Why would Glassfish generate an incomplete granted.policy file?


Problem description

Version: GlassFish Server 3.1.2.2 (build 5)

I have an EAR project which contains a WAR and a single EAR.

In the META-INF folder of the EAR, I have a sun-application.xml file which maps a selection of roles to groups.

In the default file realm for Glassfish, I have configured users which map to these groups.

I am not using Default Role to Mapping and I have not activated the Security Manager.

Access works perfectly. This is further proven by removing the deployment descriptor, which causes an Authorization exception when trying to log in without it.

However, when trying to access a seemingly random (but consistent) selection of my EJBs, I am greeted with the infamous Glassfish "javax.ejb.AccessLocalException: Client not authorized for this invocation" exception.

I have tried to delete my generated Policy files and redeploy the server, but this does not work.

When I look into the Policy file for my EJB, straight away I notice that the afflicted EJB grants are missing.

It would appear that one or two roles per group as defined in the sun-application.xml file are being missed.

Why would Glassfish fail to generate a complete policy file from a (proven) working sun-application.xml and (proven) set of @RolesAllowed definitions?

Here's the deployment descriptor:

<!DOCTYPE sun-application PUBLIC "-//Sun Microsystems, Inc.//DTD 
GlassFish Application Server 3.0 Java EE Application 6.0//EN" 
"http://www.sun.com/software/appserver/dtds/sun-application_6_0-0.dtd">
<sun-application>



<security-role-mapping>
    <role-name>ViewAllData</role-name>
    <role-name>BasicUser</role-name>
    <group-name>BasicGroup</group-name>
</security-role-mapping>

<security-role-mapping>
    <role-name>DataSupervisor</role-name>
    <group-name>DatasetSupervisors</group-name>
</security-role-mapping>

<security-role-mapping>
    <role-name>FindData</role-name>
    <role-name>FindSubData</role-name>
    <group-name>DatasetUsers</group-name>
</security-role-mapping>

<security-role-mapping>
    <role-name>ManageData</role-name>
    <role-name>ManageSubData</role-name>
    <role-name>InvokeDataload</role-name>
    <group-name>DatasetManagers</group-name>
</security-role-mapping>


<security-role-mapping>
    <role-name>ResolveGroup1</role-name>
    <role-name>ResolveGroup2</role-name>
    <role-name>ResolveGroup3</role-name>
    <group-name>Decoders</group-name>
</security-role-mapping>
</sun-application>

For some reason, the roles ResolveGroup1 and ViewAllData are missing from the EJB granted.policy file, despite appearing in a couple of EJBs:

@RolesAllowed({"ResolveGroup1"})
@Stateless(mappedName = "ejb/FindGroupOneController")
@Local(FindRegistrationFragmentController.class)
@Interceptors(SpringBeanAutowiringInterceptor.class)
public class FindGroupOneControllerImpl implements FindGroupOneController{


@RolesAllowed({"ViewAllData"})
@Stateless(mappedName = "ejb/ViewDataController")
@Local(FindRegistrationFragmentController.class)
@Interceptors(SpringBeanAutowiringInterceptor.class)
public class ViewDataControllerImpl implements ViewDataController{

Solution

Unless someone can tell me otherwise, it looks like the reason I was having problems is because you may use only one <role-name> per <security-role-mapping>.
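
The check below is an added example, not code from the question or the answer: assuming the answer's conclusion that each <security-role-mapping> should carry a single <role-name>, it flags mappings that list several roles and rewrites the descriptor with one mapping per role. The function names and the trimmed sample descriptor are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: trimmed from the descriptor in the question (DOCTYPE omitted).
SAMPLE = """<sun-application>
  <security-role-mapping>
    <role-name>ViewAllData</role-name>
    <role-name>BasicUser</role-name>
    <group-name>BasicGroup</group-name>
  </security-role-mapping>
  <security-role-mapping>
    <role-name>DataSupervisor</role-name>
    <group-name>DatasetSupervisors</group-name>
  </security-role-mapping>
  <security-role-mapping>
    <role-name>ResolveGroup1</role-name>
    <role-name>ResolveGroup2</role-name>
    <group-name>Decoders</group-name>
  </security-role-mapping>
</sun-application>"""

def read_mappings(xml_text):
    """Return [(roles, [(tag, name), ...])] for every security-role-mapping."""
    out = []
    for m in ET.fromstring(xml_text).iter("security-role-mapping"):
        roles = [(r.text or "").strip() for r in m.findall("role-name")]
        subjects = [(c.tag, (c.text or "").strip()) for c in m
                    if c.tag in ("principal-name", "group-name")]
        out.append((roles, subjects))
    return out

def multi_role_mappings(xml_text):
    """Mappings listing more than one role-name, the pattern the answer blames."""
    return [(r, s) for r, s in read_mappings(xml_text) if len(r) > 1]

def split_per_role(xml_text):
    """Rewrite the descriptor with exactly one role-name per mapping."""
    root = ET.Element("sun-application")
    for roles, subjects in read_mappings(xml_text):
        for role in roles:
            m = ET.SubElement(root, "security-role-mapping")
            ET.SubElement(m, "role-name").text = role
            for tag, name in subjects:
                ET.SubElement(m, tag).text = name
    if hasattr(ET, "indent"):  # pretty-print on Python 3.9+
        ET.indent(root)
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print(multi_role_mappings(SAMPLE))
    print(split_per_role(SAMPLE))
```

Running such a check before deployment catches roles that would otherwise only surface as AccessLocalException at call time; the rewritten descriptor still needs the original DOCTYPE added back.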
