In "jee6 学习笔记 11", we explored the JAAS configuration for a JSF2.0 application with JBoss7.1, so far so good.
This article would explore the JAAS APIs that enable further control on application component. We are going to explore two topics: "Hiding the navigation urls from the web app menu" and "Control access to EJB methods".
1. Hiding menu items for users that have no access to them
Now that we secure the web application based on the security domain configured in JBoss and the roles we defined in our database. We want to hide menu items that user has no access to.
For instance, in our example, user "jason" only has role "usr" allocated to him, such that "jason" has no access to resources like "/student/*". Therefore, "jason" should not see menu items "Student" at all after he logged in.
To achieve this, we can use JAAS api which is made available by HttpServletRequest (Servlet3.0). We can actually use EL directly in the menu page as "rendered=#{request.isUserInRole('admin')}" :
<p:submenu label="#{msgs.student}"> <p:menuitem value="#{msgs.studentSearch}" url="/student/studentSearch.jsf" rendered="#{request.isUserInRole('admin')}" /> <p:menuitem value="#{msgs.studentNew}" url="/student/studentDetails.jsf" rendered="#{request.isUserInRole('admin')}"/> <p:separator/> <p:menuitem value="#{msgs.blah}" url="#"/> </p:submenu>
With this in place, "jason" would not see menu items that are not accessible. However, if he is naughty and figured out our url patterns, he still can manually enters the url in his browser. That's no problem, he'll get the no access error page, like this screen shot:
This is the Chinese version of it (-;
2. Control access to EJB methods
Here's the JAAS api to use for different context:
EJB | javax.ejb.EJBContext.isCallerInRole(role) |
Servlet | javax.servlet.http.HttpServletRequest.isUserInRole(role) |
Web Service | javax.xml.ws.WebServiceContext.isUserInRole(role) |
Access control to EJB methods can be achieved by using annotation @javax.annotation.security.RolesAllowed, But it's also necessary to let the EJB know our security domain, which was configured in JBoss. We need to use JBoss specific annotation to do this: @org.jboss.ejb3.annotation.SecurityDomain. This annotation can be found in JBoss ("C:\jboss-as-7.1.1\modules\org\jboss\ejb3\main") and you need to add it to your project class path for compilation.
Here's the test ejb "JaasEjbTest.java":
package test.jxee.ejb; import javax.annotation.PostConstruct; import javax.annotation.Resource; import javax.annotation.security.RolesAllowed; import javax.ejb.SessionContext; import javax.ejb.Stateless; import org.apache.log4j.Logger; import org.jboss.ejb3.annotation.SecurityDomain; @Stateless @SecurityDomain("jwSecureTest") // our security domain configured in JBoss public class JaasEjbTest { private static final Logger log = Logger.getLogger(JaasEjbTest.class); @Resource private SessionContext sc; // for testing only @PostConstruct public void init() { log.debug(">>> ejb post inited: " + this); } @RolesAllowed({"admin"}) // this method requires "admin" role to access public String getMessage() { boolean callerInRole = sc.isCallerInRole("admin"); // test JAAS api log.debug(">>> caller in role ? " + callerInRole); return "-- hello from JAAS ejb test --"; } }
Here's the backing bean:
package test.jxee.action; import java.io.Serializable; import javax.ejb.EJB; import javax.faces.bean.ManagedBean; import org.apache.log4j.Logger; import test.jxee.ejb.JaasEjbTest; @ManagedBean(name="jaasTest") public class JaasTestBean implements Serializable { private static final Logger log = Logger.getLogger(JaasTestBean.class); @EJB private JaasEjbTest jtest; public String getMsg() { try { return jtest.getMessage(); } catch(javax.ejb.EJBAccessException eae) { log.warn("### Unauthorized access to ejb: " + JaasEjbTest.class.toString()); } return "-- You have no access to the EJB --"; } }
Here's the jsf page:
<ui:composition xmlns="http://www.w3.org/1999/xhtml" xmlns:h="http://java.sun.com/jsf/html" xmlns:f="http://java.sun.com/jsf/core" xmlns:ui="http://java.sun.com/jsf/facelets" xmlns:p="http://primefaces.org/ui" template="/template/template1.xhtml"> <ui:define name="title">Test JAAS</ui:define> <ui:define name="content"> <h:form> <p:panel header="JAAS api test on EJB method" toggleable="true" style="width:60%"> <h:panelGrid columns="1"> <h:outputText id="output" value="#{jaasTest.msg}" escape="false"/> </h:panelGrid> </p:panel> </h:form> </ui:define> </ui:composition>
Screen shot of the page, when user "j2ee"(roles: admin/usr) logged in and try to access the ejb:
Screen shot of the page, when user "jason"(roles: usr) logged in and try to access the ejb:
相关推荐
这篇"jee6 学习笔记 5 - Struggling with JSF2 binding GET params"主要探讨了开发者在使用JSF2绑定GET参数时可能遇到的挑战和解决方案。 JSF2是一个基于MVC(模型-视图-控制器)设计模式的Java框架,用于创建交互...
