堆棧內存溢出
  簡體   English   中英

Jboss 7 Jaas模塊,成功登錄后將覆蓋角色

[英]Jboss 7 Jaas Module, Roles are overriden after successful login

 原文  2014-06-12 08:19:28       java/ jsf/ jboss/ jaas

問題描述

我正在嘗試在配置了JAAS安全模塊的JBoss 7.1.2上運行JSF應用程序。 基本上可以登錄,但是在成功完全驗證用戶並授予角色后,角色將再次被覆蓋,並且用戶沒有任何權限,並將被重定向到拒絕訪問的頁面。

也許我錯過了配置中的某些內容,但我真的不知道可能是什么錯誤

這是我的配置:

安全系統的standalone.xml配置: 

<subsystem xmlns="urn:jboss:domain:security:1.2">
        <security-domains>
            <security-domain name="MpsAdminRealm" cache-type="default">
                <authentication>
                    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
                        <module-option name="dsJndiName" value="java:/datasources/iPadDSForAllApps"/>
                        <module-option name="principalsQuery" value="select password from ADMIN_ACCOUNT where username=?"/>
                        <module-option name="rolesQuery" value="SELECT ADMIN_PERMISSION.NAME, 'ROLES' FROM ADMIN_PERMISSION INNER JOIN ROLE_PERMISSION ON ADMIN_PERMISSION.ID = ROLE_PERMISSION.ID_PERMISSION INNER JOIN ADMIN_ROLE ON ROLE_PERMISSION.ID_ROLE = ADMIN_ROLE.ID INNER JOIN ACCOUNT_ROLE ON ADMIN_ROLE.ID = ACCOUNT_ROLE.ID_ROLE INNER JOIN ADMIN_ACCOUNT ON ACCOUNT_ROLE.ID_ACCOUNT = ADMIN_ACCOUNT.ID WHERE ADMIN_ACCOUNT.USERNAME = ?"/>
                    </login-module>
                </authentication>
            </security-domain>
            <security-domain name="jboss-web-policy" cache-type="default">
                <authorization>
                    <policy-module code="Delegating" flag="required"/>
                </authorization>
            </security-domain>
            <security-domain name="jboss-ejb-policy" cache-type="default">
                <authorization>
                    <policy-module code="Delegating" flag="required"/>
                </authorization>
            </security-domain>
        </security-domains>
    </subsystem>

web.xml 

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee 
      http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
    <display-name>mps-admin</display-name>
    <context-param>
          <param-name>javax.faces.PROJECT_STAGE</param-name>
          <param-value>Development</param-value>
        </context-param>

       <session-config>
         <session-timeout>120</session-timeout>
       </session-config>

   <servlet>
         <servlet-name>Faces Servlet</servlet-name>
     <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
     <load-on-startup>1</load-on-startup>
   </servlet>
   <servlet-mapping>
     <servlet-name>Faces Servlet</servlet-name>
     <url-pattern>*.xhtml</url-pattern>
     <url-pattern>*.jsf</url-pattern>
     <url-pattern>/faces/*</url-pattern>
   </servlet-mapping>

   <security-constraint>
    <web-resource-collection>
        <web-resource-name>Restricted Area</web-resource-name>
        <url-pattern>/pages/protected/*</url-pattern>
    </web-resource-collection>

    <auth-constraint>
        <role-name>ADMIN_AREA</role-name>
        <role-name>USER_AREA</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<!-- Login page -->
<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>MpsAdminRealm</realm-name>

    <form-login-config>
        <form-login-page>/pages/public/login.xhtml</form-login-page>
        <form-error-page>/pages/public/loginError.xhtml</form-error-page>
    </form-login-config>
</login-config>

<!-- System roles -->
<security-role >
    <role-name>ADMIN_AREA</role-name>
</security-role>
<security-role>
    <description>User Permission for the User Area of the Application</description>
    <role-name>USER_AREA</role-name>
</security-role>


    <error-page>
      <error-code>403</error-code>
      <location>/pages/public/access_denied.xhtml</location>
    </error-page>

   <welcome-file-list>
     <welcome-file>/pages/protected/user/startseite.xhtml</welcome-file>
   </welcome-file-list>
 </web-app>

我的jboss-web.xml 

<?xml version='1.0' encoding='UTF-8'?>

<jboss-web>
    <!-- URL to access the web module -->
    <context-root>/mps-admin</context-root>

