访问受保护的 URL 时出现 JAAS 禁止错误 (403)
JAAS Forbidden Error (403) when accessing a protected URL
我刚刚开始在 GlassFish 服务器上使用 JSF、JPA 和 EJB 开发一个宠物项目,目前我正在使用 JAAS 设置身份验证模块。现在差不多完成了,除了一个我无法找到解决方案的错误。
我的前提
我在数据库中有一个 table users 存储所有 email, password 和 role(暂时未规范化)。我对团体没有任何规定。用户只是被分配了一个角色。
我的数据是这样的:
username | role | password
mannyee Member (sha-256 value)
我已经在 GlassFish 服务器中设置了一个 JDBC 领域 (findRoomieRealm)。那里的属性设置有:
JAAS Context : jdbcRealm
JNDI : jdbc/sample
User Table : users
User Name Column: email
Password Column : password
Group Table : users
Group Name Column: role
Password Encryption Algorithm: SHA-256
Group Table User Name Column: (empty)
然后我在 web.xml
中设置了以下内容
<welcome-file-list>
<welcome-file>pages/user/dashboard.xhtml</welcome-file>
</welcome-file-list>
<!-- Protected area definition -->
<security-constraint>
<web-resource-collection>
<web-resource-name>Restricted Area</web-resource-name>
<url-pattern>/pages/user/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>MEMBER</role-name>
</auth-constraint>
</security-constraint>
<!-- Login page -->
<login-config>
<auth-method>FORM</auth-method>
<realm-name>findRoomieRealm</realm-name>
<form-login-config>
<form-login-page>/faces/login.xhtml</form-login-page>
<form-error-page>/faces/error.xhtml</form-error-page>
</form-login-config>
</login-config>
<!-- System roles -->
<security-role>
<role-name>ADMIN</role-name>
</security-role>
<security-role>
<role-name>MEMBER</role-name>
</security-role>
我的问题:
当我尝试访问受保护的页面时,登录页面确实拦截了我可以成功登录系统的请求。我可以通过服务器生成的日志来验证这一点:
Fine: [Web-Security] Setting Policy Context ID: old = null ctxID = findRoomie/findRoomie
Fine: [Web-Security] hasUserDataPermission perm: ("javax.security.jacc.WebUserDataPermission" "/j_security_check" "POST")
Fine: [Web-Security] hasUserDataPermission isGranted: true
Finest: Processing login with credentials of type: class com.sun.enterprise.security.auth.login.common.PasswordCredential
Fine: Logging in user [mannyee] into realm: findRoomieRealm using JAAS module: jdbcRealm
Fine: Login module initialized: class com.sun.enterprise.security.ee.auth.login.JDBCLoginModule
Finest: JDBC login succeeded for: mannyee groups:[Member]
Fine: JAAS login complete.
Fine: JAAS authentication committed.
Fine: Password login succeeded for : mannyee
Fine: Set security context as user: mannyee
但是我在请求的页面(登录后立即)和日志文件上得到了禁止状态:
Fine: [Web-Security] Setting Policy Context ID: old = null ctxID = findRoomie/findRoomie
Fine: [Web-Security] hasUserDataPermission perm: ("javax.security.jacc.WebUserDataPermission" "" "GET")
Fine: [Web-Security] hasUserDataPermission isGranted: true
Fine: [Web-Security] Policy Context ID was: findRoomie/findRoomie
Fine: [Web-Security] Codesource with Web URL: file:/findRoomie/findRoomie
Fine: [Web-Security] Checking Web Permission with Principals : null
Fine: [Web-Security] Web Permission = ("javax.security.jacc.WebResourcePermission" "/pages/user/dashboard.xhtml" "GET")
Finest: JACC Policy Provider: PolicyWrapper.implies, context (findRoomie/findRoomie)- result was(false) permission (("javax.security.jacc.WebResourcePermission" "/pages/user/dashboard.xhtml" "GET"))
Fine: [Web-Security] hasResource isGranted: false
Fine: [Web-Security] hasResource perm: ("javax.security.jacc.WebResourcePermission" "/pages/user/dashboard.xhtml" "GET")
Fine: [Web-Security] Policy Context ID was: findRoomie/findRoomie
Fine: [Web-Security] Generating a protection domain for Permission check.
