
Configuring EJB security on Weblogic

I'm trying to understand how the EJB security works on a WebLogic server.

I have an EJB with the following configuration in ejb-jar.xml:

<session>
    <ejb-name>BeanA</ejb-name>
    ....
    <security-identity>
        <run-as>
            <role-name>beanA_users</role-name>
        </run-as>
    </security-identity>
</session>

<assembly-descriptor>
    <security-role>
        <role-name>beanA_users</role-name>
    </security-role>
    <container-transaction>
        <method>
            <ejb-name>BeanA</ejb-name>
            <method-name>*</method-name>
        </method>
    </container-transaction>
</assembly-descriptor>

and in weblogic-ejb-jar.xml:

<security-role-assignment>
    <role-name>beanA_users</role-name>
    <principal-name>runas_a</principal-name>
</security-role-assignment>
<run-as-role-assignment>
    <role-name>beanA_users</role-name>
    <run-as-principal-name>runas_a</run-as-principal-name>
</run-as-role-assignment>

I interpret it like this: BeanA runs as beanA_users. "runas_a" is one of beanA_users. Therefore, BeanA runs as the runas_a user. Also, all users that are in the beanA_users role are permitted to call all the BeanA methods. In other words, BeanA is running as runas_a, and only runas_a can call its methods. Is this correct?

However, when I call this EJB from another EJB that has the configuration below, I'm able to get through. Shouldn't BeanA have to configure a permission for the principal assigned to the BeanB_users role in BeanB?

ejb-jar.xml:

<session>
    <ejb-name>BeanB</ejb-name>
    ...
    <security-identity>
        <run-as>
            <role-name>beanB_users</role-name>
        </run-as>
    </security-identity>
</session>

weblogic-ejb-jar.xml:

<run-as-role-assignment>
    <role-name>beanB_users</role-name>
    <run-as-principal-name>runas_b</run-as-principal-name>
</run-as-role-assignment>

Edit:

After reading the ejb-jar.xml schema, it looks like BeanA in this example does not define any permissions in the <assembly-descriptor> element. It only defines the security role. I presume this is why any EJB can call its methods. But why does it define a security role assignment in that case? For instance, if BeanA had the following within the element, would it in that case block BeanB from getting through, since the permission does not include the runas_b principal?

<method-permission>
    <role-name>beanA_users</role-name>
    <method>
        <ejb-name>BeanA</ejb-name>
        <method-name>*</method-name>
    </method>
</method-permission>

You have the wrong end of the stick here.

When you add:

    <security-identity>              
        <run-as>
            <role-name>beanA_users</role-name>
        </run-as>
    </security-identity>

to a bean definition, this tells WebLogic what role should be applied to any invocations on that bean that it instigates itself, rather than what a user instigates.

I.e. this security identity would be applied to EJB timer methods and the onMessage method of an MDB (and, if I recall correctly, some housekeeping operations).

The WebLogic extension with the <run-as-role-assignment>...</run-as-role-assignment> element adds a defined principal to these method calls, so that javax.ejb.EJBContext.getCallerPrincipal() returns something other than anonymous during one of these method calls.

In all other cases this security information is normally propagated from the identity of the logged-in user of a web application.

Typically a user will be authenticated via their servlet-based web application, which is wired up to a security domain provided by the application server. The servlet container will then associate incoming HTTP requests with a user principal. That user principal must be associated with one or more "roles" before role-based access can be performed (which is done in a vendor-dependent way, but often associated with JAAS). If the user has no roles, the container will reject any attempt to invoke servlets or downstream EJBs that have been protected by security role declarations in the deployment descriptors or associated @javax.annotation.security.RolesAllowed annotations. The security context established by the servlet container is propagated through the subsequent chain of EJB calls until it either returns successfully or is blocked by a security role.

For more information please refer to the "Security" chapters of the Servlet Specification and the EJB Specification.
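A descriptor audit that makes the question's gap visible, added here as an example and not part of the original post or of WebLogic: it parses an ejb-jar.xml and weblogic-ejb-jar.xml pair, reports each bean's run-as role and mapped principal, and flags beans for which no <method-permission> names any role (the descriptors below are constructed to mirror the question and are not real deployments).

```python
"""Audit EJB descriptors: which roles may call each bean, and which beans are unrestricted."""
import xml.etree.ElementTree as ET

# Constructed sample descriptors mirroring the question's BeanA/BeanB (not a real deployment).
EJB_JAR_XML = """<ejb-jar>
  <enterprise-beans>
    <session><ejb-name>BeanA</ejb-name>
      <security-identity><run-as><role-name>beanA_users</role-name></run-as></security-identity>
    </session>
    <session><ejb-name>BeanB</ejb-name>
      <security-identity><run-as><role-name>beanB_users</role-name></run-as></security-identity>
    </session>
  </enterprise-beans>
  <assembly-descriptor>
    <security-role><role-name>beanA_users</role-name></security-role>
    <security-role><role-name>beanB_users</role-name></security-role>
  </assembly-descriptor>
</ejb-jar>"""

WEBLOGIC_EJB_JAR_XML = """<weblogic-ejb-jar>
  <security-role-assignment><role-name>beanA_users</role-name><principal-name>runas_a</principal-name></security-role-assignment>
  <run-as-role-assignment><role-name>beanA_users</role-name><run-as-principal-name>runas_a</run-as-principal-name></run-as-role-assignment>
  <run-as-role-assignment><role-name>beanB_users</role-name><run-as-principal-name>runas_b</run-as-principal-name></run-as-role-assignment>
</weblogic-ejb-jar>"""


def _parse(xml_text: str) -> ET.Element:
    """Parse and drop the default namespace so real (namespaced) descriptors audit the same way."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        el.tag = el.tag.split("}", 1)[-1]
    return root


def audit(ejb_jar: str, weblogic_ejb_jar: str) -> dict:
    ejb, wl = _parse(ejb_jar), _parse(weblogic_ejb_jar)
    permitted = {}  # role -> beans whose methods that role may call, from <method-permission>
    for mp in ejb.iter("method-permission"):
        for role in (r.text for r in mp.findall("role-name")):
            permitted.setdefault(role, set()).update(m.findtext("ejb-name") for m in mp.findall("method"))
    run_as_principal = {ra.findtext("role-name"): ra.findtext("run-as-principal-name")
                        for ra in wl.iter("run-as-role-assignment")}
    report = {}
    for bean in ejb.iter("session"):
        name = bean.findtext("ejb-name")
        run_as_role = bean.findtext("security-identity/run-as/role-name")
        callers = sorted(r for r, beans in permitted.items() if name in beans)
        report[name] = {"run_as_role": run_as_role,
                        "run_as_principal": run_as_principal.get(run_as_role),
                        "permitted_roles": callers,
                        "unrestricted": not callers}  # no <method-permission> names this bean
    return report
```

Running it against the question's descriptors reports BeanA as unrestricted; appending the <method-permission> from the edit makes beanA_users the only permitted caller role in the report.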