    <!-- Realm that will be used -->
    <security-domain>java:/jaas/MpsAdminRealm</security-domain>
    <use-jboss-authorization>false</use-jboss-authorization>
</jboss-web>

最后,當我嘗試訪問保護區時,日志輸出: 

09:55:56,912 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost/127.0.0.1:8080-1) initialize
09:55:57,693 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost/127.0.0.1:8080-1) Security domain: MpsAdminRealm
09:55:57,693 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost/127.0.0.1:8080-1) DatabaseServerLoginModule, dsJndiName=java:/datasources/iPadDSForAllApps
09:55:57,693 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost/127.0.0.1:8080-1) principalsQuery=select password from ADMIN_ACCOUNT where username=?
09:55:57,693 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost/127.0.0.1:8080-1) rolesQuery=SELECT ADMIN_PERMISSION.NAME, 'ROLES' FROM ADMIN_PERMISSION INNER JOIN ROLE_PERMISSION ON ADMIN_PERMISSION.ID = ROLE_PERMISSION.ID_PERMISSION INNER JOIN ADMIN_ROLE ON ROLE_PERMISSION.ID_ROLE = ADMIN_ROLE.ID INNER JOIN ACCOUNT_ROLE ON ADMIN_ROLE.ID = ACCOUNT_ROLE.ID_ROLE INNER JOIN ADMIN_ACCOUNT ON ACCOUNT_ROLE.ID_ACCOUNT = ADMIN_ACCOUNT.ID WHERE ADMIN_ACCOUNT.USERNAME = ?
09:55:57,693 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost/127.0.0.1:8080-1) suspendResume=true
09:55:57,694 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost/127.0.0.1:8080-1) login
09:55:57,718 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost/127.0.0.1:8080-1) suspendAnyTransaction
09:55:57,719 DEBUG [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (http-localhost/127.0.0.1:8080-1) iPadDS: getConnection(null, WrappedConnectionRequestInfo@5ead5494[userName=ipadpdf]) [1/5]
09:55:57,720 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost/127.0.0.1:8080-1) Excuting query: select password from ADMIN_ACCOUNT where username=?, with username: harald
09:55:57,772 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost/127.0.0.1:8080-1) Obtained user password
09:55:57,773 DEBUG [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (http-localhost/127.0.0.1:8080-1) iPadDS: returnConnection(48885a6e, false) [1/4]
09:55:57,773 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost/127.0.0.1:8080-1) resumeAnyTransaction
09:55:57,774 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost/127.0.0.1:8080-1) User 'harald' authenticated, loginOk=true
09:55:57,774 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost/127.0.0.1:8080-1) commit, loginOk=true
09:55:57,776 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost/127.0.0.1:8080-1) getRoleSets using rolesQuery: SELECT ADMIN_PERMISSION.NAME, 'ROLES' FROM ADMIN_PERMISSION INNER JOIN ROLE_PERMISSION ON ADMIN_PERMISSION.ID = ROLE_PERMISSION.ID_PERMISSION INNER JOIN ADMIN_ROLE ON ROLE_PERMISSION.ID_ROLE = ADMIN_ROLE.ID INNER JOIN ACCOUNT_ROLE ON ADMIN_ROLE.ID = ACCOUNT_ROLE.ID_ROLE INNER JOIN ADMIN_ACCOUNT ON ACCOUNT_ROLE.ID_ACCOUNT = ADMIN_ACCOUNT.ID WHERE ADMIN_ACCOUNT.USERNAME = ?, username: harald
09:55:57,779 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost/127.0.0.1:8080-1) suspendAnyTransaction
09:55:57,780 DEBUG [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (http-localhost/127.0.0.1:8080-1) iPadDS: getConnection(null, WrappedConnectionRequestInfo@5ead5494[userName=ipadpdf]) [1/5]
09:55:57,780 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost/127.0.0.1:8080-1) Excuting query: SELECT ADMIN_PERMISSION.NAME, 'ROLES' FROM ADMIN_PERMISSION INNER JOIN ROLE_PERMISSION ON ADMIN_PERMISSION.ID = ROLE_PERMISSION.ID_PERMISSION INNER JOIN ADMIN_ROLE ON ROLE_PERMISSION.ID_ROLE = ADMIN_ROLE.ID INNER JOIN ACCOUNT_ROLE ON ADMIN_ROLE.ID = ACCOUNT_ROLE.ID_ROLE INNER JOIN ADMIN_ACCOUNT ON ACCOUNT_ROLE.ID_ACCOUNT = ADMIN_ACCOUNT.ID WHERE ADMIN_ACCOUNT.USERNAME = ?, with username: harald
09:55:57,786 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost/127.0.0.1:8080-1) Assign user to role ACCOUNT_ADMINISTRATION
09:55:57,786 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost/127.0.0.1:8080-1) Assign user to role ADMIN_AREA
09:55:57,786 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost/127.0.0.1:8080-1) Assign user to role APA_ADMIN_AREA
09:55:57,786 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost/127.0.0.1:8080-1) Assign user to role CREATE_APPLICATION
09:55:57,786 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost/127.0.0.1:8080-1) Assign user to role ROLE_ADMINISTRATION
09:55:57,786 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost/127.0.0.1:8080-1) Assign user to role SYS_ADMIN_AREA
09:55:57,786 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost/127.0.0.1:8080-1) Assign user to role USER_AREA
09:55:57,786 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost/127.0.0.1:8080-1) Assign user to role USER_PROFILE
09:55:57,786 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost/127.0.0.1:8080-1) Assign user to role USER_SETTINGS
09:55:57,787 DEBUG [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (http-localhost/127.0.0.1:8080-1) iPadDS: returnConnection(48885a6e, false) [1/4]
