JAX-WS web服务和@rolesAllowed [英] JAX-WS webservice and @rolesAllowed

问题描述

是否可以在JAX-WS webservice上使用 @RolesAllowed 批注，如果是这样？

我使用基本认证在glassfish 3.1.1上有web服务，但使用 @RolesAllowed 表示的限制将被忽略。角色信息应该是可用的，因为我可以像这样访问它：

  @Resource 
 WebServiceContext wsContext; 
 
 if（wsContext.isUserInRole（READ））
 log.info（Role：READ）; 
  

我得到预期的角色，但仍然可以访问所有方法，即使 @ RolesAllowed 被设置为不同的角色。 @DenyAll 不能正常工作。

如果不支持这些注释，是否可以使用部署描述符根据用户角色管理对web服务方法的访问权限？ oracle.com/javaee/6/tutorial/doc/bnbxj.html#bnbxu\">此部分的JAVA EE 6教程介绍了 @RolesAllowed 的用法。注解。它读取

对于Java EE组件，您使用@DeclareRoles和@RolesAllowed元数据注释来定义安全角色。

本教程的第一部分未将Web服务列为Java EE组件，因此看起来不支持安全注释。

Edit2
在伊丹的帖子后，我又试了一次。这是我做的：

  @Webservice 
 @DeclareRoles（value = {READ，UPDATE， $ DELETE}）
 public class ServiceImpl implements Service {
 @Override 
 @WebMethod（operationName =helloWorld）
 @RolesAllowed（{NONE}）
 public String helloWorld（）抛出Exception {
 returnHello World！; 
 
 
 
 
 $ b $ p 
 $ b 
使用这种设置，每个人都可以访问方法，无论设置什么角色。用户通过身份验证（可以在audit.log中看到）但未授权。如上所述，我可以从 WebServiceContext （我实际上使用此信息进行手动授权）访问角色。  
 
 
添加 @Stateless 注释，让我们使用安全注释。因此 @permitAll 按预期工作。但是使用角色仍然不起作用，因为用户现在不能进行身份验证。它们在审计日志中显示为 ANONYMOUS ，访问被拒绝。
 
 
 
我的 web.xml 看起来像这样： 
 
 
 <？xml version =1.0encoding = UTF-8\" >？; 
< web-app xmlns：xsi =http://www.w3.org/2001/XMLSchema-instancexmlns =http://java.sun.com/xml/ns/javaeexmlns ：web =http://java.sun.com/xml/ns/javaee/web-app_2_5.xsdxsi：schemaLocation =http://java.sun.com/xml/ns/javaee http：// java.sun.com/xml/ns/javaee/web-app_3_0.xsdversion =3.0> 
< display-name> OneMore< / display-name> 
 
< security-constraint> 
< display-name> WebServiceSecurity< / display-name> 
 
< web-resource-collection> 
< web-resource-name>仅限授权用户< / web-resource-name> 
< url-pattern> / service< / url-pattern> 
< http-method> POST< / http-method> 
< / web-resource-collection> 
 
< auth-constraint> 
<角色名称> READ< /角色名称> 
< role-name> UPDATE< / role-name> 
< role-name> DELETE< / role-name> 
< / auth-constraint> 
 
< / security-constraint> 
 
< login-config> 
< auth-method> BASIC< / auth-method> 
< / login-config> 
 
< security-role> 
<角色名称> READ< /角色名称> 
< / security-role> 
 
< security-role> 
< role-name> UPDATE< / role-name> 
< / security-role> 
 
< security-role> 
< role-name> DELETE< / role-name> 
< / security-role> 
< / web-app> 
  
  Glassfish-web.xml 名称到组名称，如下所示：
 < security-role-mapping> 
<角色名称> READ< /角色名称> 
< group-name> READ< / group-name> 
< / security-role-mapping> 
  
 编辑3  
感谢伊珊和无数次尝试最后得到它的工作。
 
 
 
