访问受保护的 URL 时出现 JAAS 禁止错误 (403)

JAAS Forbidden Error (403) when accessing a protected URL

我刚刚开始在 GlassFish 服务器上使用 JSF、JPA 和 EJB 开发一个宠物项目,目前我正在使用 JAAS 设置身份验证模块。现在差不多完成了,除了一个我无法找到解决方案的错误。

我的前提

我在数据库中有一个 table users 存储所有 email, passwordrole(暂时未规范化)。我对团体没有任何规定。用户只是被分配了一个角色。

我的数据是这样的:

username        |   role   |      password
mannyee            Member        (sha-256 value)  

我已经在 GlassFish 服务器中设置了一个 JDBC 领域 (findRoomieRealm)。那里的属性设置有:

JAAS Context    :   jdbcRealm
JNDI        :   jdbc/sample
User Table  :   users
User Name Column:   email 
Password Column :   password
Group Table :   users
Group Name Column:  role
Password Encryption Algorithm:  SHA-256
Group Table User Name Column: (empty)

然后我在 web.xml

中设置了以下内容
<welcome-file-list>
    <welcome-file>pages/user/dashboard.xhtml</welcome-file>
</welcome-file-list>

<!-- Protected area definition -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Restricted Area</web-resource-name>
        <url-pattern>/pages/user/*</url-pattern> 
    </web-resource-collection>

    <auth-constraint>
        <role-name>MEMBER</role-name>
    </auth-constraint>
</security-constraint>


<!-- Login page -->
<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>findRoomieRealm</realm-name>
    <form-login-config>
        <form-login-page>/faces/login.xhtml</form-login-page>
        <form-error-page>/faces/error.xhtml</form-error-page>
    </form-login-config>
</login-config>

<!-- System roles -->
<security-role>
 <role-name>ADMIN</role-name>
</security-role>
<security-role>
 <role-name>MEMBER</role-name>
</security-role>

我的问题:

当我尝试访问受保护的页面时,登录页面确实拦截了我可以成功登录系统的请求。我可以通过服务器生成的日志来验证这一点:

Fine:   [Web-Security] Setting Policy Context ID: old = null ctxID = findRoomie/findRoomie
Fine:   [Web-Security] hasUserDataPermission perm: ("javax.security.jacc.WebUserDataPermission" "/j_security_check" "POST")
Fine:   [Web-Security] hasUserDataPermission isGranted: true
Finest:   Processing login with credentials of type: class com.sun.enterprise.security.auth.login.common.PasswordCredential 
Fine:   Logging in user [mannyee] into realm: findRoomieRealm using JAAS module: jdbcRealm
Fine:   Login module initialized: class com.sun.enterprise.security.ee.auth.login.JDBCLoginModule
Finest:   JDBC login succeeded for: mannyee groups:[Member]
Fine:   JAAS login complete.
Fine:   JAAS authentication committed.
Fine:   Password login succeeded for : mannyee
Fine:   Set security context as user: mannyee

但是我在请求的页面(登录后立即)和日志文件上得到了禁止状态:

Fine:   [Web-Security] Setting Policy Context ID: old = null ctxID = findRoomie/findRoomie
Fine:   [Web-Security] hasUserDataPermission perm: ("javax.security.jacc.WebUserDataPermission" "" "GET")
Fine:   [Web-Security] hasUserDataPermission isGranted: true
Fine:   [Web-Security] Policy Context ID was: findRoomie/findRoomie
Fine:   [Web-Security] Codesource with Web URL: file:/findRoomie/findRoomie
Fine:   [Web-Security] Checking Web Permission with Principals : null
Fine:   [Web-Security] Web Permission = ("javax.security.jacc.WebResourcePermission" "/pages/user/dashboard.xhtml" "GET")
Finest:   JACC Policy Provider: PolicyWrapper.implies, context (findRoomie/findRoomie)- result was(false) permission (("javax.security.jacc.WebResourcePermission" "/pages/user/dashboard.xhtml" "GET"))
Fine:   [Web-Security] hasResource isGranted: false
Fine:   [Web-Security] hasResource perm: ("javax.security.jacc.WebResourcePermission" "/pages/user/dashboard.xhtml" "GET")
Fine:   [Web-Security] Policy Context ID was: findRoomie/findRoomie
Fine:   [Web-Security] Generating a protection domain for Permission check.
Fine:   [Web-Security] Checking with Principal : mannyee
Fine:   [Web-Security] Checking with Principal : Member
Fine:   [Web-Security] Codesource with Web URL: file:/findRoomie/findRoomie
Fine:   [Web-Security] Checking Web Permission with Principals : mannyee, Member
Fine:   [Web-Security] Web Permission = ("javax.security.jacc.WebResourcePermission" "/pages/user/dashboard.xhtml" "GET")
Finest:   JACC Policy Provider: PolicyWrapper.implies, context (findRoomie/findRoomie)- result was(false) permission (("javax.security.jacc.WebResourcePermission" "/pages/user/dashboard.xhtml" "GET"))
Fine:   [Web-Security] hasResource isGranted: false

虽然具有成员角色的用户应该可以访问它,但服务器禁止来自用户 mannyee 的请求。所以我在 glassfish-web.xml (sun-web.xml)

上设置了以下内容
<security-role-mapping>
    <role-name>Member</role-name>
    <principal-name>mannyee</principal-name>
    <!--        <group-name>Member</group-name>-->
  </security-role-mapping>

但我仍然无法让该用户访问该页面。我认为问题出在角色分配的某个地方。服务器日志显示 GlassFish 尝试通过将 'mannyee' 和 'Member' 作为委托人来进行授权,但都失败了。还有一行说

    Fine:   [Web-Security] Checking Web Permission with Principals : null

我不太清楚那是什么意思。

谁能指出我在这里遗漏了什么?

谢谢!!

经过一番修改配置,我终于找到了解决办法。我对我的领域进行了以下更改

Assign Groups: ADMIN,MEMBER

然后在 glassfish-web.xml,

<security-role-mapping>
    <role-name>MEMBER</role-name>
    <principal-name>MEMBER</principal-name>
    <group-name>MEMBER</group-name>
</security-role-mapping>

我也有区分大小写的问题,我在 table 中将角色存储为 Member 但使用 MEMBER在我所有的配置中。