Java: Where do I have to put @DeclareRoles?

Tags: java, security, jakarta-ee

I basically understand what @DeclareRoles and @RolesAllowed do, but I'm not sure where @DeclareRoles has to be added. I'm testing with a Vaadin application that uses EJB session beans and CDI on GlassFish 4. The application is packaged as a war, not an ear.

- @DeclareRoles on no class: obviously nothing works. HttpServletRequest.isUserInRole() and SessionContext.isCallerInRole() always return false, and @RolesAllowed always denies access.
- @DeclareRoles on the servlet: @RolesAllowed and HttpServletRequest.isUserInRole() work as expected. SessionContext.isCallerInRole() always returns false.
- @DeclareRoles on a session bean: @RolesAllowed, HttpServletRequest.isUserInRole() and SessionContext.isCallerInRole() all work as expected, even when SessionContext.isCallerInRole() is called in a session bean other than the one carrying @DeclareRoles.

So do I have to add the annotation to the bean that uses SessionContext.isCallerInRole() or @RolesAllowed?
Method permissions can be specified on the class, on the business methods of the class, or on both. A method permission specified on a method of the bean class overrides the method permission value specified on the entire bean class. The following annotations are used to specify method permissions:

- @DeclareRoles: specifies all the roles the application will use, including roles that are not explicitly named in a @RolesAllowed annotation. The set of security roles used by the application is the union of the security roles defined in the @DeclareRoles and @RolesAllowed annotations. When declaring the name of a role that is used as a parameter to the isCallerInRole(String roleName) method, the declared name must be the same as the parameter value.

The following example code demonstrates the use of the @DeclareRoles annotation:

```java
@DeclareRoles("BusinessAdmin")
public class Calculator {
    ...
}
```
The syntax for declaring more than one role is shown in the following example:

```java
@DeclareRoles({"Administrator", "Manager", "Employee"})
```
- @RolesAllowed("list-of-roles"): specifies the security roles permitted to access methods in an application. This annotation can be specified on a class or on one or more methods. When specified at the class level, the annotation applies to all methods in the class. When specified on a method, the annotation applies to that method only and overrides any value specified at the class level.
- @PermitAll: specifies that all security roles are permitted to execute the specified method or methods. The user is not checked against a database to ensure that he or she is authorized to access this application.
- @DenyAll: specifies that no security roles are permitted to execute the specified method or methods. This means that these methods are excluded from execution in the Java EE container.
The following code snippet demonstrates the use of the @DeclareRoles annotation together with the isCallerInRole method. In this example, the @DeclareRoles annotation declares the role that the enterprise bean PayrollBean uses for its security check: it calls isCallerInRole("payroll") to verify that the caller is authorized to change salary data:

```java
@DeclareRoles("payroll")
@Stateless
public class PayrollBean implements Payroll {
    @Resource SessionContext ctx;

    public void updateEmployeeInfo(EmplInfo info) {
        oldInfo = ... read from database;

        // The salary field can be changed only by callers
        // who have the security role "payroll"
        Principal callerPrincipal = ctx.getCallerPrincipal();
        if (info.salary != oldInfo.salary && !ctx.isCallerInRole("payroll")) {
            throw new SecurityException(...);
        }
        ...
    }
    ...
}
```
The following example code illustrates the use of the @RolesAllowed annotation:

```java
@DeclareRoles({"Administrator", "Manager", "Employee"})
public class Calculator {
    // Only callers in the "Administrator" role may change the rate
    @RolesAllowed("Administrator")
    public void setNewRate(int rate) {
        ...
    }
}
```
```java
import javax.annotation.security.*;

// @PermitAll on convertCurrency overrides the class-level
// @RolesAllowed("RestrictedUsers"): any caller may convert currency
@RolesAllowed("RestrictedUsers")
public class Calculator {
    @RolesAllowed("Administrator")
    public void setNewRate(int rate) {
        //...
    }
    @PermitAll
    public long convertCurrency(long amount) {
        //...
    }
}
```

```java
import javax.annotation.security.*;

// @DenyAll on convertCurrency overrides the class-level
// @RolesAllowed("Users"): no caller may invoke it in the container
@RolesAllowed("Users")
public class Calculator {
    @RolesAllowed("Administrator")
    public void setNewRate(int rate) {
        //...
    }
    @DenyAll
    public long convertCurrency(long amount) {
        //...
    }
}
```

```java
@RolesAllowed("admin")
public class SomeClass {
    public void aMethod () {...}
    public void bMethod () {...}
    ...
}

// The method-level @RolesAllowed("HR") on aMethod overrides the "admin"
// constraint declared on SomeClass; bMethod keeps the "admin" constraint
@Stateless
public class MyBean extends SomeClass implements A {
    @RolesAllowed("HR")
    public void aMethod () {...}
    public void cMethod () {...}
    ...
}
```
More information:
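As an added example that is not part of the original question or answer: a small reflection-based audit that applies the rules above to a bean class, resolving each method's effective permission (method-level annotation over class-level, the class-level annotation covering the methods declared in that class) and collecting the application's role set as the union of @DeclareRoles and @RolesAllowed values. The nested SomeClass/MyBean pair is constructed to mirror the answer's last snippet, and the javax.annotation-api jar is assumed to be on the classpath for the `javax.annotation.security` imports.

```java
import javax.annotation.security.*;
import java.lang.reflect.Method;
import java.util.*;

public final class MethodPermissionAudit {

    // Effective permission of one method:
    //   null      -> no method permission specified
    //   empty set -> @DenyAll
    //   {"*"}     -> @PermitAll
    //   otherwise -> the roles listed in @RolesAllowed
    static Set<String> requiredRoles(Method m) {
        Set<String> fromMethod = rolesOf(m.getAnnotation(RolesAllowed.class),
                m.isAnnotationPresent(PermitAll.class), m.isAnnotationPresent(DenyAll.class));
        if (fromMethod != null) return fromMethod;          // method-level wins
        Class<?> declaring = m.getDeclaringClass();          // class-level of the declaring class
        return rolesOf(declaring.getAnnotation(RolesAllowed.class),
                declaring.isAnnotationPresent(PermitAll.class),
                declaring.isAnnotationPresent(DenyAll.class));
    }

    private static Set<String> rolesOf(RolesAllowed ra, boolean permitAll, boolean denyAll) {
        if (denyAll) return Collections.emptySet();
        if (permitAll) return Collections.singleton("*");
        if (ra != null) return new TreeSet<>(Arrays.asList(ra.value()));
        return null;
    }

    // Application role set: union of @DeclareRoles and every @RolesAllowed in the hierarchy
    static Set<String> applicationRoles(Class<?> bean) {
        Set<String> roles = new TreeSet<>();
        for (Class<?> c = bean; c != null && c != Object.class; c = c.getSuperclass()) {
            DeclareRoles dr = c.getAnnotation(DeclareRoles.class);
            if (dr != null) roles.addAll(Arrays.asList(dr.value()));
            RolesAllowed ra = c.getAnnotation(RolesAllowed.class);
            if (ra != null) roles.addAll(Arrays.asList(ra.value()));
            for (Method m : c.getDeclaredMethods()) {
                RolesAllowed mra = m.getAnnotation(RolesAllowed.class);
                if (mra != null) roles.addAll(Arrays.asList(mra.value()));
            }
        }
        return roles;
    }

    // Constructed sample beans mirroring the SomeClass/MyBean snippet above
    @RolesAllowed("admin")
    static class SomeClass { public void aMethod() {} public void bMethod() {} }
    @DeclareRoles("payroll")
    static class MyBean extends SomeClass {
        @RolesAllowed("HR") @Override public void aMethod() {}
        public void cMethod() {}
        @DenyAll public void dMethod() {}
    }

    public static void main(String[] args) throws Exception {
        for (String name : new String[] {"aMethod", "bMethod", "cMethod", "dMethod"})
            System.out.println(name + " -> " + requiredRoles(MyBean.class.getMethod(name)));
        System.out.println("application roles: " + applicationRoles(MyBean.class));
    }
}
```

Running the audit against a real bean class makes a gap visible before deployment: a role name passed to isCallerInRole that does not appear in the computed application role set cannot match at runtime, which is the symptom described in the question.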