方法调用失败 JAX-RS / Wildfly / Java SDK13 with interceptor

Method invocation failure JAX-RS / Wildfly / Java SDK13 with interceptor

我在 Wildfly 18 上向我的 JAX-RS / Resteasy Java SDK13 项目 运行 添加了一个拦截器,以便使用注释(例如@RolesAllowed)。虽然安全实现比编程方法好得多,但当 Resteasy 尝试调用匹配的函数 (deleteAll()) 时,我遇到了一个调用错误。我已经在尝试调用之前跟踪了拦截器流,并且拦截器 批准 用户并向前传递控制权。然后我得到这个错误,这似乎是一个安全故障,尽管我的拦截器已经批准了用户。

我更改了 Wildfly 设置 <default-missing-method-permissions-deny-access value="false"/> 但这并没有改变行为。

Java 使用 /consumers/deleteall 调用源,正文中没有任何内容,也没有查询字符串。

安全拦截器


@Provider
@ServerInterceptor
public class SecurityInterceptor implements ContainerRequestFilter
{
   private static final String AUTHORIZATION_PROPERTY = "Authorization";
   private static final String AUTHENTICATION_SCHEME = "xxx";
   private static final ServerResponse ACCESS_DENIED = new ServerResponse("Access denied for this resource", 401, new Headers<Object>());;
   private static final ServerResponse ACCESS_FORBIDDEN = new ServerResponse("Nobody can access this resource", 403, new Headers<Object>());;
   private static final ServerResponse SERVER_ERROR = new ServerResponse("INTERNAL SERVER ERROR", 500, new Headers<Object>());;

   @Inject
   private GenericUserDAO guDAO;

   @Override
   public void filter(ContainerRequestContext requestContext)
   {
       ResourceMethodInvoker methodInvoker = (ResourceMethodInvoker) requestContext.getProperty("org.jboss.resteasy.core.ResourceMethodInvoker");
       Method method = methodInvoker.getMethod();

       if (method != null)
           System.out.println("Access attempt to "+method.getName());

       //Access allowed for all 
       if( ! method.isAnnotationPresent(PermitAll.class))
       {
           //Access denied for all 
           if(method.isAnnotationPresent(DenyAll.class))
           {
               requestContext.abortWith(ACCESS_FORBIDDEN);
               return;
           }

           //Get request headers
           final MultivaluedMap<String, String> headers = requestContext.getHeaders();

           //Fetch authorization header
           final List<String> authorization = headers.get(AUTHORIZATION_PROPERTY);

           //If no authorization information present; block access
           if(authorization == null || authorization.isEmpty())
           {
               requestContext.abortWith(ACCESS_DENIED);
               return;
           }

           //Get encoded username and password
           final String token = authorization.get(0).replaceFirst(AUTHENTICATION_SCHEME + " ", "");

           //Verify user access
           if(method.isAnnotationPresent(RolesAllowed.class))
           {
               RolesAllowed rolesAnnotation = method.getAnnotation(RolesAllowed.class);
               Set<String> rolesSet = new HashSet<String>(Arrays.asList(rolesAnnotation.value()));

               //Is user valid?
               if( ! isUserAllowed(token, rolesSet))
               {
                   requestContext.abortWith(ACCESS_DENIED);
                   return;
               }
           }
       }
       System.out.println("approved");
   }


   private boolean isUserAllowed(final String token, final Set<String> rolesSet) 
   {
       User user = guDAO.findUserByToken(token);
       if (user.getClass() == SuperUser.class)
           return true;

       String userRole = user.getClass().getSimpleName();
       System.out.println("User role is "+userRole+"    Role set is "+rolesSet.toString());
       return rolesSet.contains(userRole);
   }

}

JAX_RS 处理程序


@LocalBean
@Stateless
@Path("/consumers")
@RolesAllowed({"SuperUser","Consumer"})
public class ConsumerEndpoint extends UserEndpoint {

