雅加达EE 8安全>野蝇26 -角色未设置
雅加达EE 8安全>野蝇26 -角色未设置
提问于 2022-04-14 11:32:17
我试图使用Jakarta 8 Security设置一个简单的JSF登录,我已经将登录页面实现为一个自定义表单,如下所示:
@ApplicationScoped
@CustomFormAuthenticationMechanismDefinition(
loginToContinue = @LoginToContinue(
loginPage = "/user-login.xhtml",
useForwardToLogin = false,
errorPage = ""
)
)
@FacesConfig(version = FacesConfig.Version.JSF_2_3)
public class UserLoginConfig{
}用户区域使用以下servlet进行保护,并定义了单个角色“user”:
@WebServlet("/user/*")
@DeclareRoles({"user"})
@ServletSecurity(@HttpConstraint(rolesAllowed = "user"))
public class UserLoginServlet extends HttpServlet {
/**
*
*/
private static final long serialVersionUID = 1L;
}简单的JSF表单提交给LoginBacking bean
@Named
@ViewScoped
public class LoginBean implements Serializable {
/**
*
*/
private static final long serialVersionUID = 1L;
private String password;
private String email;
@Inject private SecurityContext securityContext;
@Inject private Logger log;
public void login() throws IOException {
ExternalContext externalContext = Faces.getExternalContext();
AuthenticationStatus status = securityContext.authenticate(
(HttpServletRequest) externalContext.getRequest(),
(HttpServletResponse) externalContext.getResponse(),
AuthenticationParameters.withParams()
.credential(new UsernamePasswordCredential(email, password))
);
switch (status) {
case SEND_CONTINUE:
Faces.getContext().responseComplete();
break;
case SEND_FAILURE:
Faces.getContext().addMessage(null,
new FacesMessage(FacesMessage.SEVERITY_ERROR, "Login failed", null));
break;
case SUCCESS:
Faces.getContext().addMessage(null,
new FacesMessage(FacesMessage.SEVERITY_INFO, "Login succeed", null));
externalContext.redirect(externalContext.getRequestContextPath() + "/user/home.xhtml");
break;
case NOT_DONE:
}
}
public String getPassword() {
return password;
}
public void setPassword(String password) {
this.password = password;
}
public String getEmail() {
return email;
}
public void setEmail(String email) {
this.email = email;
}
}支持bean触发在自定义ItentityStore中实现的身份验证方法。
@ApplicationScoped
public class MyIdentityStore implements IdentityStore {
@Inject private UserDAOQueries userDAOQueries;
@Inject private PasswordEncryptorEntities passwordEncryptor;
@Override
public int priority() {
return 90;
}
@Override
public Set<ValidationType> validationTypes() {
return EnumSet.of(ValidationType.VALIDATE);
}
@Override
public CredentialValidationResult validate(Credential credential) {
UsernamePasswordCredential login = (UsernamePasswordCredential) credential;
User user = userDAOQueries.findNonDeletedByEmail(login.getCaller());
if (user!=null) {
if(passwordEncryptor.isPasswordCorrect(login.getPasswordAsString(), user.getPassword())){
Set<String> roles = new HashSet<String>();
roles.add("user");
return new CredentialValidationResult(login.getCaller(), roles);
}else {
return CredentialValidationResult.INVALID_RESULT;
}
} else {
return CredentialValidationResult.NOT_VALIDATED_RESULT;
}
}
@Override
public Set<String> getCallerGroups(CredentialValidationResult validationResult) {
Set<String> roles = new HashSet<String>();
if(validationResult.getStatus().equals(Status.VALID)) {
roles.add("user");
}
return roles;
}
}这一切正常,用户被成功地转发到/ user / from . works页面,但是我从服务器得到了403个禁止的响应。查看org.wildfly.security跟踪,我可以看到在身份验证之后“用户”角色没有传递给容器(或者它们没有被正确地映射)。
11:47:16,055 TRACE [org.wildfly.security] (default task-4) Handling CallerPrincipalCallback
11:47:16,055 TRACE [org.wildfly.security] (default task-4) Original Principal = 'javax.security.enterprise.CallerPrincipal@317242d5', Caller Name = 'null', Resulting Principal = 'javax.security.enterprise.CallerPrincipal@317242d5'
11:47:16,056 TRACE [org.wildfly.security] (default task-4) Role mapping: principal [javax.security.enterprise.CallerPrincipal@317242d5] -> decoded roles [] -> domain decoded roles [] -> realm mapped roles [] -> domain mapped roles []