如前所述，主要观点是通过添加 @Stateless 注释。这允许使用安全注释。
 
 
 
此更改还需要更改部署描述符。尽管原始Web服务需要 glassfish-web.xml 来设置角色，但是 glassfish-ejb-jar.xml 。    可能这是一个非常愚蠢的问题，但是您的web服务EJB是什么？正如 GlassFish和Java EE 5 SDK中的安全注释和授权中所述 
 
 
 
 
注释@PermitAll，@DenyAll和@RolesAllowed用于指定EJB业务方法的许可权
  blockquote> 
 
 
我将这些注释用于无状态EJB的自底向上WS，它们在JBoss中像一个魅力一样工作。
 
 
 
 
 
 
 编辑1  @TPete 
我会添加一些代码来向你展示我在做什么。  
 
 
  @Stateless 
 @WebService（）
 @WebContext（contextRoot = WSContextRoot.CTX_ROOT，
 authMethod = BASIC）
 @EndpointConfig（CONFIGNAME = 标准的WSSecurity端点）
 @SecurityDomain（值= myDeclaredDomain）
 @RolesAllowed（{ AUTHORIZED}）
 @SOAPBinding（style = SOAPBinding.Style.DOCUMENT）
 public class MyWS implements MyInterface {
 @Override 
 public void doSomething（）{
 // impl 
 } 
} 
  
至于界面
  @Remote 
 @WebService 
 public interface MyInterface {
 
 @WebMethod（operationName =doSomething）
 public void doSomething（）; 
} 
  
 WebContext，EndpointConfig和SecurityDomain是JBoss注释，但我想有类似的东西对于GlassFish，或者其等效的方式。安全域包含在jboss的部署描述符中，并在login-config.xml中由JBoss的配置文件定义。
 
 
 
 
 
 
 编辑2  @TPete 
 
 
 
我想你需要从Glassfish添加一些EJB部署描述符，一个 sun-ejb -jar.xml 文件包在您的EAR中。同样，从答复中发布的同一篇文章中，有一个使用部署描述符章节，它指出了 
 
 
 
 
对于使用 @RolesAllowed 的EJB Web服务端点，您需要指定要使用的认证类型，方法是指定 和   sun-ejb-jar.xml 中的元素。对于用户名密码认证，将元素设置为BASIC，如以下示例所示。这一步只对EJB Web服务端点是必需的，而对EJB来说则不需要。 ，我想你应该把这个描述符放在你的EAR中。快速浏览一下这篇文章，它很好地描述了你所遵循的过程： - ） 
Is it possible to use @RolesAllowed annotation on a JAX-WS webservice and if so how?

I have a webservice on glassfish 3.1.1 using Basic Authentication but restrictions expressed using @RolesAllowed are ignored. The role information should be available, as I can access it like this:
@Resource
WebServiceContext wsContext;

if (wsContext.isUserInRole("READ"))
log.info("Role: READ");
I get the expected role but still all methods are accessible, even if @RolesAllowed is set to different role. @DenyAll is not working as well.

If these annotations are not supported, is it possible to use deployment descriptors to manage access to webservice methods based on user roles?

Edit:
This part of the JAVA EE 6 tutorial describes the usage of @RolesAllowed annotation. It reads

  
For Java EE components, you define security roles using the @DeclareRoles and @RolesAllowed metadata annotations.
Web services are not listed as Java EE components in the first part of the tutorial, so it looks like the security annotations are not supported. 

Edit2
Following Izan's post, I gave this another try. Here is what I did:
@Webservice
@DeclareRoles(value = {"READ", "UPDATE", "DELETE"})
public class ServiceImpl implements Service {
  @Override
  @WebMethod(operationName = "helloWorld")
  @RolesAllowed({"NONE"})
  public String helloWorld() throws Exception {
     return "Hello World!";
  }
}
Using this kind of setup, everybody can access the method, no matter what roles are set. Users get authenticated (can see that in audit.log) but no authorization takes place. As stated above, I can access the role from WebServiceContext (I actually do manual authorization using this info). 

