Client not authorized for this invocation JAX-RS EJB error
Question

I have been searching for a solution to this for a while, here goes...

I followed this tutorial to auto generate a jax-rs web service from a database: https://netbeans.org/kb/docs/websvc/rest.html

This works great, but when I try to secure the application by annotating the resource methods with @RolesAllowed("myRole"), I get this exception...

"WARNING: EJB5184:A system exception occurred during an invocation on EJB LicenceFacadeREST, method: public java.util.List resources.LicenceFacadeREST.findAll()
WARNING: javax.ejb.AccessLocalException: Client not authorized for this invocation"

I have narrowed it down to the EJB JACC policy check failing. When I do not use EJB/JPA in a resource class, the exception isn't thrown even when the @RolesAllowed annotation is present.

The full glassfish stack trace in fine print can be found here http://pastebin.com/AUPKWaqe
Recommended answer

Here's some extra information, I followed the Jersey security guide below. https://jersey.java.net/documentation/latest/security.html#d0e10816

I used the ContainerRequestFilter to authenticate, here I'd set a custom implementation of SecurityContext if the authentication was successful which the rolesalloweddynamic feature would use along with the rolesallowed annotations to authorise access to a specific resource.

These three components allowed me to authenticate and authorise on an application level, not on a container level.

This worked great until my application was converted from a servlet to an EJB/servlet (I added a stateless ejb annotation to a jax-rs resource class). EJB uses the rolesallowed annotation to restrict access to its bean methods at a container level, therefore it conflicted with my application level authentication/authorisation.

I'm still searching for a comprehensive solution, even if it's disabling EJB level method security so I can leave it to the ContainerRequestFilter to authenticate and the rolesalloweddynamicfeature to authorise.
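The application-level setup the answer describes (a ContainerRequestFilter that installs a custom SecurityContext, which RolesAllowedDynamicFeature then consults for @RolesAllowed), as an added example that is not code from the question or the answer. The token table, the class names and the "resources" package are constructed assumptions; the caveat in the comments is the one the thread reports: once the resource class is also a @Stateless EJB, the EJB container evaluates @RolesAllowed against its own caller identity, not this SecurityContext, and rejects the call.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.*;
import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;
import org.glassfish.jersey.server.ResourceConfig;
import org.glassfish.jersey.server.filter.RolesAllowedDynamicFeature;

@Provider
@Priority(Priorities.AUTHENTICATION) // run before RolesAllowedDynamicFeature's AUTHORIZATION filter
public class AppAuthFilter implements ContainerRequestFilter {

    // Constructed sample credential store; a real deployment would validate against a user store.
    private static final Map<String, Set<String>> TOKEN_ROLES = new HashMap<>();
    static { TOKEN_ROLES.put("demo-token", Collections.singleton("myRole")); }

    @Override
    public void filter(ContainerRequestContext ctx) throws IOException {
        String header = ctx.getHeaderString("Authorization");
        Set<String> roles = (header != null && header.startsWith("Bearer "))
                ? TOKEN_ROLES.get(header.substring("Bearer ".length())) : null;
        if (roles == null) { // unknown or missing token: stop the request here
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
            return;
        }
        final Set<String> grantedRoles = roles;
        final boolean secure = ctx.getSecurityContext().isSecure();
        // RolesAllowedDynamicFeature calls isUserInRole() for each role in @RolesAllowed.
        // Note: this context is NOT seen by the EJB container; a @Stateless resource with
        // @RolesAllowed is still checked by the container (the AccessLocalException above).
        ctx.setSecurityContext(new SecurityContext() {
            public Principal getUserPrincipal() { return () -> "demo-user"; }
            public boolean isUserInRole(String role) { return grantedRoles.contains(role); }
            public boolean isSecure() { return secure; }
            public String getAuthenticationScheme() { return "Bearer"; }
        });
    }
}

// Jersey application config: resource package plus the two security components.
class AppConfig extends ResourceConfig {
    AppConfig() {
        packages("resources"); // assumed package of the generated *FacadeREST classes
        register(AppAuthFilter.class);
        register(RolesAllowedDynamicFeature.class);
    }
}
```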