
Java EE Server Independent Security

I am currently in the process of writing a web app (a collection of RESTful web services) that has the potential to be deployed on multiple different application servers (JBoss and WebSphere are two different containers we want to support out of the box initially).

Whenever I look online for security examples for JBoss, they reference JBoss specific authentication/authorization classes, which obviously wouldn't work on WebSphere.

Is there a good way (either a Java EE standard or a 3rd party framework) to handle security in a container independent manner?

I was originally planning on having the container handle authentication; then authentication would be handled with custom code on each of the REST methods. However, after setting up basic authentication in my web.xml, JBoss seems to be doing some sort of authorization on its own and gives me a 403 after a successful log in. In WebSphere, I am able to define an "All Authenticated" role that will authorize all authenticated users, but I am not sure how to do the equivalent in JBoss (and in a container independent method).

Here is my web.xml:

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns="http://java.sun.com/xml/ns/javaee"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
    version="3.0">
    <display-name>identify-service-web</display-name>
    <welcome-file-list>
        <welcome-file>index.html</welcome-file>
        <welcome-file>index.htm</welcome-file>
        <welcome-file>index.jsp</welcome-file>
        <welcome-file>default.html</welcome-file>
        <welcome-file>default.htm</welcome-file>
        <welcome-file>default.jsp</welcome-file>
    </welcome-file-list>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>All resources</web-resource-name>
            <description>Protects all resources</description>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>ApplicationRealm</role-name>
        </auth-constraint>
    </security-constraint>
    <security-role>
        <role-name>ApplicationRealm</role-name>
    </security-role>

    <login-config>
        <auth-method>BASIC</auth-method>
    </login-config>
</web-app>

I am a Java EE security newbie, so please excuse the fact that I might have missed something extremely obvious. Hope someone can push me in the right direction!

By using the security-constraint in the web.xml you define authorization for the application. So your configuration means: only authenticated users with the assigned role ApplicationRealm have access to this application.

You can use a role-mapping in the security-domain in JBoss AS7.1 / EAP 6.x / WildFly. For instance, use these CLI commands:

/subsystem=security/security-domain=other/mapping=classic:add
/subsystem=security/security-domain=other/mapping=classic/mapping-module=mapRoleToAllUsers:add(code="org.jboss.security.mapping.providers.role.DatabaseRolesMappingProvider", type="role", module-options=[("dsJndiName"=>"java:jboss/datasources/ExampleDS"), ("rolesQuery"=>"SELECT 'ApplicationRealm' FROM Dual WHERE ?!=''")])
reload

which result in the following configuration in the standalone.xml:

<security-domain name="other" cache-type="default">
    <authentication>
        <login-module code="Remoting" flag="optional">
            <module-option name="password-stacking" value="useFirstPass"/>
        </login-module>
        <login-module code="RealmDirect" flag="required">
            <module-option name="password-stacking" value="useFirstPass"/>
        </login-module>
    </authentication>
    <mapping>
        <mapping-module name="mapRoleToAllUsers" code="org.jboss.security.mapping.providers.role.DatabaseRolesMappingProvider" type="role">
            <module-option name="dsJndiName" value="java:jboss/datasources/ExampleDS"/>
            <module-option name="rolesQuery" value="SELECT 'ApplicationRealm' FROM Dual WHERE ?!=''"/>
        </mapping-module>
    </mapping>
</security-domain>

Then all authenticated users get the ApplicationRealm role automatically.

I strongly recommend using jboss-web.xml to define the security domain for your application, even if the default one is used:

<jboss-web>
    <security-domain>other</security-domain>
</jboss-web>

There is currently an issue which causes the roles not to be mapped correctly when the jboss-web.xml is omitted.

Just as kwart wrote, security settings defined in web.xml or by standard security annotations must be implemented by all containers, so it's safe and portable to use them.

What is server specific is how the user to security role mapping is defined, what a user registry can be (e.g. LDAP, file, database, custom), and the additional authentication mechanisms supported by the container (e.g. Kerberos, SAML, custom).

For general information on Java EE security, you can check the "Securing a Web application" chapter in the WebSphere Application Server V7.0 Security Guide (although it talks about Java EE 5, most of the information is still valid in the latest release).

For an example of how to configure web.xml for a JAX-RS application in WebSphere, check this page:

Maybe you can use spring-security as a common authentication mechanism... But in general mixing Spring and Java EE is not a good idea.

You can use the standard Java EE security framework. If you want to deploy your application in some containers you will need to provide specific configuration for each container; this shouldn't be a problem because those configurations will not be too long and each container should ignore the specific configuration of other containers.

If your JBoss gives you a 403 error even on a successful login, it sounds like a misconfiguration. Have you checked the security domain in WEB-INF/jboss-web.xml? In JBoss, if you don't define any auth-constraint in the security-constraint it will accept any user.