Adding @Stateless annotation, let's me use the security annotations. So @permitAll works as expected. But using roles still does not work, as user don't get authenticated now. They show up as ANONYMOUS in audit log and access is denied to them.

My web.xml looks like this:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" version="3.0">
 <display-name>OneMore</display-name>

 <security-constraint>  
    <display-name>WebServiceSecurity</display-name>  

    <web-resource-collection>  
      <web-resource-name>Authorized users only</web-resource-name>  
      <url-pattern>/service</url-pattern>  
      <http-method>POST</http-method>
    </web-resource-collection>  

    <auth-constraint>       
       <role-name>READ</role-name>
       <role-name>UPDATE</role-name>
       <role-name>DELETE</role-name>
    </auth-constraint>  

 </security-constraint>  

 <login-config>
    <auth-method>BASIC</auth-method>
 </login-config>

 <security-role>
    <role-name>READ</role-name>
 </security-role>

 <security-role>
    <role-name>UPDATE</role-name>
 </security-role>

 <security-role>
    <role-name>DELETE</role-name>
 </security-role>
</web-app>
Glassfish-web.xml just maps role names to group names, like this:
<security-role-mapping>
   <role-name>READ</role-name>
   <group-name>READ</group-name>
</security-role-mapping>
Edit 3
Thanks to Izan and countless tries later I finally got it working.

As said before, the main point was switching from a plain web service to an EJB web service by adding @Stateless annotation. This allows for using the security annotations.

This change required to change the deployment descriptors as well. While the original web service required a glassfish-web.xml for setting up the roles, a glassfish-ejb-jar.xml is required afterwards. 
解决方案
Maybe this is a pretty dumb question, but are your webservices EJBs? As noted in Security Annotations and Authorization in GlassFish and the Java EE 5 SDK

  
The annotations @PermitAll, @DenyAll and @RolesAllowed are defined for specifying permissions of EJB business method
I use those annotations with bottom-up WS from stateless EJBs and they work like a charm in JBoss.



EDIT 1 @TPete
I'll add some code to show you more or less what I'm doing. 
@Stateless
@WebService()
@WebContext(contextRoot = WSContextRoot.CTX_ROOT, 
    authMethod = "BASIC")
@EndpointConfig(configName = "Standard WSSecurity Endpoint")
@SecurityDomain(value = "myDeclaredDomain")
@RolesAllowed({ "AUTHORISED" })
@SOAPBinding(style = SOAPBinding.Style.DOCUMENT)
public class MyWS implements MyInterface {
    @Override
    public void doSomething(){
        //impl
    }
}
And as for the interface
@Remote
@WebService
public interface MyInterface {

    @WebMethod(operationName="doSomething")
    public void doSomething(); 
}
WebContext, EndpointConfig and SecurityDomain are JBoss annotation, but I suppose there is something similar for GlassFish, or an equivalent way of doing it. The security domain is included in a deployment descriptor for jboss, and defined in the login-config.xml from the configuration files of JBoss.



EDIT 2 @TPete 

I suppose you need to add some EJB deployment descriptors from Glassfish, a sun-ejb-jar.xml file package inside your EAR. Again, from the same article as posted in the answer, there is a Using Deployment Descriptors chapter that states

  
For EJB web service endpoints with @RolesAllowed, you need to specify the type of authentication to use by specifying the  and  elements in sun-ejb-jar.xml. For username-password authentication, set the  element to BASIC, as shown in the following example. This step is required only for EJB web service endpoints, and is not required for EJBs.
Since you are defining an EJB web service endpoint, I think you should put this descriptor in you EAR. Have a quick look at that article, it describes quite well the process you are following :-)

                        
这篇关于JAX-WS web服务和@rolesAllowed的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！