Preventing anonymous access to remote EJBs in WebLogic 12c
I have a WAR containing EJBs deployed in WebLogic 12c. I find that I can access the EJBs from a standalone client with no username/password specified in my InitialContext.
Is there a way to prevent anonymous access to all EJBs in a WAR?
What puzzles me is that I need to provide the correct username/password to authenticate (a wrong password will fail authentication). But I can omit the username/password (in my InitialContext properties) and it lets me access the EJB.
So I am looking to configure WebLogic so that it always requires a username/password to access any EJB. And if I omit the username/password it should not let me access my EJB.
I am looking for container support for this security rather than trying to implement something on my own.
You could define a default interceptor and do some role checking there.
The interceptor would be something like this:
import java.security.Principal;

import javax.annotation.Resource;
import javax.ejb.EJBContext;
import javax.interceptor.AroundInvoke;
import javax.interceptor.InvocationContext;

public class LoginCheckInterceptor {

    // Role the caller must hold; adjust to the role declared for your application
    private static final String REQUIRED_ROLE = "ejb-users";

    @Resource
    private EJBContext ejbContext;

    @AroundInvoke
    public Object checkLogin(final InvocationContext context) throws Exception {
        if (userAuthenticated()) {
            return context.proceed();
        } else {
            throw new SecurityException("User not authorized");
        }
    }

    private boolean userAuthenticated() {
        // getCallerPrincipal() identifies the caller; an unauthenticated call
        // carries no usable identity, so reject it before checking roles
        Principal caller = this.ejbContext.getCallerPrincipal();
        if (caller == null || caller.getName() == null || caller.getName().isEmpty()) {
            return false;
        }
        // Role membership is resolved by the container from the security realm
        return this.ejbContext.isCallerInRole(REQUIRED_ROLE);
    }
}
To make it work as a default interceptor (for all EJBs), customize the deployment descriptor ejb-jar.xml:
<?xml version="1.0" encoding="UTF-8"?>
<ejb-jar xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/ejb-jar_3_1.xsd"
         version="3.1">
    <interceptors>
        <interceptor>
            <interceptor-class>your.package.LoginCheckInterceptor</interceptor-class>
        </interceptor>
    </interceptors>
    <assembly-descriptor>
        <interceptor-binding>
            <!-- "*" binds the interceptor to every EJB in the module -->
            <ejb-name>*</ejb-name>
            <interceptor-class>your.package.LoginCheckInterceptor</interceptor-class>
        </interceptor-binding>
    </assembly-descriptor>
</ejb-jar>
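Since the question asks for container support rather than hand-written checks, here is an added example (not part of the original answer) of the declarative alternative: annotating the bean with @DeclareRoles/@RolesAllowed so the container itself rejects any caller who is not authenticated and in the role, raising javax.ejb.EJBAccessException before the business method runs. The role name "ejb-users", the WebLogic group "EjbClients", the package, the bean and the client credentials are all assumptions for illustration.

```java
// Added example, not the original answer's code.
// Assumed: role "ejb-users" exists and is mapped to WebLogic group "EjbClients".
package example.secure; // hypothetical package

import java.util.Hashtable;

import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Remote;
import javax.ejb.Stateless;
import javax.naming.Context;
import javax.naming.InitialContext;

@Remote
interface GreeterRemote {
    String greet(String name);
}

// Class-level @RolesAllowed applies to every business method of the bean, so
// an unauthenticated (anonymous) caller is refused by the container, not by
// application code.
@Stateless
@DeclareRoles("ejb-users")
@RolesAllowed("ejb-users")
public class GreeterBean implements GreeterRemote {
    @Override
    public String greet(String name) {
        return "Hello, " + name;
    }
}

/*
 * Role-to-principal mapping for WebLogic goes in weblogic-ejb-jar.xml
 * (assumed group name):
 *
 *   <security-role-assignment>
 *     <role-name>ejb-users</role-name>
 *     <principal-name>EjbClients</principal-name>
 *   </security-role-assignment>
 */

// Standalone client: credentials are passed in the InitialContext environment.
// Omitting SECURITY_PRINCIPAL/SECURITY_CREDENTIALS now yields an
// EJBAccessException on the call instead of a successful anonymous invocation.
class GreeterClient {
    public static void main(String[] args) throws Exception {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "weblogic.jndi.WLInitialContextFactory");
        env.put(Context.PROVIDER_URL, "t3://localhost:7001");          // assumed server URL
        env.put(Context.SECURITY_PRINCIPAL, "ejbuser");                // assumed user in group EjbClients
        env.put(Context.SECURITY_CREDENTIALS, "changeit");             // assumed password
        Context ctx = new InitialContext(env);

        // JNDI name is the portable global name of the bean (assumed module/app names)
        GreeterRemote greeter = (GreeterRemote) ctx.lookup(
                "java:global/myapp/mymodule/GreeterBean!example.secure.GreeterRemote");
        System.out.println(greeter.greet("WebLogic"));
        ctx.close();
    }
}
```

With this in place the check is enforced by the EJB container on every invocation path (remote, local, and injected references), whereas a default interceptor only runs where it has been bound, so the declarative form is the one to prefer when the goal is simply "no anonymous access to any EJB".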