PicketBox EJB authentication on Wicket UI

2011-11-03

I am using EJB (on JBoss) with Wicket as the UI layer. I have added security to my EJB, and my security.conf looks like this:

<application-policy name="my-security-domain"> 
    <authentication> 
     <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required"> 
      <module-option name="usersProperties">META-INF/users.properties</module-option> 
      <module-option name="rolesProperties">META-INF/roles.properties</module-option> 
     </login-module> 
    </authentication> 
</application-policy> 

In the UI layer I authenticate with PicketBox as described on the PicketBox Authentication page: http://community.jboss.org/wiki/PicketBoxAuthentication#PicketBox_Authentication_in_a_JBoss_Application_Server_5_environment

My Wicket AuthenticatedWebSession subclass looks like this:

import java.security.Principal;
import java.security.acl.Group;
import java.util.Enumeration;

import javax.security.auth.Subject;

import org.jboss.security.AuthenticationManager;
import org.jboss.security.SecurityContext;
import org.jboss.security.SimplePrincipal;
import org.picketbox.config.PicketBoxConfiguration;
import org.picketbox.factories.SecurityFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

// Fields and authenticate() of the AuthenticatedWebSession subclass.
// The logger declaration is assumed; the original snippet only referenced LOGGER.
private static final Logger LOGGER = LoggerFactory.getLogger("MySession");

private Subject subject; 
private SecurityContext securityContext; 

@Override 
public boolean authenticate(String username, String password) 
{ 
    boolean authenticated = false; 
    securityContext = null; 
    SecurityFactory.prepare(); 

    try 
    { 
        String securityDomainName = "my-security-domain"; 
        String configFile = "META-INF/security.conf"; 
        // Load the login-module configuration (security.conf above) for this domain
        PicketBoxConfiguration idtrustConfig = new PicketBoxConfiguration(); 
        idtrustConfig.load(configFile); 

        // Note: this is the most important line, where the security context is established
        securityContext = SecurityFactory.establishSecurityContext(securityDomainName); 
        AuthenticationManager am = securityContext.getAuthenticationManager(); 
        subject = new Subject(); 

        // Run the JAAS login; on success the login module populates the Subject
        // with the user principal and a "Roles" group
        Principal principal = new SimplePrincipal(username); 
        Object credential = password; 
        authenticated = am.isValid(principal, credential, subject); 

        // Store principal, credential and subject in the security context established above
        securityContext.getUtil().createSubjectInfo(principal, credential, subject); 
        // You may make call-outs to other components here

        // DEBUG: dump the principals and the role group members the login module assigned
        for (Principal p : subject.getPrincipals()) 
        { 
            LOGGER.debug("Principal: " + p.getName()); 
            if (p instanceof Group) 
            { 
                Group g = (Group) p; 
                Enumeration<? extends Principal> members = g.members(); 
                while (members.hasMoreElements()) 
                { 
                    Principal member = members.nextElement(); 
                    LOGGER.debug("Group name: " + member.getName()); 
                } 
            } 
        } 
    } 
    catch (Exception e) 
    { 
        LOGGER.error("Authentication failed for user " + username, e); 
    } 

    return authenticated; 
} 

So far so good: I can authenticate from the UI against the server. However, any subsequent call to a secured EJB from elsewhere in the UI layer fails with "Invalid User", even though I have already authenticated.

I have tested the authentication in a standalone client, where it works fine and I can call the secured EJB afterwards.

I have also tried authenticating the way listed in this post, and the UI still cannot call the secured EJB: http://iocanel.blogspot.com/2010/09/karafs-jaas-modules-in-action.html

Any help would be greatly appreciated.

Kind regards,

回答


A colleague of mine suggested that I look at the security configuration in the web tier. I solved it with the following configuration:

jboss-web.xml:

<jboss-web> 
    <security-domain>java:/jaas/my-security-domain</security-domain> 
</jboss-web> 

web.xml:

<security-constraint> 
    <web-resource-collection> 
     <web-resource-name>My Resource</web-resource-name> 
     <url-pattern>/app/*</url-pattern> 
     <http-method>GET</http-method> 
     <http-method>POST</http-method> 
    </web-resource-collection> 
    <auth-constraint> 
     <role-name>*</role-name> 
    </auth-constraint> 
</security-constraint> 
<login-config> 
    <auth-method>FORM</auth-method> 
    <form-login-config> 
     <form-login-page>/login.html</form-login-page> 
     <form-error-page>/login-error.html</form-error-page> 
    </form-login-config> 
</login-config> 

Thanks all.

Linh