09:55:57,787 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost/127.0.0.1:8080-1) resumeAnyTransaction
09:55:57,788 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http-localhost/127.0.0.1:8080-1) defaultLogin, lc=javax.security.auth.login.LoginContext@2780a3db, subject=Subject(1003537020).principals=org.jboss.security.SimplePrincipal@1932581337(harald)org.jboss.security.SimpleGroup@1053755336(CallerPrincipal(members:harald))org.jboss.security.SimpleGroup@1053755336(ROLES(members:CREATE_APPLICATION,USER_AREA,APA_ADMIN_AREA,USER_PROFILE,SYS_ADMIN_AREA,USER_SETTINGS,ACCOUNT_ADMINISTRATION,ADMIN_AREA,ROLE_ADMINISTRATION))
09:55:57,789 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http-localhost/127.0.0.1:8080-1) End isValid, true
09:55:57,795 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-localhost/127.0.0.1:8080-1) Authenticated 'harald' with type 'LOGIN'
09:55:57,810 FINE  [javax.enterprise.resource.webcontainer.jsf.lifecycle] (http-localhost/127.0.0.1:8080-1) Exiting InvokeApplicationsPhase
09:55:57,810 FINE  [javax.enterprise.resource.webcontainer.jsf.timing] (http-localhost/127.0.0.1:8080-1)  [TIMING] - [2955ms] : Execution time for phase (including any PhaseListeners) -> INVOKE_APPLICATION 5
09:55:57,810 FINE  [javax.enterprise.resource.webcontainer.jsf.lifecycle] (http-localhost/127.0.0.1:8080-1) render(org.primefaces.context.PrimeFacesContext@4fcb2eda)
09:55:57,810 TRACE [org.jboss.security.SecurityRolesAssociation] (http-localhost/127.0.0.1:8080-1) Setting threadlocal:null
09:55:57,814 DEBUG [org.apache.tomcat.util.http.Cookies] (http-localhost/127.0.0.1:8080-1) Cookies: Parsing b[]: JSESSIONID=JQw37EFGDsqHhV9CezWXrrZH; jm_earth_tpl=jm_earth
09:55:57,815 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-localhost/127.0.0.1:8080-1) Security checking request GET /mps-admin/pages/protected/user/startseite.xhtml
09:55:57,815 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-localhost/127.0.0.1:8080-1) We have cached auth type LOGIN for principal GenericPrincipal[harald()]
09:56:15,192 DEBUG [org.apache.catalina.session.ManagerBase] (ContainerBackgroundProcessor[StandardEngine[jboss.web]]) Start expire sessions StandardManager at 1402559775192 sessioncount 0
09:56:15,192 DEBUG [org.apache.catalina.session.ManagerBase] (ContainerBackgroundProcessor[StandardEngine[jboss.web]]) End expire sessions StandardManager processingTime 0 expired sessions: 0
09:56:25,193 DEBUG [org.apache.catalina.session.ManagerBase] (ContainerBackgroundProcessor[StandardEngine[jboss.web]]) Start expire sessions StandardManager at 1402559785193 sessioncount 1
09:56:25,193 DEBUG [org.apache.catalina.session.ManagerBase] (ContainerBackgroundProcessor[StandardEngine[jboss.web]]) End expire sessions StandardManager processingTime 0 expired sessions: 0
09:56:29,207 DEBUG [org.apache.catalina.realm.RealmBase] (http-localhost/127.0.0.1:8080-1)   Checking constraint 'SecurityConstraint[Restricted Area]' against GET /pages/protected/user/startseite.xhtml --> true
09:56:29,208 DEBUG [org.apache.catalina.realm.RealmBase] (http-localhost/127.0.0.1:8080-1)   Checking constraint 'SecurityConstraint[Restricted Area]' against GET /pages/protected/user/startseite.xhtml --> true
09:56:29,208 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-localhost/127.0.0.1:8080-1)  Calling hasUserDataPermission()
09:56:29,208 DEBUG [org.apache.catalina.realm.RealmBase] (http-localhost/127.0.0.1:8080-1)   User data constraint has no restrictions
09:56:29,208 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-localhost/127.0.0.1:8080-1)  Calling authenticate()
09:56:29,209 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http-localhost/127.0.0.1:8080-1) Already authenticated 'harald'
09:56:29,209 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-localhost/127.0.0.1:8080-1)  Calling accessControl()
09:56:29,209 DEBUG [org.apache.catalina.realm.RealmBase] (http-localhost/127.0.0.1:8080-1)   Checking roles GenericPrincipal[harald()]
09:56:29,210 DEBUG [org.apache.catalina.realm.RealmBase] (http-localhost/127.0.0.1:8080-1) Username harald does NOT have role ADMIN_AREA
09:56:29,210 DEBUG [org.apache.catalina.realm.RealmBase] (http-localhost/127.0.0.1:8080-1) No role found:  ADMIN_AREA
09:56:29,210 DEBUG [org.apache.catalina.realm.RealmBase] (http-localhost/127.0.0.1:8080-1) Username harald does NOT have role USER_AREA
09:56:29,211 DEBUG [org.apache.catalina.realm.RealmBase] (http-localhost/127.0.0.1:8080-1) No role found:  USER_AREA
09:56:29,211 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-localhost/127.0.0.1:8080-1)  Failed accessControl() test
09:56:29,211 TRACE [org.jboss.security.SecurityRolesAssociation] (http-localhost/127.0.0.1:8080-1) Setting threadlocal:null
09:56:29,212 DEBUG [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host]] (http-localhost/127.0.0.1:8080-1) Processing ErrorPage[errorCode=403, location=/pages/public/access_denied.xhtml]

