Java EE declarative security, Cannot load group for JDBC realm user


Question

It is my first post here. I would have two questions with regard to declarative Java EE security: (1) file-based authentication and (2) DB-based authentication. I enclosed the relevant parts of the configuration for both questions. I run the code on Glassfish 3.1.1. Thank you for your assistance also in advance.

I was also looking for answers to my questions and found some useful examples which I put also at the bottom of the message. I tried to follow them so the present state of the configuration can contain details from these samples but they did not solve the problem.

- File-based authentication works all right if the "default principal to role mapping" is ticked, otherwise it did not work even if a principal was added to the mapping. I might have configured something not in the right manner.

- DB-based authentication. It did not work as far as authorization is concerned because the group names could not be read. See details below. Authentication works all right, i.e. the user is recognised. I have even tried renaming the tables to avoid potential name collision with some internal stuff of Glassfish...

(1) File-based authentication: File realm, 2 users: user, admin added and assigned to the groups: user and admin (configurations/server-config/security/realms/file -> Manage Users)

configurations/server-config/security
Default Principal To Role Mapping "ticked" -> it works
Default Principal To Role Mapping "not ticked" -> it does not work even if the principal is added to the security mapping.

web.xml

[...]
    <security-constraint>
        <display-name>Admin Pages</display-name>
        <web-resource-collection>
            <web-resource-name>Protected Admin Area</web-resource-name>
            <description/>
            <url-pattern>/faces/admin/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>HEAD</http-method>
            <http-method>PUT</http-method>
            <http-method>OPTIONS</http-method>
            <http-method>TRACE</http-method>
            <http-method>DELETE</http-method>
        </web-resource-collection>
        <auth-constraint>
            <description/>
            <role-name>admin</role-name>
        </auth-constraint>
    </security-constraint>
    <security-constraint>
        <display-name>User Pages</display-name>
        <web-resource-collection>
            <web-resource-name>Protected Users Area</web-resource-name>
            <description/>
            <url-pattern>/faces/users/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>HEAD</http-method>
            <http-method>PUT</http-method>
            <http-method>OPTIONS</http-method>
            <http-method>TRACE</http-method>
            <http-method>DELETE</http-method>
        </web-resource-collection>
        <auth-constraint>
            <description/>
            <role-name>user</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>  
        <auth-method>FORM</auth-method>
        <realm-name>file</realm-name>
        <form-login-config>
            <form-login-page>/faces/loginForm.xhtml</form-login-page>
            <form-error-page>/faces/loginError.xhtml</form-error-page>
        </form-login-config>
    </login-config>

[...]

glassfish-web.xml:

<glassfish-web-app>
    <security-role-mapping>
        <role-name>admin</role-name>
        <group-name>admin</group-name>
    </security-role-mapping>
    <security-role-mapping>
        <role-name>user</role-name>
        <group-name>user</group-name>
    </security-role-mapping>  
</glassfish-web-app>

Logged errors without the default principal mapping:

  1. No Principals mapped to Role [user].
  2. No Principals mapped to Role [admin].

Log without the default principal mapping:
    <security-role-mapping>
        <role-name>admin</role-name>
        <group-name>admin</group-name>
        <principal-name>admin</principal-name>
    </security-role-mapping>
    <security-role-mapping>
        <role-name>user</role-name>
        <group-name>user</group-name>
        <principal-name>user</principal-name>
    </security-role-mapping> 

Logged errors without the default principal mapping:

  1. No Principals mapped to Role [user].
  2. No Principals mapped to Role [admin].

(2)基于数据库身份验证:

Realm: changed the above realm to jdbcRealm in web.xml.


  • 1) m-n (many-to-many relationship between the users and groups table)

    SEC1111, Cannot load group for JDBC realm user [tamas].

  • 2) same for 1-n (one-to-many relationship between the users and groups table)

    SEC1111, Cannot load group for JDBC realm user [tamas].

  • 3) group name in the same table as user name and password

    SEC1111, Cannot load group for JDBC realm user [tamas].

Realm configuration: (I also tried to leave "Assign Groups" blank or to fill in "default" but the result was the same.)

Image had to be omitted, summary:
JAAS context: jdbcRealm
JNDI: jdbc/securityDataSource
User Table: TBLUSERS
User Name Column: USERNAME
Password Column: PASSWORD
Group Table: TBLGROUPS
Group Name Column: GROUPNAME
Assign Groups: default
Digest Algorithm: none 

DB ER diagram of the m-n relationship:

Image had to be omitted but as compensation :-) you find the SQL script below.

SQL Script:
SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0;
SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0;
SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='TRADITIONAL';

CREATE SCHEMA IF NOT EXISTS `jdbcrealm` ;
USE `jdbcrealm` ;

-- -----------------------------------------------------
-- Table `jdbcrealm`.`TBLUSERS`
-- -----------------------------------------------------
DROP TABLE IF EXISTS `jdbcrealm`.`TBLUSERS` ;
CREATE  TABLE IF NOT EXISTS `jdbcrealm`.`TBLUSERS` (
  `USERID` INT NOT NULL AUTO_INCREMENT ,
  `USERNAME` VARCHAR(30) NOT NULL ,
  `PASSWORD` VARCHAR(45) NOT NULL ,
  UNIQUE INDEX `USERNAME_UNIQUE` (`USERNAME` ASC) ,
  PRIMARY KEY (`USERID`) )

ENGINE = InnoDB;

-- -----------------------------------------------------
-- Table `jdbcrealm`.`TBLGROUPS`
-- -----------------------------------------------------
DROP TABLE IF EXISTS `jdbcrealm`.`TBLGROUPS` ;
CREATE  TABLE IF NOT EXISTS `jdbcrealm`.`TBLGROUPS` (
  `GROUPID` INT NOT NULL AUTO_INCREMENT ,
  `GROUPNAME` VARCHAR(30) NOT NULL ,
  PRIMARY KEY (`GROUPID`) )

ENGINE = InnoDB;

-- -----------------------------------------------------
-- Table `jdbcrealm`.`USERS_GROUPS`
-- -----------------------------------------------------
DROP TABLE IF EXISTS `jdbcrealm`.`USERS_GROUPS` ;
CREATE  TABLE IF NOT EXISTS `jdbcrealm`.`USERS_GROUPS` (
  `USER_USERID` INT NOT NULL ,
  `GROUP_GROUPID` INT NOT NULL ,
  PRIMARY KEY (`USER_USERID`, `GROUP_GROUPID`) ,

  INDEX `fk_USER_has_GROUP_GROUP1` (`GROUP_GROUPID` ASC) ,
  INDEX `fk_USER_has_GROUP_USER` (`USER_USERID` ASC) ,
  CONSTRAINT `fk_USER_has_GROUP_USER`
    FOREIGN KEY (`USER_USERID` )
    REFERENCES `jdbcrealm`.`TBLUSERS` (`USERID` )
    ON DELETE NO ACTION
    ON UPDATE NO ACTION,
  CONSTRAINT `fk_USER_has_GROUP_GROUP1`
    FOREIGN KEY (`GROUP_GROUPID` )
    REFERENCES `jdbcrealm`.`TBLGROUPS` (`GROUPID` )
    ON DELETE NO ACTION
    ON UPDATE NO ACTION)

ENGINE = InnoDB;

SET SQL_MODE=@OLD_SQL_MODE;
SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS;
SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS;

I copy here some interesting, googled links on the topic which were helpful to me. Originally, I followed the second one. Maybe other people will also find them useful.

Thank you for reading so far. Best wishes,

Tamas

Part 2

Thank you for the responses. I created 2 new tables user and group with a one-to-many relationship. On the realm config page I set the table names and the columns for the username, pwd, and groups. Matt's comment is also in line with the link (see below; I cannot post it here):


[...] Interesting part here is that for user table and group table I used v_user_role as the value for the property. v_user_role is a database view that contains both user and group information. The reason I didn't use the users table directly is because glassfish assumes that both the user table and the group table contain a column containing the user name and that would result in duplicate data. [...]

-- -----------------------------------------------------
-- Table `jdbcrealm`.`user`
-- -----------------------------------------------------
DROP TABLE IF EXISTS `jdbcrealm`.`user` ;
CREATE  TABLE IF NOT EXISTS `jdbcrealm`.`user` (
  `userid` VARCHAR(30) NOT NULL ,
  `password` VARCHAR(45) NOT NULL ,
  PRIMARY KEY (`userid`) )
ENGINE = InnoDB;

-- -----------------------------------------------------
-- Table `jdbcrealm`.`group`
-- -----------------------------------------------------
DROP TABLE IF EXISTS `jdbcrealm`.`group` ;
CREATE  TABLE IF NOT EXISTS `jdbcrealm`.`group` (
  `groupid` VARCHAR(30) NOT NULL ,
  `userid` VARCHAR(30) NOT NULL ,
  INDEX `fk_group_user1` (`userid` ASC) ,
  CONSTRAINT `fk_group_user1`
    FOREIGN KEY (`userid` )
    REFERENCES `jdbcrealm`.`user` (`userid` )
    ON DELETE NO ACTION
    ON UPDATE NO ACTION)
ENGINE = InnoDB;

The same error emerges. I attempted also in a way that I put a primary key on the column groupid in the group table but I experienced no change from point of view of the question. It is also interesting that I tried to do the same with 1 table in which usernames, pwds, groups are located and the same error comes.

Search for a solution, and the solution

The comments from Matt helped a lot, thanks for these great posts. In summary, at the beginning when I wrote the question relating to the DB-based authentication, it was clear that the user groups could not be loaded. This was indicated by the error message in the server.log.

However, my suspicion turned towards the links between the tables and their column names. Nevertheless, after simplifying the data model for user-group entities, I could not explain why it did not work even with a simple table containing user, pwd and group. I continued the investigation in this direction. I assumed that column names can also influence this. When I applied Matt's configuration the "cannot load groups" message disappeared from the server.log but the phenomenon remained the same. Therefore I assumed that the groups could already be loaded but there was also a different problem. I then took Matt's config and started to change the column names back step-by-step to approach the original config, but the "cannot load groups" message did not appear in the log. When I reproduced the case with my original settings and the log message was not there, I knew that something was wrong with the logging; it had somehow been switched off. So I started investigating the whole configuration.

When I had a look at the deployed application, I selected the deployment descriptors and loaded them over the glassfish console. web.xml was all right, it had the same content I wrote, but glassfish-web.xml had a completely different content! It was generated as if I had had no glassfish-web.xml. Then I noticed that my glassfish-web.xml was not placed in the WEB-INF directory. I moved it there, made a "clean all, build" and deployed the application. Afterwards I came back to the db view which represents the data between TBLUSERS and TBLGROUPS in a many-to-many relationship. I like this solution the most as it shows the clearest picture from the point of view of the data. I set the appropriate columns on the realm config page. I tested it with two users "tamas" and "arpi". "tamas" was added to the user and admin groups while "arpi" was added to the user group. The mapping between the roles and the user groups is in the glassfish-web.xml. Access was given to "tamas" to both user and admin resources while "arpi" received access only to the user resources.

Thank you for the help. Tamas
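The view-based setup the asker ends up with, written out as an added example (not code from the original post or from Matt's link): it assumes the TBLUSERS/TBLGROUPS/USERS_GROUPS schema from the SQL script above, the sample rows are constructed, and the shape of the group-lookup query is an assumption about how the realm reads the group table that is consistent with what the post reports (both tables are expected to carry a column with the user name).

```sql
USE `jdbcrealm`;

-- Constructed sample data (not from the original post): two users, two groups,
-- "tamas" in admin and user, "arpi" in user only.
INSERT INTO `TBLUSERS` (`USERNAME`, `PASSWORD`)
VALUES ('tamas', 'secret-placeholder-1'), ('arpi', 'secret-placeholder-2');
INSERT INTO `TBLGROUPS` (`GROUPNAME`) VALUES ('admin'), ('user');
INSERT INTO `USERS_GROUPS` (`USER_USERID`, `GROUP_GROUPID`)
SELECT u.`USERID`, g.`GROUPID`
  FROM `TBLUSERS` u JOIN `TBLGROUPS` g
 WHERE (u.`USERNAME`, g.`GROUPNAME`)
       IN (('tamas', 'admin'), ('tamas', 'user'), ('arpi', 'user'));

-- View that flattens the m-n relationship into one row per (user, group).
-- The point is that USERNAME now exists under the same name in what the
-- realm sees as the user table AND the group table, which the original
-- TBLGROUPS (GROUPID, GROUPNAME only) could not provide.
CREATE OR REPLACE VIEW `v_user_role` AS
SELECT u.`USERNAME`, u.`PASSWORD`, g.`GROUPNAME`
  FROM `TBLUSERS` u
  JOIN `USERS_GROUPS` ug ON ug.`USER_USERID` = u.`USERID`
  JOIN `TBLGROUPS`    g  ON g.`GROUPID`      = ug.`GROUP_GROUPID`;

-- Realm settings then read: User Table = v_user_role, Group Table = v_user_role,
-- User Name Column = USERNAME, Password Column = PASSWORD,
-- Group Name Column = GROUPNAME.

-- Assumed shape of the realm's group lookup: the group-name column of the
-- group table filtered by the user-name column. Against TBLGROUPS this has
-- no USERNAME column to filter on (the SEC1111 situation); against the view
-- it yields one row per group the user belongs to.
SELECT `GROUPNAME` FROM `v_user_role` WHERE `USERNAME` = 'tamas';
SELECT `GROUPNAME` FROM `v_user_role` WHERE `USERNAME` = 'arpi';
```

The realm summary above shows "Digest Algorithm: none", which means PASSWORD is compared and stored in cleartext; for anything beyond a local test, pick a digest algorithm in the realm configuration so the column holds hashes.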

Recommended answer

At first glance I would look at your table column names.

From my own experience I memorized that the user column in the user table needs to have exactly the same name as the user column in the USER_GROUPS table. The matching is done by column names.

So your USER_GROUPS table needs a column USERNAME that matches the user names from the TBLUSERS table.

Note that you have to change your table relations for this.

There can be a dozen other reasons but you can give it a try.

Here is my local configuration:

CREATE TABLE `user` (
  `LOGIN` varchar(32) NOT NULL,
  `password` varchar(256) DEFAULT NULL,
  PRIMARY KEY (`LOGIN`)
)

CREATE TABLE `group` (
  `IDGROUP` int(11) NOT NULL AUTO_INCREMENT,
  `name` varchar(45) DEFAULT NULL,
  PRIMARY KEY (`IDGROUP`)
)

CREATE TABLE `group_has_user` (
  `IDGROUP` int(11) NOT NULL,
  `LOGIN` varchar(32) NOT NULL,
  PRIMARY KEY (`IDGROUP`,`LOGIN`),
  KEY `fk_group_has_user_user1` (`LOGIN`),
  CONSTRAINT `fk_group_has_user_user1` FOREIGN KEY (`LOGIN`) 
     REFERENCES `user` (`LOGIN`) 
     ON DELETE NO ACTION ON UPDATE NO ACTION,
  CONSTRAINT `fk_group_has_user_group1` FOREIGN KEY (`IDGROUP`) 
     REFERENCES `group` (`IDGROUP`) 
     ON DELETE NO ACTION ON UPDATE NO ACTION
)

with the following settings in GF admin console:

Here is my security-role mapping from sun-web.xml (now glassfish-web.xml):

<security-role-mapping>
    <role-name>user</role-name>
    <group-name>1</group-name>
</security-role-mapping>
<security-role-mapping>
    <role-name>sponsor</role-name>
    <group-name>2</group-name>
</security-role-mapping>
<security-role-mapping>
    <role-name>admin</role-name>
    <group-name>3</group-name>
</security-role-mapping>

And I have defined the following security-roles in web.xml directly below login-config:

<security-role>
   <description/>
   <role-name>user</role-name>
</security-role>
<security-role>
   <description/>
   <role-name>sponsor</role-name>
</security-role>
<security-role>
   <description/>
   <role-name>admin</role-name>
</security-role>