    /**
     * Delete all consumers
     * @param token
     * @return
     */
    @DELETE
    @Path("/deleteall")
    @RolesAllowed({"SuperUser","Consumer"})
    public Response deleteAll() {
        Response.ResponseBuilder builder = null;

        if (!consumerDAO.deleteAll()) {
            Map<String, String> responseObj = new HashMap<String, String>();
            responseObj.put("error", "Error executing deletion");
            builder = Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity(responseObj);
            return builder.build();
        }

        return Response.ok().build();
    }
}

日志数据

23:29:23,661 ERROR [org.jboss.as.ejb3.invocation] (default task-1) WFLYEJB0034: EJB Invocation failed on component ConsumerEndpoint for method public javax.ws.rs.core.Response com.eventhorizon.eva.rest.responder.ConsumerEndpoint.deleteAll(): javax.ejb.EJBAccessException: WFLYEJB0364: Invocation on method: public javax.ws.rs.core.Response com.eventhorizon.eva.rest.responder.ConsumerEndpoint.deleteAll() of bean: ConsumerEndpoint is not allowed
    at org.jboss.as.ejb3@18.0.0.Final//org.jboss.as.ejb3.security.AuthorizationInterceptor.processInvocation(AuthorizationInterceptor.java:134)
    at org.jboss.invocation@1.5.2.Final//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)