如您所見,身份驗證有效,但隨后角色被覆蓋(設置threadlocal:null)

有誰知道出什么問題了嗎?

1 個解決方案

解決方案1
 1 已采納  2014-06-16 06:06:17

我發現問題了

是配置錯誤。

standalone.xml中的rolequery是錯誤的。 我把“角色”大寫 

<module-option name="rolesQuery" value="SELECT ADMIN_PERMISSION.NAME, 'Roles' FROM ADMIN_PERMISSION INNER JOIN ROLE_PERMISSION ON ADMIN_PERMISSION.ID = ROLE_PERMISSION.ID_PERMISSION INNER JOIN ADMIN_ROLE ON ROLE_PERMISSION.ID_ROLE = ADMIN_ROLE.ID INNER JOIN ACCOUNT_ROLE ON ADMIN_ROLE.ID = ACCOUNT_ROLE.ID_ROLE INNER JOIN ADMIN_ACCOUNT ON ACCOUNT_ROLE.ID_ACCOUNT = ADMIN_ACCOUNT.ID WHERE ADMIN_ACCOUNT.USERNAME = ?"/>

暫無
暫無

聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.

相關問題 JBoss JAAS 自定義登錄模塊 JBoss JAAS自定義登錄模塊錯誤消息 使用 JAAS 登錄模塊注銷 JAAS自定義登錄模塊 Wildfly和JAAS登錄模塊 成功完成JAAS登錄后執行代碼 適用於Windows和Linux的Jaas登錄模塊 通過JAAS手動登錄用戶到JBoss WIldfly 將 HTTP Request.login 與 JBoss/JAAS 一起使用 JavaEE 6中的JAAS配置和LDAP登錄模塊
相關標簽
 
粵ICP備18138465號  © 2020-2024 STACKOOM.COM