Java: Glassfish 3.1 default principal to role mapping

Disclaimer: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 licence. If you use it, you must follow the same CC BY-SA licence, cite the original URL and author information, and attribute it to the original author (not me). StackOverflow original: http://stackoverflow.com/questions/6728164/

Date: 2020-10-30 17:02:22  Source: igfitidea

Glassfish 3.1 default principal to role mapping

Tags: java, jakarta-ee, glassfish, jaas

Asked by user789148

I am working with glassfish and jaas module.


I configured my web.xml in this way.


<security-constraint>
    <web-resource-collection>
        <web-resource-name>ALL Page for admin</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>user</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>file</realm-name>
</login-config>
<security-role>
    <description>Administrator</description>
    <role-name>user</role-name>
</security-role>

It means all users that want to access my web application need to be in the group user.

Then on the glassfish console I need to tick the options in: Configuration -> server-config -> security -> Default Principal To Role Mapping


My question is why I need to tick this Default Principal to Role Mapping? And how can I change my web.xml to avoid ticking it?

Thanks a lot


Loic


Answered by Vineet Reynolds

When you specify the roles and roles in web.xml you are using declarative security, which essentially relies on the use of JAAS to enforce authentication and authorization requirements specified declaratively.

The roles specified in the deployment descriptors are merely representations of the roles that are used in the application. These roles need not be the same as the ones present in the user-identity database (or authentication realm) used at runtime, and usually these might be different, for development of the application may have been undertaken without any regard to the actual users and groups present in the user-identity database.


Typically a mapping is performed between the declarative roles specified in web.xml and the principals or groups present in the user-identity database using the container specific deployment descriptors. In Glassfish 3.1, this happens to be the glassfish-web.xml file. Each such mapping would map a declarative role in the application, to either a principal or a group in a JAAS realm, in the following manner in either glassfish-web.xml (for WAR file deployments) or glassfish-application.xml (for EAR file deployments), or glassfish-ejb-jar.xml (for EJB JAR file deployments):

glassfish-web.xml


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glassfish-web-app PUBLIC "-//GlassFish.org//DTD GlassFish Application Server 3.1 Servlet 3.0//EN" "http://glassfish.org/dtds/glassfish-web-app_3_0-1.dtd">
<glassfish-web-app error-url="">
...
    <security-role-mapping>
        <role-name>user</role-name>
        <principal-name>Root</principal-name> <!-- Map a principal to the role 'user' -->
        <group-name>Administrators</group-name> <!-- Map a group to the role 'user' -->
    </security-role-mapping>
...
</glassfish-web-app>

glassfish-application.xml


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glassfish-application PUBLIC "-//GlassFish.org//DTD GlassFish Application Server 3.1 Java EE Application 6.0//EN" "http://glassfish.org/dtds/glassfish-application_6_0-1.dtd">
<glassfish-application>
...
    <security-role-mapping>
        <role-name>user</role-name>
        <principal-name>Root</principal-name> <!-- Map a principal to the role 'user' -->
        <group-name>Administrators</group-name> <!-- Map a group to the role 'user' -->
    </security-role-mapping>
...
</glassfish-application>

glassfish-ejb-jar.xml


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glassfish-ejb-jar PUBLIC "-//GlassFish.org//DTD GlassFish Application Server 3.1 EJB 3.1//EN" "http://glassfish.org/dtds/glassfish-ejb-jar_3_1-1.dtd">
<glassfish-ejb-jar>
...
    <security-role-mapping>
        <role-name>user</role-name>
        <principal-name>Root</principal-name> <!-- Map a principal to the role 'user' -->
        <group-name>Administrators</group-name> <!-- Map a group to the role 'user' -->
    </security-role-mapping>
...
</glassfish-ejb-jar>

The above descriptors map a role user to a Principal with individual identity of name Root and to a user group with name Administrators in the realm. You can omit either of these mappings, and retain only a role to principal mapping, or a role to group mapping. You may also have multiple principals mapped to the same role, or multiple groups mapped to the same role, or even multiple principals and groups mapped to the same role.

It is important to understand the concept of principals and groups in JAAS realms - a principal represents the identity of a Subject (the user logging into the application) in the system, and it could be an individual identity (a single user) or a group identity (a user group). By mapping the declarative roles to the actual principals or groups, one would be able to enforce rules specified in the web.xml against any user-identity database (i.e. any realm), and be able to do so dynamically without any changes in the codebase; after all, such a change would require re-mapping the declarative roles to the new set of principals and groups, in a possibly different realm. You can find a basic tutorial on how Java EE security and JAAS work together in the chapter on security in the Java EE 6 tutorial.

Glassfish allows for a simplified mapping scheme, where it is not necessary to perform the mapping for all declarative roles in the container-specific deployment descriptor (in this case glassfish-web.xml), as long as the names of the declarative roles happen to be similar to the names of the principals or groups. This is the default principal to role mapping scheme. It appears that in your case, the principals/groups in your realm are the same as the declarative roles specified in web.xml, and hence you would avoid mapping the roles to principals and groups explicitly. In simpler words, if the role user is the same as a principal user or a user group user in your JAAS realm (and similarly for other identities), then you can use the default role to principal mapping scheme of Glassfish, without mapping this for every role in your web.xml file.

If you wish to avoid ticking the deployment option of default principal to role mapping, then you must provide the role to principal/group mapping yourself in the container specific deployment descriptors, as you would normally do for other application servers.


You could read more about this topic in one of the posts on blogs.oracle.com that describes this feature of Glassfish.

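As an added check (my own example, not code from the question, the answer or GlassFish), this Python script parses a web.xml beside its glassfish-web.xml and lists the declared roles that have no explicit security-role-mapping, i.e. the roles that only resolve while the server's default principal-to-role mapping option stays ticked. The two descriptors are constructed samples, and the extra role auditor and the helper names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptors (not a real deployment): web.xml declares two
# roles, glassfish-web.xml maps only 'user', so 'auditor' only resolves while
# the server's 'Default Principal To Role Mapping' option stays ticked.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-role><role-name>user</role-name></security-role>
  <security-role><role-name>auditor</role-name></security-role>
</web-app>"""

GLASSFISH_WEB_XML = """<glassfish-web-app>
  <security-role-mapping>
    <role-name>user</role-name>
    <principal-name>Root</principal-name>
    <group-name>Administrators</group-name>
  </security-role-mapping>
</glassfish-web-app>"""

def _local(tag):
    # Drop the namespace prefix so web.xml's xmlns does not hide elements.
    return tag.rsplit("}", 1)[-1]

def _child_text(parent, names):
    # (local-name, text) for each direct child whose local name is in names.
    return [(_local(c.tag), c.text.strip())
            for c in parent if _local(c.tag) in names and c.text]

def declared_roles(web_xml):
    # Every role the application declares through <security-role>.
    return {t for el in ET.fromstring(web_xml).iter()
            if _local(el.tag) == "security-role"
            for _, t in _child_text(el, {"role-name"})}

def explicit_mappings(gf_xml):
    # role -> [(kind, name), ...] taken from <security-role-mapping> entries.
    mapping = {}
    for el in ET.fromstring(gf_xml).iter():
        if _local(el.tag) != "security-role-mapping":
            continue
        targets = _child_text(el, {"principal-name", "group-name"})
        for _, role in _child_text(el, {"role-name"}):
            mapping.setdefault(role, []).extend(targets)
    return mapping

def unmapped_roles(web_xml, gf_xml):
    # Declared roles with no explicit mapping; they work only with default mapping on.
    return sorted(declared_roles(web_xml) - set(explicit_mappings(gf_xml)))
```

Run unmapped_roles over your own descriptors before unticking the option: any role it returns will stop authorizing anyone until you add a security-role-mapping for it.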