在glassfish jdbcrealm身份验证中没有触发限制页面的登录
cad*_*dii 5 security authentication glassfish java-ee jdbcrealm
我是EJB安全和GlassFish身份验证,授权机制的新手.我有一个jdbc领域并已配置sun-web.xml并web.xml映射角色并限制对页面的访问.
但是,我的问题是,当我限制对所有页面的访问时,它会起作用并在加载欢迎页面之前触发登录弹出(使用BASIC身份验证).
<web-resource-collection>
<web-resource-name>All Pages</web-resource-name>
<description/>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>HEAD</http-method>
<http-method>PUT</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
<http-method>DELETE</http-method>
</web-resource-collection>
但是当我限制访问文件夹中的页面时security,GlassFish不会提示登录并将用户重定向到受限页面.
<web-resource-collection>
<web-resource-name>All Pages</web-resource-name>
<description/>
<url-pattern>/security/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>HEAD</http-method>
<http-method>PUT</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
<http-method>DELETE</http-method>
</web-resource-collection>`
请帮我解决这个问题..提前多多感谢.
打开安全管理器后,我也找到了这些条目
Processing login with credentials of type: class com.sun.enterprise.security.auth.login.PasswordCredential
Logging in user [admin] into realm: admin-realm using JAAS module: fileRealm
Login module initialized: class com.sun.enterprise.security.auth.login.FileLoginModule
File login succeeded for: admin
JAAS login complete.
JAAS authentication committed.
Password login succeeded for : admin
permission check done to set SecurityContext
Set security context as user: admin
[Web-Security] hasResource perm: (javax.security.jacc.WebResourcePermission /faces/security/UserRedirect.jsp GET)
似乎admin-realm中的admin主管会自动进行身份验证并用于我的应用程序,而不是使用我的jdbcrealm.有关如何解决此问题的任何想法?
更新
对不起,我刚刚将身份验证更改为表单进行检查.我又把它改回BASIC了.是的,我将jdbcrealm名称作为默认领域.
你的权利..就是这样
GlassFish不会重定向到登录表单页面,并且不限制对受限资源的访问
我认为这是因为admin-realm admin会自动进行身份验证,当我尝试访问受限制的页面时,它会检查经过身份验证的用户,因为它是管理员,并且它具有对页面的授权,该页面是可访问的,并且不会提示登录.
当我运行应用程序而不是尝试登录玻璃鱼的管理控制台时,这些仍会出现
Processing login with credentials of type: class com.sun.enterprise.security.auth.login.PasswordCredential
Logging in user [admin] into realm: admin-realm using JAAS module: fileRealm
Login module initialized: class com.sun.enterprise.security.auth.login.FileLoginModule
File login succeeded for: admin
JAAS login complete.
JAAS authentication committed.
Password login succeeded for : admin
permission check done to set SecurityContext
Set security context as user: admin
还有这些
(unresolved javax.security.jacc.WebUserDataPermission /security/* null)
(unresolved javax.security.jacc.WebUserDataPermission /:/security/* null)
(unresolved com.sun.corba.ee.impl.presentation.rmi.DynamicAccessPermission access null)
(unresolved javax.security.jacc.WebResourcePermission /:/security/* null)
(unresolved javax.security.jacc.WebResourcePermission /security/* !DELETE,GET,HEAD,OPTIONS,POST,PUT,TRACE)
(unresolved com.sun.enterprise.security.CORBAObjectPermission * *)
更新2
我尝试使用<url-pattern>/*</url-pattern>
而不是<url-pattern>/security/*</url-pattern>
有趣的是,这就是我在追踪中得到的.
Processing login with credentials of type: class com.sun.enterprise.security.auth.login.PasswordCredential
Logging in user [employee] into realm: emsSecurity using JAAS module: jdbcRealm
Login module initialized: class com.sun.enterprise.security.auth.login.JDBCLoginModule
JDBC login succeeded for: employee groups:[Ljava.lang.String;@16bfca4
JAAS login complete.
JAAS authentication committed.
Password login succeeded for : employee
permission check done to set SecurityContext
Set security context as user: employee
它进入拒绝访问页面.
'HTTP状态403 - 已拒绝访问所请求的资源'
我不明白glassfish如何在没有用户提交登录凭据的情况下对用户员工进行身份验证.它甚至说'密码登录成功:员工'.请帮我解决这个问题.
所有的拳头都非常感谢您的努力.我仍然坚持这个问题.我在这里发布了xml文件.
sun-web.xml中
<security-role-mapping>
<role-name>Employee</role-name>
<group-name>Employee</group-name>
web.xml中
<security-constraint>
<display-name>Login Constraint</display-name>
<web-resource-collection>
<web-resource-name>User Redirect page</web-resource-name>
<description/>
<url-pattern>/security/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>HEAD</http-method>
<http-method>PUT</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
<http-method>DELETE</http-method>
</web-resource-collection>
<auth-constraint>
<description/>
<role-name>Employee</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>deliverySecurity</realm-name>
<form-login-config>
<form-login-page>/Login.jsp</form-login-page>
<form-error-page>/index.jsp</form-error-page>
</form-login-config>
</login-config>
<security-role>
<description/>
<role-name>Employee</role-name>
</security-role>
也没有堆栈跟踪.没有例外..用户只是被重定向到安全页面,就好像没有身份验证要求一样.这是一个使用Netbeans 6.5.1和Glassfish v2的jsf可视化Web开发项目.非常感谢.
您能否发布您的所有相关部分,web.xml因为我对此进行了测试web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
<display-name>Archetype Created Web Application</display-name>
<security-constraint>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
<url-pattern>/jsp/security/protected/*</url-pattern>
<http-method>PUT</http-method>
<http-method>DELETE</http-method>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>role1</role-name>
</auth-constraint>
</security-constraint>
<!-- Security roles referenced by this web application -->
<security-role>
<role-name>role1</role-name>
</security-role>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
</web-app>
请求受保护的资源(此处为http://localhost:8080/mywebapp/jsp/security/protected/)确实会提示我输入用户名和密码。换句话说,我无法重现该问题(我使用的是 GlassFish v3)。
更新:我完成了使用领域来保护我的示例 Web 应用程序jdbc,并确认一切正常。因此,正如我所说,请提供您的web.xml和您的sun-web.xml. 另外,为了安全起见,请将日志记录级别设置为“FINEST”:
并加入相关痕迹。
更新:我认为您显示的跟踪是管理控制台中管理员用户的登录。如果没有,您是否将 jdbc 领域设置为默认领域(以下捕获中的数据库是我的 jdbc 领域)?
顺便说一句,我以为你使用的是 BASIC 身份验证。但根据您提供的描述符,您正在使用 FORM。那么,您能否澄清一下您实际使用的是什么以及问题到底是什么(例如:“GlassFish 不会重定向到登录表单页面,并且对受限资源的访问不受限制”)?
| 归档时间: |
|
| 查看次数: |
7279 次 |
| 最近记录: |