11:47:16,057 INFO [io.undertow.accesslog] (default task-4) [14/Apr/2022:11:47:16 +0100] "POST /user-login.xhtml HTTP/1.1" 302 - - https HTTP/1.1
11:47:16,057 TRACE [org.wildfly.security.http.servlet] (default task-4) ServerAuthContext.validateRequest returned AuthStatus=AuthStatus.SEND_CONTINUE
11:47:16,065 TRACE [org.wildfly.security.http.servlet] (default task-4) Created ServletSecurityContextImpl enableJapi=true, integratedJaspi=false, applicationContext=my-webapp
11:47:16,065 TRACE [org.wildfly.security] (default task-4) Handling CallerPrincipalCallback
11:47:16,065 TRACE [org.wildfly.security] (default task-4) Original Principal = 'javax.security.enterprise.CallerPrincipal@317242d5', Caller Name = 'null', Resulting Principal = 'javax.security.enterprise.CallerPrincipal@317242d5'
11:47:16,066 TRACE [org.wildfly.security] (default task-4) Role mapping: principal [javax.security.enterprise.CallerPrincipal@317242d5] -> decoded roles [] -> domain decoded roles [] -> realm mapped roles [] -> domain mapped roles []
11:47:16,066 TRACE [org.wildfly.security.http.servlet] (default task-4) ServerAuthContext.validateRequest returned AuthStatus=AuthStatus.SUCCESS
11:47:16,066 TRACE [org.wildfly.security] (default task-4) No roles request of CallbackHandler.
11:47:16,066 TRACE [org.wildfly.security.http.servlet] (default task-4) Storing SecurityIdentity in HttpSession
11:47:16,066 TRACE [org.wildfly.security] (default task-4) Role mapping: principal [javax.security.enterprise.CallerPrincipal@317242d5] -> decoded roles [] -> domain decoded roles [] -> realm mapped roles [] -> domain mapped roles []
11:47:16,068 TRACE [org.wildfly.security] (default task-4) Role mapping: principal [javax.security.enterprise.CallerPrincipal@317242d5] -> decoded roles [] -> domain decoded roles [] -> realm mapped roles [] -> domain mapped roles []
11:47:16,068 TRACE [org.wildfly.security] (default task-4) Permission mapping: identity [javax.security.enterprise.CallerPrincipal@317242d5] with roles [] implies ("javax.security.jacc.WebResourcePermission" "/user/home.xhtml" "GET") = false
11:47:16,069 INFO [io.undertow.accesslog] (default task-4) [14/Apr/2022:11:47:16 +0100] "GET /user/home.xhtml HTTP/1.1" 403 68 - https HTTP/1.1我怀疑我在elytron子系统中缺少一些配置,我在jboss-web.xml中定义了一个自定义安全域jboss-web.xml。
在下面的配置中,我有一个应用程序安全域定义为:
<application-security-domain name="other" security-domain="ApplicationDomain" enable-jaspi="true" integrated-jaspi="false"/>在Elytron中,我将ApplicationDomain配置如下:
<security-domain name="ApplicationDomain" default-realm="ApplicationRealm" permission-mapper="default-permission-mapper">
<realm name="ApplicationRealm" role-decoder="groups-to-roles"/>
<realm name="local"/>
</security-domain>使用默认权限映射器,如下所示:
<simple-permission-mapper name="default-permission-mapper">
<permission-mapping>
<role name="user"/>
<permission class-name="org.wildfly.security.auth.permission.LoginPermission"/>
</permission-mapping>
</simple-permission-mapper>我也尝试过使用from-roles-attribute角色解码器,但这似乎行不通。
实际上,我只是想告诉Wildfly用户已经登录并分配了“x”角色.
回答 2
Stack Overflow用户
回答已采纳
发布于 2022-04-20 15:55:29
好的,如果有人在寻找答案,如果您使用的是带有自定义@CustomFormAuthenticationMechanismDefinition的自定义IdentityStore,则需要实现两个IdentityStore,一个覆盖验证方法(如我前面所示的方法),另一个通过重写getCallerGroups方法和设置ValidationType.PROVIDE_GROUPS....then来分配角色/组--角色被分配给主体,这是很好的
更新:不需要2个标识存储,只是根本不覆盖ValidationType,两者都可以。
Stack Overflow用户
发布于 2022-04-15 22:09:30
也许您缺少EJB3子系统的配置,以便将安全域名映射到Elytron域?
/subsystem=ejb3/application-security-domain=other:add(security-domain=ApplicationDomain)
页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/71870956
复制相关文章
相似问题
腾讯云开发者
Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有
深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 
粤公网安备44030502008569号
腾讯云计算(北京)有限责任公司 京ICP证150476号 | 京ICP备11018762号