23:29:23,665 ERROR [io.undertow.request] (default task-1) UT005023: Exception handling request to /eva/rest/consumers/deleteall: org.jboss.resteasy.spi.UnhandledException: javax.ejb.EJBAccessException: WFLYEJB0364: Invocation on method: public javax.ws.rs.core.Response com.eventhorizon.eva.rest.responder.ConsumerEndpoint.deleteAll() of bean: ConsumerEndpoint is not allowed
    at org.jboss.resteasy.resteasy-jaxrs@3.9.0.Final//org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:82)
    at org.jboss.resteasy.resteasy-jaxrs@3.9.0.Final//org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:346)
    at org.jboss.resteasy.resteasy-jaxrs@3.9.0.Final//org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:193)
    at org.jboss.resteasy.resteasy-jaxrs@3.9.0.Final//org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:456)
    at org.jboss.resteasy.resteasy-jaxrs@3.9.0.Final//org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke(SynchronousDispatcher.java:229)
    at org.jboss.resteasy.resteasy-jaxrs@3.9.0.Final//org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess[=13=](SynchronousDispatcher.java:135)
    at org.jboss.resteasy.resteasy-jaxrs@3.9.0.Final//org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:356)
    at org.jboss.resteasy.resteasy-jaxrs@3.9.0.Final//org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:138)
    at org.jboss.resteasy.resteasy-jaxrs@3.9.0.Final//org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:215)
    at org.jboss.resteasy.resteasy-jaxrs@3.9.0.Final//org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227)
    at org.jboss.resteasy.resteasy-jaxrs@3.9.0.Final//org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.resteasy-jaxrs@3.9.0.Final//org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.api@2.0.0.Final//javax.servlet.http.HttpServlet.service(HttpServlet.java:590)
    at io.undertow.servlet@2.0.26.Final//io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
    at io.undertow.servlet@2.0.26.Final//io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
    at io.opentracing.contrib.opentracing-jaxrs2//io.opentracing.contrib.jaxrs2.server.SpanFinishingFilter.doFilter(SpanFinishingFilter.java:52)
    at io.undertow.servlet@2.0.26.Final//io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at io.undertow.servlet@2.0.26.Final//io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undertow.servlet@2.0.26.Final//io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undertow.servlet@2.0.26.Final//io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet@2.0.26.Final//io.undertow.servlet.handlers.ServletChain.handleRequest(ServletChain.java:68)
    at io.undertow.servlet@2.0.26.Final//io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow@18.0.0.Final//org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.core@2.0.26.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet@2.0.26.Final//io.undertow.servlet.handlers.RedirectDirHandler.handleRequest(RedirectDirHandler.java:68)
    at io.undertow.servlet@2.0.26.Final//io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
    at io.undertow.servlet@2.0.26.Final//io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.core@2.0.26.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.core@2.0.26.Final//io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet@2.0.26.Final//io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.core@2.0.26.Final//io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet@2.0.26.Final//io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.core@2.0.26.Final//io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.core@2.0.26.Final//io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.core@2.0.26.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow@18.0.0.Final//org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.core@2.0.26.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow@18.0.0.Final//org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
    at io.undertow.core@2.0.26.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.core@2.0.26.Final//io.undertow.server.handlers.MetricsHandler.handleRequest(MetricsHandler.java:64)
    at io.undertow.servlet@2.0.26.Final//io.undertow.servlet.core.MetricsChainHandler.handleRequest(MetricsChainHandler.java:59)
    at io.undertow.servlet@2.0.26.Final//io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:269)
    at io.undertow.servlet@2.0.26.Final//io.undertow.servlet.handlers.ServletInitialHandler.access0(ServletInitialHandler.java:78)
    at io.undertow.servlet@2.0.26.Final//io.undertow.servlet.handlers.ServletInitialHandler.call(ServletInitialHandler.java:133)
    at io.undertow.servlet@2.0.26.Final//io.undertow.servlet.handlers.ServletInitialHandler.call(ServletInitialHandler.java:130)
    at io.undertow.servlet@2.0.26.Final//io.undertow.servlet.core.ServletRequestContextThreadSetupAction.call(ServletRequestContextThreadSetupAction.java:48)
    at io.undertow.servlet@2.0.26.Final//io.undertow.servlet.core.ContextClassLoaderSetupAction.call(ContextClassLoaderSetupAction.java:43)
    at org.wildfly.extension.undertow@18.0.0.Final//org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create[=13=](SecurityContextThreadSetupAction.java:105)
    at org.wildfly.extension.undertow@18.0.0.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create[=13=](UndertowDeploymentInfoService.java:1504)
    at org.wildfly.extension.undertow@18.0.0.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create[=13=](UndertowDeploymentInfoService.java:1504)
    at org.wildfly.extension.undertow@18.0.0.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create[=13=](UndertowDeploymentInfoService.java:1504)
    at org.wildfly.extension.undertow@18.0.0.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create[=13=](UndertowDeploymentInfoService.java:1504)
    at org.wildfly.extension.undertow@18.0.0.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create[=13=](UndertowDeploymentInfoService.java:1504)
    at io.undertow.servlet@2.0.26.Final//io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:249)
    at io.undertow.servlet@2.0.26.Final//io.undertow.servlet.handlers.ServletInitialHandler.access[=13=]0(ServletInitialHandler.java:78)
    at io.undertow.servlet@2.0.26.Final//io.undertow.servlet.handlers.ServletInitialHandler.handleRequest(ServletInitialHandler.java:99)
    at io.undertow.core@2.0.26.Final//io.undertow.server.Connectors.executeRootHandler(Connectors.java:376)
    at io.undertow.core@2.0.26.Final//io.undertow.server.HttpServerExchange.run(HttpServerExchange.java:830)
    at org.jboss.threads@2.3.3.Final//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
    at org.jboss.threads@2.3.3.Final//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982)
    at org.jboss.threads@2.3.3.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
    at org.jboss.threads@2.3.3.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
    at java.base/java.lang.Thread.run(Thread.java:830)
Caused by: javax.ejb.EJBAccessException: WFLYEJB0364: Invocation on method: public javax.ws.rs.core.Response com.eventhorizon.eva.rest.responder.ConsumerEndpoint.deleteAll() of bean: ConsumerEndpoint is not allowed
    at org.jboss.as.ejb3@18.0.0.Final//org.jboss.as.ejb3.security.AuthorizationInterceptor.processInvocation(AuthorizationInterceptor.java:134)
    at org.jboss.invocation@1.5.2.Final//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
    at org.jboss.as.ejb3@18.0.0.Final//org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:100)
    at org.jboss.invocation@1.5.2.Final//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
    at org.jboss.as.ejb3@18.0.0.Final//org.jboss.as.ejb3.deployment.processors.StartupAwaitInterceptor.processInvocation(StartupAwaitInterceptor.java:22)
    at org.jboss.invocation@1.5.2.Final//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
    at org.jboss.as.ejb3@18.0.0.Final//org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory.processInvocation(ShutDownInterceptorFactory.java:64)
    at org.jboss.invocation@1.5.2.Final//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
    at org.jboss.as.ejb3@18.0.0.Final//org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:67)
    at org.jboss.invocation@1.5.2.Final//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
    at org.jboss.as.ee@18.0.0.Final//org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50)
    at org.jboss.invocation@1.5.2.Final//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
    at org.jboss.invocation@1.5.2.Final//org.jboss.invocation.ContextClassLoaderInterceptor.processInvocation(ContextClassLoaderInterceptor.java:60)
    at org.jboss.invocation@1.5.2.Final//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
    at org.jboss.invocation@1.5.2.Final//org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:438)
    at org.wildfly.security.elytron-private@1.10.3.Final//org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:627)
    at org.jboss.invocation@1.5.2.Final//org.jboss.invocation.AccessCheckingInterceptor.processInvocation(AccessCheckingInterceptor.java:57)
    at org.jboss.invocation@1.5.2.Final//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
    at org.jboss.invocation@1.5.2.Final//org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:53)
    at org.jboss.as.ee@18.0.0.Final//org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:198)
    at org.jboss.as.ee@18.0.0.Final//org.jboss.as.ee.component.ViewDescription.processInvocation(ViewDescription.java:185)
    at org.jboss.as.ee@18.0.0.Final//org.jboss.as.ee.component.ProxyInvocationHandler.invoke(ProxyInvocationHandler.java:81)
    at deployment.eva.war//com.eventhorizon.eva.rest.responder.ConsumerEndpoint$$$view8.deleteAll(Unknown Source)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:567)
    at org.jboss.resteasy.resteasy-jaxrs@3.9.0.Final//org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:138)
    at org.jboss.resteasy.resteasy-jaxrs@3.9.0.Final//org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:517)
    at org.jboss.resteasy.resteasy-jaxrs@3.9.0.Final//org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:406)
    at org.jboss.resteasy.resteasy-jaxrs@3.9.0.Final//org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget[=13=](ResourceMethodInvoker.java:370)
    at org.jboss.resteasy.resteasy-jaxrs@3.9.0.Final//org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:356)
    at org.jboss.resteasy.resteasy-jaxrs@3.9.0.Final//org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:372)
    at org.jboss.resteasy.resteasy-jaxrs@3.9.0.Final//org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:344)
    at org.jboss.resteasy.resteasy-jaxrs@3.9.0.Final//org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:317)
    at org.jboss.resteasy.resteasy-jaxrs@3.9.0.Final//org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:440)
    ... 59 more

