
Simple TAI (TrustAssociationInterceptor), WebSphere AS

Stack Overflow user
Asked 2015-05-12 00:55:15
Answers: 1, Views: 538, Followers: 0, Votes: 0

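Trying to implement a simple TAI. Created a TAI class that, without using the UserRegistry, sets the login "user1" and a "user group" list for every user. Added a role-to-group mapping ("user-group" => "user-role") in my ear file. Added a security constraint for my war: allow access to the resource for users having the role "user role". After trying to access the page I got a 403 error: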

[11.05.15 19:43:27:444 MSK] 0000007c WebCollaborat A   SECJ0129E: ... user2:defaultWIMFileBasedRealm ... default_host:/war/page.html, Authorization failed, Not granted any of the required roles: user-role 

What am I doing wrong? I am using 8.5.5.

My TAI implementation:

package ru.test.tai;

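import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import java.util.Properties;

import javax.security.auth.Subject;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.ibm.websphere.security.WebTrustAssociationException;
import com.ibm.websphere.security.WebTrustAssociationFailedException;
import com.ibm.wsspi.security.tai.TAIResult;
import com.ibm.wsspi.security.tai.TrustAssociationInterceptor;
import com.ibm.wsspi.security.token.AttributeNameConstants;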

public class SimpleTAI implements TrustAssociationInterceptor {
    public SimpleTAI() {
        super();
    }

    public boolean isTargetInterceptor(HttpServletRequest req)
            throws WebTrustAssociationException {
        System.out.println("isTargetInterceptor called");
        if (req.getRequestURI().matches(".*war.*")) {
            System.out.println("true");
            return true;
        } else {
            System.out.println("false");
            return false;
        }
    }

    public TAIResult negotiateValidateandEstablishTrust(HttpServletRequest req,
            HttpServletResponse resp) throws WebTrustAssociationFailedException {

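        // Test stub: asserts the same fixed identity and group for every
        // intercepted request, without inspecting the request at all.
        String userid = "user2";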
        String uniqueid = "user2";
        List<String> groups = new ArrayList<String>();
        groups.add("user-group");
        String key = "user1Key";
        Subject subject = createSubject(userid, uniqueid, groups, key);
        return TAIResult.create(HttpServletResponse.SC_OK, "notused", subject);
    }

    public int initialize(Properties arg0)
            throws WebTrustAssociationFailedException {
        return 0;
    }

    public String getVersion() {
        return "1.0";
    }

    public String getType() {
        return this.getClass().getName();
    }

    public void cleanup() {
    }

    private Subject createSubject(String userid, String uniqueid, List<String> groups,
            String key) {
        Subject subject = new Subject();
        Hashtable<String, Object> hashtable = new Hashtable<String, Object>();
        hashtable.put(AttributeNameConstants.WSCREDENTIAL_UNIQUEID, uniqueid);
        hashtable.put(AttributeNameConstants.WSCREDENTIAL_SECURITYNAME, userid);
        hashtable.put(AttributeNameConstants.WSCREDENTIAL_GROUPS, groups);
        System.out.println("Subject cache key is " + key);
        hashtable.put(AttributeNameConstants.WSCREDENTIAL_CACHE_KEY, key);
        subject.getPublicCredentials().add(hashtable);

        return subject;
    }
}

ibm-application-bnd.xml:

<?xml version="1.0" encoding="UTF-8"?>
<application-bnd xmlns="http://websphere.ibm.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://websphere.ibm.com/xml/ns/javaee
         http://websphere.ibm.com/xml/ns/javaee/ibm-application-bnd_1_0.xsd"
    version="1.0">

    <security-role name="user-role">
        <group name="user-group" />
    </security-role>
</application-bnd>
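
1 Answer

Stack Overflow user

Posted 2015-05-12 16:36:31

If you are using groups that do not exist in the registry, you have to add an access-id in ibm-application-bnd.xml like this (the example shows a user and a group):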

<security-role name="user-role">
   <user name="test" access-id="user:defaultWIMFileBasedRealm/test"/>
   <group name="user-group" access-id="group:defaultWIMFileBasedRealm/user-group"/>
</security-role>

The realm should match your currently configured user registry.

Votes: 0

Original page content provided by Stack Overflow. Translation support provided by the Tencent Cloud Xiaowei IT-domain engine.
Original link:
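
A way to check a binding file for the condition the answer describes, as an added example (not part of the original post, and not WebSphere code): it reports every user or group mapping in an ibm-application-bnd.xml that lacks an access-id of the form shown in the answer, or whose access-id names a realm other than the expected one. It assumes every mapped principal is asserted by the TAI rather than found in the registry; the function name `check_bindings`, the sample document and the realm `otherRealm` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"bnd": "http://websphere.ibm.com/xml/ns/javaee"}

# Constructed sample: the question's binding (group without access-id) plus
# a user entry whose access-id names a different, made-up realm.
SAMPLE_BND = """<?xml version="1.0" encoding="UTF-8"?>
<application-bnd xmlns="http://websphere.ibm.com/xml/ns/javaee" version="1.0">
    <security-role name="user-role">
        <group name="user-group" />
        <user name="test" access-id="user:otherRealm/test" />
    </security-role>
</application-bnd>
"""


def check_bindings(xml_text, expected_realm):
    """Return (role, kind, name, problem) for each user/group mapping whose
    access-id is missing, is not of the form kind:realm/name, or names a
    realm other than expected_realm."""
    findings = []
    root = ET.fromstring(xml_text)
    for role in root.findall("bnd:security-role", NS):
        for kind in ("user", "group"):
            for entry in role.findall("bnd:" + kind, NS):
                access_id = entry.get("access-id")
                if access_id is None:
                    problem = "missing access-id"
                else:
                    prefix, sep, rest = access_id.partition(":")
                    realm, slash, unique = rest.partition("/")
                    if prefix != kind or not sep or not slash or not unique:
                        problem = "malformed access-id"
                    elif realm != expected_realm:
                        problem = "realm mismatch: " + realm
                    else:
                        continue  # well-formed and in the expected realm
                findings.append((role.get("name"), kind, entry.get("name"), problem))
    return findings
```

Run against the question's binding with the realm from the SECJ0129E log line (`defaultWIMFileBasedRealm`), the `user-group` mapping is reported as missing its access-id.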

https://stackoverflow.com/questions/30173395
