I also accept other approaches to role-based security, as long as it works. Suggestions are welcome.

I also placed my question on developer.jboss.org, but I have had no response there yet either.

I provided one workaround solution to my problem as an answer to this question, but it is not a real solution (as explained in that answer). I am still interested in doing this the right way.

Solution

Just had the same problem.

It's the @Stateless annotation. That marks your class as an EJB and the container attempts to enforce EJB security.

I discovered this by writing filters and my own SecurityContext, only to find that my SecurityContext was never referenced.

Removing @Stateless resulted in getUserPrincipal() being called on the SecurityContext.
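Added example (not the answerer's or the project's code) of the arrangement the answer above points to: the resource is a plain JAX-RS class without @Stateless, so the EJB container's AuthorizationInterceptor never runs, and with resteasy.role.based.security=true RESTEasy evaluates @RolesAllowed through the SecurityContext that a ContainerRequestFilter installs. The filter, the role table and the user names are assumptions; two source files are shown in one block.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.annotation.Priority;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;

// --- RoleSecurityFilter.java ---
// Runs at AUTHENTICATION priority, so it precedes authorization-stage filters such as
// RESTEasy's RoleBasedSecurityFilter, and installs the SecurityContext whose
// isUserInRole() that filter calls when the resource method carries @RolesAllowed.
@Provider
@Priority(Priorities.AUTHENTICATION)
public class RoleSecurityFilter implements ContainerRequestFilter {

    // Constructed stand-in for the application's user/role store (hypothetical data).
    // A real deployment would look roles up in the same table the rolesQuery reads.
    private static final Map<String, Set<String>> ROLES_BY_USER = new HashMap<>();
    static {
        ROLES_BY_USER.put("alice@example.com", new HashSet<>(Collections.singletonList("admin")));
        ROLES_BY_USER.put("bob@example.com", new HashSet<>(Collections.singletonList("user")));
    }

    @Override
    public void filter(ContainerRequestContext ctx) {
        // The identity comes from the container (e.g. the FORM login in web.xml), never
        // from a client-supplied header; with no authenticated principal every role check fails.
        final SecurityContext container = ctx.getSecurityContext();
        final Principal principal = container.getUserPrincipal();
        final Set<String> roles = principal == null
                ? Collections.<String>emptySet()
                : ROLES_BY_USER.getOrDefault(principal.getName(), Collections.<String>emptySet());

        ctx.setSecurityContext(new SecurityContext() {
            @Override public Principal getUserPrincipal() { return principal; }
            @Override public boolean isUserInRole(String role) { return roles.contains(role); }
            @Override public boolean isSecure() { return container.isSecure(); }
            @Override public String getAuthenticationScheme() { return container.getAuthenticationScheme(); }
        });
    }
}

// --- UserResource.java ---
// Plain JAX-RS resource: no @Stateless, so the EJB container's AuthorizationInterceptor
// is out of the picture. With resteasy.role.based.security=true in web.xml, RESTEasy's
// RoleBasedSecurityFilter answers 403 whenever isUserInRole("admin") returns false.
@Path("/user")
public class UserResource {
    @RolesAllowed({"admin"})
    @Path("create")
    @POST
    public Response create(String body) {
        return Response.ok("user created").build();
    }
}
```

A request by alice@example.com reaches create(); one by bob@example.com or by an unauthenticated client is rejected by RESTEasy before the method body runs.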