23:29:23,670 INFO  [io.undertow.request.dump] (default task-1) 
----------------------------REQUEST---------------------------
               URI=/eva/rest/consumers/deleteall
 characterEncoding=null
     contentLength=0
       contentType=[application/json]
            header=Accept=application/json
            header=Connection=keep-alive
            header=Authorization=ApiKey-v1 AC0gP9D-2jrCRDXfzyTayDb5LuUTTX9_Z2NwMDcwM0BnbWFpbC5jb20=
            header=Content-Type=application/json
            header=Content-Length=0
            header=User-Agent=Java/13.0.1
            header=Host=localhost:8080
            locale=[]
            method=DELETE
          protocol=HTTP/1.1
       queryString=
        remoteAddr=/127.0.0.1:53053
        remoteHost=localhost
            scheme=http
              host=localhost:8080
        serverPort=8080
          isSecure=false
--------------------------RESPONSE--------------------------
     contentLength=-1
       contentType=text/html;charset=UTF-8
            header=Connection=keep-alive
            header=Transfer-Encoding=chunked
            header=Content-Type=text/html;charset=UTF-8
            header=Date=Tue, 14 Jan 2020 06:29:23 GMT
            status=500

==============================================================

POM.XML

<project xmlns="http://maven.apache.org/POM/4.0.0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">

    <modelVersion>4.0.0</modelVersion>
    <groupId>com.eventhorizon</groupId>
    <artifactId>eva</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <packaging>war</packaging>
    <name>Eva REST Interface</name>
    <properties>
        <!-- Explicitly declaring the source encoding eliminates the following 
            message: -->
        <!-- [WARNING] Using platform encoding (UTF-8 actually) to copy filtered 
            resources, i.e. build is platform dependent! -->
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>

        <!-- You can reference property in pom.xml or filtered resources (must 
            enable third-party plugin if using Maven < 2.1) -->

        <!-- JBoss dependency versions -->

        <version.jboss.maven.plugin>7.9.Final</version.jboss.maven.plugin>

        <!-- Define the version of the JBoss BOMs we want to import to specify 
            tested stacks. -->
        <version.jboss.bom>1.0.7.Final</version.jboss.bom>