Fine: [Web-Security] Checking with Principal : mannyee
Fine: [Web-Security] Checking with Principal : Member
Fine: [Web-Security] Codesource with Web URL: file:/findRoomie/findRoomie
Fine: [Web-Security] Checking Web Permission with Principals : mannyee, Member
Fine: [Web-Security] Web Permission = ("javax.security.jacc.WebResourcePermission" "/pages/user/dashboard.xhtml" "GET")
Finest: JACC Policy Provider: PolicyWrapper.implies, context (findRoomie/findRoomie)- result was(false) permission (("javax.security.jacc.WebResourcePermission" "/pages/user/dashboard.xhtml" "GET"))
Fine: [Web-Security] hasResource isGranted: false
虽然具有成员角色的用户应该可以访问它,但服务器禁止来自用户 mannyee 的请求。所以我在 glassfish-web.xml (sun-web.xml)
上设置了以下内容
<security-role-mapping>
<role-name>Member</role-name>
<principal-name>mannyee</principal-name>
<!-- <group-name>Member</group-name>-->
</security-role-mapping>
但我仍然无法让该用户访问该页面。我认为问题出在角色分配的某个地方。服务器日志显示 GlassFish 尝试通过将 'mannyee' 和 'Member' 作为委托人来进行授权,但都失败了。还有一行说
Fine: [Web-Security] Checking Web Permission with Principals : null
我不太清楚那是什么意思。
谁能指出我在这里遗漏了什么?
谢谢!!
经过一番修改配置,我终于找到了解决办法。我对我的领域进行了以下更改
Assign Groups: ADMIN,MEMBER
然后在 glassfish-web.xml,
<security-role-mapping>
<role-name>MEMBER</role-name>
<principal-name>MEMBER</principal-name>
<group-name>MEMBER</group-name>
</security-role-mapping>
我也有区分大小写的问题,我在 table 中将角色存储为 Member 但使用 MEMBER在我所有的配置中。
我刚刚开始在 GlassFish 服务器上使用 JSF、JPA 和 EJB 开发一个宠物项目,目前我正在使用 JAAS 设置身份验证模块。现在差不多完成了,除了一个我无法找到解决方案的错误。
我的前提
我在数据库中有一个 table users 存储所有 email, password 和 role(暂时未规范化)。我对团体没有任何规定。用户只是被分配了一个角色。
我的数据是这样的:
username | role | password
mannyee Member (sha-256 value)
我已经在 GlassFish 服务器中设置了一个 JDBC 领域 (findRoomieRealm)。那里的属性设置有:
JAAS Context : jdbcRealm
JNDI : jdbc/sample
User Table : users
User Name Column: email
Password Column : password
Group Table : users
Group Name Column: role
Password Encryption Algorithm: SHA-256
Group Table User Name Column: (empty)
然后我在 web.xml
中设置了以下内容<welcome-file-list>
<welcome-file>pages/user/dashboard.xhtml</welcome-file>
</welcome-file-list>
<!-- Protected area definition -->
<security-constraint>
<web-resource-collection>
<web-resource-name>Restricted Area</web-resource-name>
<url-pattern>/pages/user/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>MEMBER</role-name>
</auth-constraint>
</security-constraint>
<!-- Login page -->
<login-config>
<auth-method>FORM</auth-method>
<realm-name>findRoomieRealm</realm-name>
<form-login-config>
<form-login-page>/faces/login.xhtml</form-login-page>
<form-error-page>/faces/error.xhtml</form-error-page>
</form-login-config>
</login-config>
<!-- System roles -->
<security-role>
<role-name>ADMIN</role-name>
</security-role>
<security-role>
<role-name>MEMBER</role-name>
</security-role>
我的问题:
当我尝试访问受保护的页面时,登录页面确实拦截了我可以成功登录系统的请求。我可以通过服务器生成的日志来验证这一点:
Fine: [Web-Security] Setting Policy Context ID: old = null ctxID = findRoomie/findRoomie
Fine: [Web-Security] hasUserDataPermission perm: ("javax.security.jacc.WebUserDataPermission" "/j_security_check" "POST")
Fine: [Web-Security] hasUserDataPermission isGranted: true
Finest: Processing login with credentials of type: class com.sun.enterprise.security.auth.login.common.PasswordCredential
Fine: Logging in user [mannyee] into realm: findRoomieRealm using JAAS module: jdbcRealm
Fine: Login module initialized: class com.sun.enterprise.security.ee.auth.login.JDBCLoginModule
Finest: JDBC login succeeded for: mannyee groups:[Member]
Fine: JAAS login complete.
