Client not authorized for this invocation JAX-RS EJB error


Problem description

I have been searching for a solution to this for a while, here goes...

I followed this tutorial to auto generate a jax-rs web service from a database: https://netbeans.org/kb/docs/websvc/rest.html

This works great, but when I try to secure the application by annotating the resource methods with @RolesAllowed("myRole"), I get this exception...

"WARNING: EJB5184:A system exception occurred during an invocation on EJB LicenceFacadeREST, method: public java.util.List resources.LicenceFacadeREST.findAll() WARNING: javax.ejb.AccessLocalException: Client not authorized for this invocation"

I have narrowed it down to the EJB JACC policy check failing. When I do not use EJB/JPA in a resource class, the exception isn't thrown even when the @RolesAllowed annotation is present.

The full glassfish stack trace in fine print can be found here http://pastebin.com/AUPKWaqe

Recommended answer

Here's some extra information, I followed the Jersey security guide below. https://jersey.java.net/documentation/latest/security.html#d0e10816

I used the ContainerRequestFilter to authenticate, here I'd set a custom implementation of SecurityContext if the authentication was successful which the rolesalloweddynamic feature would use along with the rolesallowed annotations to authorise access to a specific resource. These three components allowed me to authenticate and authorise on an application level, not on a container level.

This worked great until my application was converted from a servlet to an EJB/servlet (I added a stateless ejb annotation to a jax-rs resource class). EJB uses the rolesallowed annotation to restrict access to its bean methods at a container level, therefore it conflicted with my application level authentication/authorisation.

I'm still searching for a comprehensive solution, even if it's disabling EJB level method security so I can leave it to the ContainerRequestFilter to authenticate and the rolesalloweddynamicfeature to authorise.
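
The application-level setup described in the answer above, sketched as an added example that is not code from the original post: a `ContainerRequestFilter` installs a custom `SecurityContext`, and Jersey's `RolesAllowedDynamicFeature` checks `@RolesAllowed` against it. The class names `TokenAuthFilter` and `SecuredApp`, the `rolesFor` helper and the sample token are assumptions for illustration; the comments mark where the EJB container's own check diverges.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.Set;
import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;
import org.glassfish.jersey.server.ResourceConfig;
import org.glassfish.jersey.server.filter.RolesAllowedDynamicFeature;

// Added example. Application-level authentication: runs before authorization filters.
@Provider
@Priority(Priorities.AUTHENTICATION)
public class TokenAuthFilter implements ContainerRequestFilter {
    @Override
    public void filter(ContainerRequestContext ctx) {
        final Set<String> roles = rolesFor(ctx.getHeaderString("Authorization"));
        if (roles.isEmpty()) { // unknown caller: reject before any resource method runs
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
            return;
        }
        final boolean secure = ctx.getSecurityContext().isSecure();
        // Visible to JAX-RS only: RolesAllowedDynamicFeature calls isUserInRole() here.
        // The EJB container checks @RolesAllowed against its own caller identity instead.
        ctx.setSecurityContext(new SecurityContext() {
            @Override public Principal getUserPrincipal() { return () -> "sample-user"; }
            @Override public boolean isUserInRole(String role) { return roles.contains(role); }
            @Override public boolean isSecure() { return secure; }
            @Override public String getAuthenticationScheme() { return "Bearer"; }
        });
    }
    // Hypothetical lookup with a constructed sample credential; a real one would
    // validate the token against the application's user store.
    private static Set<String> rolesFor(String header) {
        return "Bearer constructed-sample-token".equals(header)
                ? Collections.singleton("myRole") : Collections.<String>emptySet();
    }
}
// Registers the filter and Jersey's @RolesAllowed enforcement for the "resources" package.
class SecuredApp extends ResourceConfig {
    SecuredApp() {
        packages("resources");
        register(TokenAuthFilter.class);
        register(RolesAllowedDynamicFeature.class);
    }
}
```

With a plain JAX-RS resource class this is the only `@RolesAllowed` check that runs. Once the same class is also a stateless EJB, the annotation is additionally evaluated by the container, which is the point at which the `AccessLocalException` from the question appears.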
