Invoke EJB from WildFly safely


Problem description




I'm trying to re-write my old application in an enterprise, "business" way.
So, I've got a Swing client with a login module and my own server created from scratch. The client uses an SSL certificate to encrypt the TCP connection to the server (I check the client certificate on the server and the server certificate on the client), and then the server uses a database to authenticate and authorize the user.



Now I'm trying to get it working with EJBs hosted by WildFly 8 CR1. I want to use the same client-server key pair to connect the Swing client to the WildFly server and then authenticate the user with the name and credentials stored in a MySQL datasource. I also have roles stored in the database and I want to use them to configure client principals.



I have a simple, basic EJB invocation:

import javax.naming.Context;
import javax.naming.InitialContext;

// Remote-naming lookup; the JNDI settings come from jndi.properties on the classpath
Context ctx = new InitialContext();
MyBeanRemote bean = (MyBeanRemote) ctx.lookup("AppName/module-0.0.1-SNAPSHOT/MyBean!my.app.MyBeanRemote");
ResultType result = bean.doSomething();



I have a jndi.properties file

java.naming.factory.initial=org.jboss.naming.remote.client.InitialContextFactory
java.naming.provider.url=http-remoting://myServer:8080
jboss.naming.client.ejb.context=true
java.naming.security.principal=app-user-name
java.naming.security.credentials=password@123



And I have basic datasource configuration

<datasource jta="false" jndi-name="java:jboss/datasources/MyDB" pool-name="MyDB" enabled="true" use-ccm="false">
<connection-url>jdbc:mysql://localhost:3306/Mydb</connection-url>
<driver-class>com.mysql.jdbc.Driver</driver-class>
<driver>mysql-connector-java-5.1.28-bin.jar</driver>
<security>
  <user-name>mysqlUser</user-name>
  <password>mysqlPass</password>
</security>
<validation>
  <validate-on-match>false</validate-on-match>
  <background-validation>false</background-validation>
</validation>
<statement>
  <share-prepared-statements>false</share-prepared-statements>
</statement>
</datasource>



Everything above works fine.



I have read some guides but still haven't found one that describes how to use the composite of: EJB (not web) + WildFly 8 (not JBoss 7) + encryption by SSL + authentication and authorization via a datasource with a client login module



Any help will be appreciated.


Sorry for my English, I often use this language for reading, not writing :)

Recommended answer


You would need to create a security realm mapped to your remoting connector in the standalone.xml file, like so:

<management>
  <security-realms>
    <security-realm name="MyRealm">
      <authentication>
        <jaas name="my-domain"/>
      </authentication>
    </security-realm>
  </security-realms>
</management>

<subsystem xmlns="urn:jboss:domain:remoting:1.1">
  <connector name="remoting-connector" socket-binding="remoting" security-realm="MyRealm"/>
</subsystem>


Then you should enable the security domain with a proper LoginModule (a built-in one, or your own):

<security-domains>
    <security-domain name="my-domain" cache-type="default">
        <authentication>
            <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
                <module-option name="dsJndiName" value="java:jboss/datasources/serviceDS"/>
                <module-option name="principalsQuery" value="SELECT identificationCode FROM devices WHERE name=?"/>
                <module-option name="rolesQuery" value="SELECT 'device', 'Roles' FROM devices WHERE name=?"/>
            </login-module>
        </authentication>
    </security-domain>
</security-domains>


Of course the datasource should point to a database in which the queries will find the proper principals (users) and their roles. Be sure to check out two articles about remoting: https://docs.jboss.org/author/display/AS71/Remote+EJB+invocations+via+JNDI+-+EJB+client+API+or+remote-naming+project and https://docs.jboss.org/author/display/AS71/EJB+invocations+from+a+remote+client+using+JNDI. It seems like you are using the "old" remoting; the client login module is no longer supported from JBoss 7. The bottom line is that your EJB remoting config should look more like this (notice the local users, which are disallowed!):

remote.connections=default
remote.connection.default.host=localhost
remote.connection.default.port=8080
remote.connection.default.username=userName
remote.connection.default.password=password
remote.connection.default.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS=JBOSS-LOCAL-USER
remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT=false

Be sure to check out https://github.com/wildfly/quickstart/tree/master/ejb-remote


Finally, remember to add your security domain mapping in your jboss-ejb3.xml:

<jboss:ejb-jar xmlns:jboss="http://www.jboss.com/xml/ns/javaee"
               xmlns="http://java.sun.com/xml/ns/javaee"
               xmlns:s="urn:security:1.1"
               version="3.1"
               impl-version="2.0">
  <assembly-descriptor>
    <s:security>
      <ejb-name>*</ejb-name>
      <s:security-domain>my-domain</s:security-domain>
    </s:security>
  </assembly-descriptor>
</jboss:ejb-jar>
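As an added example (not code from the question or the answer), here is how the Swing client could open a scoped EJB client context that carries the remoting properties from the answer while presenting the client certificate the question describes; the host, port 8443, keystore paths, the `https-remoting` protocol value and the `my.app` package are assumptions.

```java
// Added example: scoped EJB client context over mutual TLS, with the
// JBOSS-LOCAL-USER mechanism disallowed as in the answer's properties.
import java.util.Properties;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import my.app.MyBeanRemote;   // assumed package, taken from the question's JNDI name
import my.app.ResultType;     // assumed to live in the same package

public class SecureEjbClient {

    // Assumed JSSE settings: the client key pair and the server's CA from the
    // hand-written server are reused against WildFly's HTTPS listener.
    static void configureMutualTls() {
        System.setProperty("javax.net.ssl.keyStore", "client-keystore.jks");      // assumed path
        System.setProperty("javax.net.ssl.keyStorePassword", "changeit");          // placeholder
        System.setProperty("javax.net.ssl.trustStore", "server-truststore.jks");  // assumed path
        System.setProperty("javax.net.ssl.trustStorePassword", "changeit");        // placeholder
    }

    // Same keys as the answer's jboss-ejb-client.properties, built per context
    // so the settings are not global to the JVM.
    static Properties ejbClientProperties(String host, int port, String user, char[] password) {
        Properties p = new Properties();
        p.put(Context.URL_PKG_PREFIXES, "org.jboss.ejb.client.naming"); // enables ejb: lookups
        p.put("org.jboss.ejb.client.scoped.context", "true");
        p.put("remote.connections", "default");
        p.put("remote.connection.default.host", host);
        p.put("remote.connection.default.port", String.valueOf(port));
        p.put("remote.connection.default.protocol", "https-remoting"); // assumed: HTTPS upgrade transport
        p.put("remote.connection.default.username", user);
        p.put("remote.connection.default.password", new String(password));
        p.put("remote.connection.default.connect.options.org.xnio.Options.SSL_ENABLED", "true");
        p.put("remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS", "true");
        p.put("remote.connection.default.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS", "JBOSS-LOCAL-USER");
        return p;
    }

    public static void main(String[] args) throws NamingException {
        configureMutualTls();
        // user name and password are the values from the question's jndi.properties
        Properties p = ejbClientProperties("myServer", 8443, "app-user-name", "password@123".toCharArray());
        Context ctx = new InitialContext(p);
        try {
            // ejb: namespace layout is app/module/distinct-name/bean!remote-interface
            MyBeanRemote bean = (MyBeanRemote) ctx.lookup(
                    "ejb:AppName/module-0.0.1-SNAPSHOT//MyBean!my.app.MyBeanRemote");
            ResultType result = bean.doSomething();
            System.out.println("Server replied: " + result);
        } finally {
            ctx.close(); // releases the scoped connection and its credentials
        }
    }
}
```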