Fine: JAAS authentication committed.
Fine: Password login succeeded for : mannyee
Fine: Set security context as user: mannyee
但是我在请求的页面(登录后立即)和日志文件上得到了禁止状态:
Fine: [Web-Security] Setting Policy Context ID: old = null ctxID = findRoomie/findRoomie
Fine: [Web-Security] hasUserDataPermission perm: ("javax.security.jacc.WebUserDataPermission" "" "GET")
Fine: [Web-Security] hasUserDataPermission isGranted: true
Fine: [Web-Security] Policy Context ID was: findRoomie/findRoomie
Fine: [Web-Security] Codesource with Web URL: file:/findRoomie/findRoomie
Fine: [Web-Security] Checking Web Permission with Principals : null
Fine: [Web-Security] Web Permission = ("javax.security.jacc.WebResourcePermission" "/pages/user/dashboard.xhtml" "GET")
Finest: JACC Policy Provider: PolicyWrapper.implies, context (findRoomie/findRoomie)- result was(false) permission (("javax.security.jacc.WebResourcePermission" "/pages/user/dashboard.xhtml" "GET"))
Fine: [Web-Security] hasResource isGranted: false
Fine: [Web-Security] hasResource perm: ("javax.security.jacc.WebResourcePermission" "/pages/user/dashboard.xhtml" "GET")
Fine: [Web-Security] Policy Context ID was: findRoomie/findRoomie
Fine: [Web-Security] Generating a protection domain for Permission check.
Fine: [Web-Security] Checking with Principal : mannyee
Fine: [Web-Security] Checking with Principal : Member
Fine: [Web-Security] Codesource with Web URL: file:/findRoomie/findRoomie
Fine: [Web-Security] Checking Web Permission with Principals : mannyee, Member
Fine: [Web-Security] Web Permission = ("javax.security.jacc.WebResourcePermission" "/pages/user/dashboard.xhtml" "GET")
Finest: JACC Policy Provider: PolicyWrapper.implies, context (findRoomie/findRoomie)- result was(false) permission (("javax.security.jacc.WebResourcePermission" "/pages/user/dashboard.xhtml" "GET"))
Fine: [Web-Security] hasResource isGranted: false
虽然具有成员角色的用户应该可以访问它,但服务器禁止来自用户 mannyee 的请求。所以我在 glassfish-web.xml (sun-web.xml)
上设置了以下内容<security-role-mapping>
<role-name>Member</role-name>
<principal-name>mannyee</principal-name>
<!-- <group-name>Member</group-name>-->
</security-role-mapping>
但我仍然无法让该用户访问该页面。我认为问题出在角色分配的某个地方。服务器日志显示 GlassFish 尝试通过将 'mannyee' 和 'Member' 作为委托人来进行授权,但都失败了。还有一行说
Fine: [Web-Security] Checking Web Permission with Principals : null
我不太清楚那是什么意思。
谁能指出我在这里遗漏了什么?
谢谢!!
经过一番修改配置,我终于找到了解决办法。我对我的领域进行了以下更改
Assign Groups: ADMIN,MEMBER
然后在 glassfish-web.xml,
<security-role-mapping>
<role-name>MEMBER</role-name>
<principal-name>MEMBER</principal-name>
<group-name>MEMBER</group-name>
</security-role-mapping>
我也有区分大小写的问题,我在 table 中将角色存储为 Member 但使用 MEMBER在我所有的配置中。