在Java企业版(Java EE)6中,`@Asynchronous`注解是一个非常重要的特性,它使得开发者可以方便地在应用程序中实现异步处理。这个注解是Java EE并发编程的一部分,主要应用于EJB(Enterprise JavaBeans)环境,用于...
NULL 博文链接:https://jxee.iteye.com/blog/1575432
2. **服务器端API**:用于创建REST服务端点,包括`Application`、`Component`、`Host`和`Router`等核心类。开发者可以自定义这些类来处理HTTP请求,实现业务逻辑。 3. **协议栈**:Restlet支持多种传输协议,如HTTP...
标题中的“JEE6 学习系列告一段落,uploaded zipped project after JAAS security”表明这是一个关于Java Enterprise Edition(JEE)6的项目,特别关注了Java Authentication and Authorization Service (JAAS)的...
### JEE企业应用笔记 #### 一、JSP与Servlet **JSP (Java Server Pages)** 和 **Servlet** 是Java Web开发中的两个核心组件。它们共同构建了动态Web应用程序的基础。 ##### JSP基本语法 在JSP页面中,可以通过...
JEE6(Java Platform, Enterprise Edition 6)是Java EE的第六个版本,它在Java EE 5的基础上对Java的企业级应用开发进行了进一步的优化和增强。JEE6不仅包括了Java EE 5的大多数特性,还引入了更多的新功能和技术,...
eclipse-jee-2021-12-R-win32-x86_64 eclipse-jee-2021-12-R-win32-x86_64 eclipse-jee-2021-12-R-win32-x86_64
《Eclipse JEE 2020-12 R 中文版:打造高效Java开发环境》 Eclipse JEE 2020-12 R 是一个强大的集成开发环境(IDE),专为Java企业级应用开发设计。这个版本是Eclipse的年度发布,集成了最新的技术和优化,旨在提供...
Restlet库提供了开发RESTful API所需的一系列组件和工具,使得开发者可以更方便地创建、部署和管理RESTful服务。在Apache Atlas中,Restlet可能被用来构建或集成RESTful接口,从而提供对数据管理和元数据服务的远程...
jee5 api 手册,查看jee api的相关内容
【JEE入门(深入浅出学习JEE)】 Java企业版(Java Enterprise Edition,简称JEE),也称为Java EE,是Oracle公司推出的企业级应用程序开发平台。它为开发分布式、多层架构的Web应用程序提供了全面的框架和服务。JEE...
"eclipse-jee-2020-12"是Eclipse针对Java企业版(Java EE)的一个特定版本,发布于2020年12月。这个版本包含了多项更新、改进和新特性,旨在提高开发者的工作效率和代码质量。 首先,Eclipse 2020-12 提供了对最新...
Eclipse JEE 2021-12 RC1 Win32 x86_64.zip 是一个针对Windows操作系统x86_64架构的Java EE开发环境的压缩包,包含了Eclipse IDE的最新版本,专门用于Java企业级应用的开发。这个版本是2021年12月发布的候选版本1...
《Eclipse IDE for Java开发者:深入解析eclipse-jee-2020-12-R-win32-x86_64》 Eclipse IDE,全称集成开发环境(Integrated Development Environment),是全球广泛使用的开源Java开发工具。该版本"eclipse-jee-...
标题 "jee-2018-12下附属插件.rar" 暗示这是一个针对Java Enterprise Edition (Java EE, 现在被称为Jakarta EE) 的2018年12月版本的插件集合。这个压缩包可能包含了一系列用于开发、调试或优化Java EE应用程序的工具...
API(Application Programming Interface)则是Java语言提供的接口集合,是开发者进行程序设计的重要参考。JDK 1.8是Java的一个重要版本,它引入了许多新的特性和功能,以增强开发者的生产力和代码质量。 1. **...
eclipse-jee-2023-12-R-win32-x86_64.zip 适用于Windows系统
标题 "eclipse_4.10-jee-2018-12-R-win32-x86_64" 指的是Eclipse IDE的一个特定版本,适用于Java企业版(Java Enterprise Edition,简称JEE)开发。这个版本是Eclipse 4.10,发布于2018年12月,代号为"Photon",并且...
Eclipse IDE for Enterprise Java and Web Developers (eclipse-jee-2021-12-R-win32-x86_64.zip)适用于Windwos x86_64