Using Java EE's ServerAuthModule and web.xml to configure user access control

Source: Internet
Author: User


ServerAuthModule itself is not elaborated here; you can look it up on Baidu.

Focus on the comments in the web.xml below:

    <!-- the roles defined for the web-app -->
    <security-role>
        <role-name>Spx.main</role-name>
    </security-role>
    <security-role>
        <role-name>Spx.user</role-name>
    </security-role>

    <!-- only requests matching a security-constraint are passed through the ServerAuthModule -->
    <security-constraint>
        <web-resource-collection>
            <!-- this name is mandatory and freely chosen; it is used by tools, not referenced elsewhere -->
            <web-resource-name>All</web-resource-name>
            <!-- the resources to constrain; at least one, there may be several -->
            <url-pattern>/*</url-pattern>
            <!-- the constrained HTTP method; if none is listed, the constraint applies to all methods -->
            <http-method>POST</http-method>
        </web-resource-collection>
        <!-- auth-constraint is optional -->
        <!-- no <auth-constraint> means every role may access POST; an empty <auth-constraint/> means no role may access POST -->
        <auth-constraint>
            <!-- optional: which roles may invoke the constrained methods on the resources above. Here only callers
                 holding the Spx.user role may use POST; <role-name> must match one of the <security-role>s above -->
            <role-name>Spx.user</role-name>
        </auth-constraint>
    </security-constraint>

Add the SAM module's jar to the project, package the project as a war, deploy it to a Java EE container and start the service; URL-level access control is now in place.

Assuming the verification above has passed and the request has reached the doPost method of VerifyAuthModuleServlet, you can add the following to doPost to obtain the user information:

    UserInfo userInfo = (UserInfo) req.getUserPrincipal();

You can also add the following to check whether the user has another role:

    if (req.isUserInRole("Spx.admin")) {
        res.setStatus(HttpServletResponse.SC_OK); // status code lost in the source; 200 assumed
        res.getWriter().print("hello");
        return;
    }

Note: "Spx.admin" must be one of the roles declared for the web-app (a <security-role>), otherwise isUserInRole() always returns false.

Method-level permission checks in EJBs

Take the following stateless session bean:

    import java.security.Principal;
    import java.util.logging.Logger;
    import javax.annotation.Resource;
    import javax.annotation.security.RolesAllowed;
    import javax.ejb.EJB;
    import javax.ejb.SessionContext;
    import javax.ejb.Stateless;

    @Stateless
    public class HelloWorldBean implements HelloWorldLocal {
        private Logger logger = Logger.getLogger(HelloWorldBean.class.getName());

        @EJB // injected by annotation
        private Other other;

        @Resource
        private SessionContext sessionContext;

        @RolesAllowed("Spx.user")
        public String sayHello(String name) {
            // the caller established by the ServerAuthModule is visible inside the EJB
            Principal principal = sessionContext.getCallerPrincipal();
            logger.info("==========ejb=============" + principal.getName());
            return name + " said: Hello World! " + other.sayMe();
        }
    }

@RolesAllowed checks whether the calling user holds this role: if so, the method body is entered; if not, an EJBAccessException is thrown.

    try {
        String greeting = helloWorldLocal.sayHello("Jiangmeng");
    } catch (EJBAccessException e) {
        // caller lacks the Spx.user role required by @RolesAllowed
        res.setStatus(403);
        res.getWriter().write("{\"err\": \"403 forbidden\"}");
    }

By catching the exception we can give the client an appropriate hint.

Note also that, as seen above, inside the EJB the user information can be obtained through sessionContext.getCallerPrincipal().
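As an added example (not code from the original post), here is the SAM side that makes the web.xml configuration above work end to end: it reads the isMandatory flag the container sets when a request matches a <security-constraint>, and on success registers the caller and group through the JASPIC callbacks so that getUserPrincipal(), isUserInRole("Spx.user") and @RolesAllowed("Spx.user") resolve. SpxServerAuthModule and the authenticate() hook are assumed names, UserInfo is assumed to be the page's principal class implementing java.security.Principal, and whether the group name maps 1:1 to the web.xml role depends on the container's group-to-role mapping.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.message.*;
import javax.security.auth.message.callback.*;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public abstract class SpxServerAuthModule implements ServerAuthModule {
    private CallbackHandler handler;

    // Site-specific credential check (assumption): return the caller, or null if no valid credentials.
    protected abstract UserInfo authenticate(HttpServletRequest req);

    @Override public void initialize(MessagePolicy reqPolicy, MessagePolicy resPolicy, CallbackHandler handler, Map options) {
        this.handler = handler; // container-supplied; consumes the callbacks below
    }

    @Override public AuthStatus validateRequest(MessageInfo info, Subject client, Subject service) throws AuthException {
        HttpServletRequest req = (HttpServletRequest) info.getRequestMessage();
        HttpServletResponse res = (HttpServletResponse) info.getResponseMessage();
        // "true" only when URL and method match a <security-constraint> in web.xml
        boolean mandatory = Boolean.parseBoolean(String.valueOf(
                info.getMap().get("javax.security.auth.message.MessagePolicy.isMandatory")));
        UserInfo user = authenticate(req);
        try {
            if (user != null) {
                // req.getUserPrincipal() will now return our UserInfo; the group is what the
                // container maps to the Spx.user role for isUserInRole() and @RolesAllowed.
                handler.handle(new Callback[] {
                    new CallerPrincipalCallback(client, user),
                    new GroupPrincipalCallback(client, new String[] { "Spx.user" }) });
                return AuthStatus.SUCCESS;
            }
            if (!mandatory) { // unconstrained resource: let it through as an anonymous caller
                handler.handle(new Callback[] { new CallerPrincipalCallback(client, (Principal) null) });
                return AuthStatus.SUCCESS;
            }
            res.setStatus(HttpServletResponse.SC_UNAUTHORIZED); // constrained resource, no valid caller
            return AuthStatus.SEND_FAILURE;
        } catch (IOException | UnsupportedCallbackException e) {
            throw (AuthException) new AuthException(e.getMessage()).initCause(e);
        }
    }

    @Override public AuthStatus secureResponse(MessageInfo info, Subject service) { return AuthStatus.SEND_SUCCESS; }
    @Override public void cleanSubject(MessageInfo info, Subject s) { }
    @Override public Class[] getSupportedMessageTypes() { return new Class[] { HttpServletRequest.class, HttpServletResponse.class }; }
}
```

The module is registered with the container's AuthConfigFactory (or the container's own deployment descriptor), which is container specific and not covered by the page.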
