Java JBOSS AS7 jax rs jaas和注释
嘿,我希望有人能在过去的两天里帮我找出我做错了什么。 我希望通过编程登录到JAX-RSAPI,并在端点上使用@RoleSlowed注释 我登录很好,可以在登录端点中看到主体集,还可以获得JSESSIONID。但是当我调用带有@RolesAllowedUSER注释的/info/ping端点时,它会抛出未经验证的异常。如果删除注释,则req.getUserPrincipal在cookie集合中为null事件 任何帮助都将不胜感激 我正在使用JBossAS7 设置如下: Standalone.xmlJava JBOSS AS7 jax rs jaas和注释,java,jboss,jax-rs,jaas,Java,Jboss,Jax Rs,Jaas,嘿,我希望有人能在过去的两天里帮我找出我做错了什么。 我希望通过编程登录到JAX-RSAPI,并在端点上使用@RoleSlowed注释 我登录很好,可以在登录端点中看到主体集,还可以获得JSESSIONID。但是当我调用带有@RolesAllowedUSER注释的/info/ping端点时,它会抛出未经验证的异常。如果删除注释,则req.getUserPrincipal在cookie集合中为null事件 任何帮助都将不胜感激 我正在使用JBossAS7 设置如下: Standalone.xml
Servlet3.0中的主体是会话范围的。确保第二个请求已映射/使用同一会话并使用JSSessionID 嘿,谢谢你的回复。第二个请求确实使用了相同的JSESSIONID。您能测试一下您是否真的拥有相同的会话吗?e、 G.在登录期间放置会话属性,并在ping方法中读取。感谢simon,您的评论引导我找到了解决方案。在我的登录方法中,我调用了req.getSession.setAttributetest,test;突然间,一切都起了作用。很明显,即使我得到了一个会话id,我也没有启动会话。我被困在这个问题上这么久,结果证明它是如此简单,这有点让人恼火。。。。
<security-domain name="api" cache-type="default">
<authentication>
<login-module code="Database" flag="required">
<module-option name="dsJndiName" value="java:jboss/datasources/MysqlDS"/>
<module-option name="principalsQuery" value="select password from SiteUser where email=?"/>
<module-option name="rolesQuery" value="select role, 'Roles' from user_roles where email=?"/>
<module-option name="hashAlgorithm" value="MD5"/>
<module-option name="hashEncoding" value="base64"/>
<module-option name="unauthenticatedIdentity" value="GUEST"/>
</login-module>
</authentication>
</security-domain>
<context-param>
<param-name>resteasy.role.based.security</param-name>
<param-value>true</param-value>
</context-param>
<filter>
<filter-name>Resteasy</filter-name>
<filter-class>
org.jboss.resteasy.plugins.server.servlet.FilterDispatcher
</filter-class>
<init-param>
<param-name>javax.ws.rs.Application</param-name>
<param-value>com.surecoin.api.rest.RootApplication</param-value>
</init-param>
<init-param>
<param-name>resteasy.scan</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<security-constraint>
<web-resource-collection>
<web-resource-name>admin_resources</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>PUT</http-method>
<http-method>DELETE</http-method>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<!-- Login Prompt -->
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login/login.xhtml</form-login-page>
<form-error-page>/error.xhtml</form-error-page>
</form-login-config>
</login-config>
<security-role>
<description>Users</description>
<role-name>USER</role-name>
</security-role>
<security-role>
<role-name>guest</role-name>
</security-role>
<security-role>
<description>Admin</description>
<role-name>ADMIN</role-name>
</security-role>
<security-role>
<role-name>GUEST</role-name>
</security-role>
<jboss-web>
<security-domain>api</security-domain>
</jboss-web>
@POST
@Path("login")
@Produces(MediaType.APPLICATION_JSON)
public Response login(@FormParam("email") String email, @FormParam("password") String password,
@Context HttpServletRequest req) {
String username = email;
//only login if not already logged in...
if(req.getUserPrincipal() == null) {
try {
req.login(username, password);
System.out.println(req.getUserPrincipal().toString());
}
catch(ServletException e){
e.printStackTrace();
return Response.status(Response.Status.UNAUTHORIZED).build();
}
} else {
System.out.println(req.getUserPrincipal().toString());
req.getServletContext().log("Skip logged because already logged in: "+ username);
}
req.getServletContext().log("Authentication Demo: successfully retrieved User Profile from DB for " + username);
return Response.ok().build();
}
Finally the security check:
@Path("/info/ping")
@Produces(MediaType.APPLICATION_JSON)
@RolesAllowed("USER")
@GET
public String ping(@Context HttpServletRequest req){
System.out.println(req.getUserPrincipal());
System.out.println(req.isUserInRole("USER"));
return "{\"status\":\"ok\"}";
}