我正在使用GlassFish服务器4.0,我已将不同的权限/角色分配给不同的用户。如何让每个用户根据其在JAAS中的权限/角色在特定位置访问资源?
用户可能拥有多个权限/角色。例如,管理员用户可能与ROLE_ADMIN
(执行管理任务)和ROLE_USER
(作为注册用户执行任务)相关联。
在我的web.xml
中,配置如下。
<security-constraint>
<display-name>AdminConstraint</display-name>
<web-resource-collection>
<web-resource-name>ROLE_ADMIN</web-resource-name>
<description/>
<url-pattern>/admin_side/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<description/>
<role-name>ROLE_ADMIN</role-name>
</auth-constraint>
<user-data-constraint>
<description/>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-constraint>
<display-name>UserConstraint</display-name>
<web-resource-collection>
<web-resource-name>ROLE_USER</web-resource-name>
<description/>
<url-pattern>/user_side/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<description/>
<role-name>ROLE_USER</role-name>
</auth-constraint>
<user-data-constraint>
<description/>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<!--<auth-method>DIGEST</auth-method>-->
<auth-method>FORM</auth-method>
<realm-name>projectRealm</realm-name>
<form-login-config>
<form-login-page>/utility/Login.jsf</form-login-page>
<form-error-page>/utility/ErrorPage.jsf</form-error-page>
</form-login-config>
</login-config>
<security-role>
<description/>
<role-name>ROLE_ADMIN</role-name>
</security-role>
<security-role>
<description/>
<role-name>ROLE_USER</role-name>
</security-role>
这工作得很好。
有两个URL模式/admin_side/*
和/user_side/*
。管理员有两个角色ROLE_ADMIN
和ROLE_USER
。
当管理员使用权限ROLE_USER
登录时,只有位于/user_side/*
中的资源应该被访问。位于/admin_side/*
的资源应该被禁止访问,因为管理员以注册用户身份登录,而不是以管理员身份登录。
到现在为止我的情况是,当管理员使用任何权限登录时,两个位置的资源都可以被访问,这是完全非法的。这是因为系统能够为该特定用户找到两个权威机构。
如何让每个用户根据其权限/角色访问特定位置的资源?
认证过滤器:
@WebFilter(filterName = "SecurityCheck", urlPatterns = {"/jass/*"})
public final class SecurityCheck implements Filter
{
private FilterConfig filterConfig = null;
@Resource(mappedName="jms/destinationFactory")
private ConnectionFactory connectionFactory;
@Resource(mappedName="jms/destination")
private Queue queue;
@EJB
private final UserBeanLocal userService=null;
public SecurityCheck() {}
private void sendJMSMessageToDestination(String message) throws JMSException
{
Connection connection = null;
Session session = null;
try
{
connection = connectionFactory.createConnection();
session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
MessageProducer messageProducer = session.createProducer(queue);
TextMessage textMessage = session.createTextMessage();
textMessage.setText(message);
messageProducer.send(textMessage);
}
finally
{
if(session!=null){session.close();}
if(connection!=null){connection.close();}
}
}
private void doBeforeProcessing(ServletRequest request, ServletResponse response) throws IOException, ServletException
{
HttpServletRequest httpServletRequest=(HttpServletRequest)request;
httpServletRequest.login(httpServletRequest.getParameter("userName"), httpServletRequest.getParameter("password"));
}
private void doAfterProcessing(ServletRequest request, ServletResponse response) throws IOException, ServletException, JMSException
{
HttpServletRequest httpServletRequest=(HttpServletRequest)request;
HttpServletResponse httpServletResponse=(HttpServletResponse)response;
ExternalContext externalContext = FacesContext.getCurrentInstance().getExternalContext();
Map<String, Object> sessionMap = externalContext.getSessionMap();
if(httpServletRequest.isUserInRole("ROLE_USER"))
{
sendJMSMessageToDestination(httpServletRequest.getLocalName());
UserTable userTable = userService.setLastLogin(httpServletRequest.getParameter("userName"));
userTable.setPassword(null);
sessionMap.put("userName", userTable!=null?userTable.getFirstName():"Unknown");
sessionMap.put("user", userTable);
httpServletResponse.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
httpServletResponse.setHeader("Pragma", "no-cache");
httpServletResponse.setDateHeader("Expires", 0);
httpServletResponse.sendRedirect("../user_side/Home.jsf");
}
else if(httpServletRequest.isUserInRole("ROLE_ADMIN"))
{
sendJMSMessageToDestination(httpServletRequest.getLocalName());
UserTable userTable = userService.setLastLogin(httpServletRequest.getParameter("userName"));
userTable.setPassword(null);
sessionMap.put("adminName", userTable!=null?userTable.getFirstName():"Unknown");
sessionMap.put("user", userTable);
httpServletResponse.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
httpServletResponse.setHeader("Pragma", "no-cache");
httpServletResponse.setDateHeader("Expires", 0);
httpServletResponse.sendRedirect("../admin_side/Home.jsf");
}
}
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException
{
try
{
doBeforeProcessing(request, response);
}
catch (Exception e)
{
HttpServletResponse httpServletResponse=(HttpServletResponse)response;
//FacesContext.getCurrentInstance().addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR, "Error", "Incorrect user name and/or password. Access denied."));
httpServletResponse.sendRedirect("../utility/Login.jsf");
return;
}
chain.doFilter(request, response);
try
{
doAfterProcessing(request, response);
}
catch (JMSException ex)
{
Logger.getLogger(SecurityCheck.class.getName()).log(Level.SEVERE, null, ex);
}
}
//The rest of the filter.
}
如果你需要看其他的东西在我的应用程序的话,请让我知道。
你到底是如何以注册用户身份登录管理员的?如果一个特定的用户有多个角色,那么实际上没有办法只使用其中的一个登录。所以整个问题很混乱。 – BalusC
这是一个验证用户身份的过滤器。过滤器映射到URL模式 - '/ jass/*'(错误地键入,应该是'/ jaas/*')。它指示一个目录,其中只有一个页面 - 调用JSF页面上的登录按钮时(通过其相应的JSF托管bean)调度请求的'temp.jsp'。有没有办法一次作为管理员登录和一次使用相同的ID /密码的用户登录?我也觉得如此,但认为容器可能支持一些机制来做到这一点。我看了一些教程,但一无所知。 – Tiny