        <!-- Other dependency versions -->
        <version.org.eclipse.m2e>1.0.0</version.org.eclipse.m2e>
        <version.ro.isdc.wro4j>1.4.4</version.ro.isdc.wro4j>

        <!-- other plugin versions -->
        <version.surefire.plugin>2.10</version.surefire.plugin>
        <version.war.plugin>2.2</version.war.plugin>

        <!-- maven-compiler-plugin -->
        <maven.compiler.target>12</maven.compiler.target>
        <maven.compiler.source>12</maven.compiler.source>
    </properties>

    <dependencyManagement>
        <dependencies>
            <!-- https://mvnrepository.com/artifact/org.wildfly.bom/wildfly-jakartaee8-with-tools-builder -->
            <dependency>
                <groupId>org.wildfly.bom</groupId>
                <artifactId>wildfly-jakartaee8-with-tools-builder</artifactId>
                <version>18.0.1.Final</version>
                <type>pom</type>
                <scope>import</scope>
            </dependency>
            <!-- https://mvnrepository.com/artifact/org.jboss.spec.javax.management.j2ee/jboss-j2eemgmt-api_1.1_spec-parent -->
            <dependency>
                <groupId>org.jboss.spec.javax.management.j2ee</groupId>
                <artifactId>jboss-j2eemgmt-api_1.1_spec-parent</artifactId>
                <version>2.0.0.Final</version>
                <type>pom</type>
            </dependency>
            <dependency>
                <groupId>org.jboss.arquillian</groupId>
                <artifactId>arquillian-bom</artifactId>
                <version>1.1.8.Final</version>
                <scope>import</scope>
                <type>pom</type>
            </dependency>
        </dependencies>
    </dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>org.json</groupId>
            <artifactId>json</artifactId>
            <version>20180130</version>
        </dependency>
        <!-- https://mvnrepository.com/artifact/org.mongodb/mongo-java-driver -->
        <dependency>
            <groupId>org.mongodb</groupId>
            <artifactId>mongo-java-driver</artifactId>
            <version>3.12.0</version>
        </dependency>
        <dependency>
            <groupId>com.sendgrid</groupId>
            <artifactId>sendgrid-java</artifactId>
            <version>4.4.1</version>
        </dependency>

        <dependency>
            <groupId>com.sendgrid</groupId>
            <artifactId>java-http-client</artifactId>
            <version>4.1.0</version>
        </dependency>

        <dependency>
            <groupId>commons-beanutils</groupId>
            <artifactId>commons-beanutils</artifactId>
        </dependency>
        <dependency>
            <groupId>org.bouncycastle</groupId>
            <artifactId>bcprov-jdk15on</artifactId>
        </dependency>

    </dependencies>
    <build>
        <!-- Maven will append the version to the finalName (which is the name 
            given to the generated war, and hence the context root) -->
        <!-- <finalName>${project.artifactId}</finalName> -->
        <finalName>eva</finalName>
        <plugins>
            <plugin>
                <artifactId>maven-war-plugin</artifactId>
                <version>3.2.2</version>
                <configuration>
                    <!-- Java EE 6 doesn't require web.xml, Maven needs to catch up! -->
                    <failOnMissingWebXml>false</failOnMissingWebXml>
                </configuration>
            </plugin>
        </plugins>
    </build>
</project>

您正在使用 EJB (@LocalBean) 注释。并且您应用了 @RolesAllowed 注释。这意味着,您的 EJB / REST 服务调用自动受到 JEE 运行时的保护。

基本上,您在拦截器中所做的事情已经由 Wildfly 执行。但以不同的方式。现在您意外地拥有两种身份验证方式或级别。我建议你坚持单一实施。

要么使用 JAAS 框架,要么使用自定义拦截器。您不应同时使用两者。

  1. 我推荐的方法是在 Wildfly 中设置 JAAS 登录模块。应该有很多例子说明如何做到这一点,例如使用 https://docs.wildfly.org/18/WildFly_Elytron_Security.html#Database_Authentication_Migration or JBoss Wildfly - database login module
  2. 不使用 JAAS 并提供您的自定义安全拦截器。基本上你可以保留你的拦截器 class。为了使其正常工作,您可以使用自己的一组注释来检查访问权限。