How do I access JAAS roles at an arbitrary point in the code?

Time: 2021-04-30 23:59:02

I want to access the full model of users with their roles in my SOAP app. For example, I might want to know the role of a user called "Fred."

How do I reach into some sort of global JAAS registry and do (pseudocode) globalRegistry.getUser("Fred").getPrincipals()? (Note that in JAAS, a role is represented by a Principal.)

I know how to get the Principal of the Subject from the LoginContext, but that has two problems.

  1. It is only at the moment of login, and I'd prefer not to code the aforementioned registry and store the Subject and Principal objects myself, as they are already stored by the appserver.
  2. Preferably, I want to be able to access this information even when Fred is not the current user.

I am using Jetty, but I presume that these behaviors are standard to JAAS.

5 solutions

#1


We use a ThreadLocal variable to reference the current user as authenticated at the system entrypoint (a servlet or EJB in our case). This allows 'global' access to the current user. This is not directly tied to JAAS or any other security protocol, but can be initialized from them.

EDIT: The return from the ThreadLocal is the Subject for the current user.

Accessing other users would typically be done via some type of admin module.
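The ThreadLocal holder this answer describes, as an added example that is not code from the answer or from any particular appserver; the RolePrincipal type and the Subject built in main are constructed stand-ins for what a real LoginModule and LoginContext would produce. The point worth showing is the cleanup: the binding is undone in a finally block so a pooled thread never carries one caller's Subject into the next request.

```java
import java.security.Principal;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.Callable;
import javax.security.auth.Subject;

// Holder for the Subject authenticated at the entrypoint; bound for exactly one unit of work.
public final class CurrentSubject {
    private static final ThreadLocal<Subject> CURRENT = new ThreadLocal<>();

    private CurrentSubject() {}

    // Runs work with subject bound to this thread and always restores the previous binding,
    // so a pooled request thread never carries one caller's identity into the next request.
    public static <T> T runAs(Subject subject, Callable<T> work) throws Exception {
        Subject previous = CURRENT.get();
        CURRENT.set(Objects.requireNonNull(subject, "subject"));
        try {
            return work.call();
        } finally {
            if (previous == null) CURRENT.remove(); else CURRENT.set(previous);
        }
    }

    // Fails closed: no bound Subject means no role.
    public static boolean hasRole(String role) {
        Subject s = CURRENT.get();
        if (s == null) return false;
        for (RolePrincipal p : s.getPrincipals(RolePrincipal.class)) {
            if (p.getName().equals(role)) return true;
        }
        return false;
    }

    // Hypothetical role Principal; a real LoginModule adds its own Principal type.
    public static final class RolePrincipal implements Principal {
        private final String name;
        public RolePrincipal(String name) { this.name = Objects.requireNonNull(name); }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) { return o instanceof RolePrincipal && name.equals(((RolePrincipal) o).name); }
        @Override public int hashCode() { return name.hashCode(); }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample; the entrypoint would take this Subject from its LoginContext.
        Subject fred = new Subject(true, Set.of(new RolePrincipal("admin")), Set.of(), Set.of());
        System.out.println("inside runAs: " + runAs(fred, () -> hasRole("admin")));
        System.out.println("outside runAs: " + hasRole("admin"));
    }
}
```

The first line prints true and the second false, which is the property a request filter relies on when it wraps chain.doFilter in runAs.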

#2


A pattern I have seen is:

// Needs java.security.{AccessControlContext, AccessController, Principal}, java.util.{Collections, Set} and javax.security.auth.Subject
AccessControlContext acc = AccessController.getContext();
Subject subject = Subject.getSubject(acc); // null when no Subject is bound to this context
// Guard the null case instead of letting getPrincipals() throw a NullPointerException
Set<Principal> principals = subject == null ? Collections.<Principal>emptySet() : subject.getPrincipals();

Essentially, this finds the subject currently associated with the current thread, and asks for its principals.

One example of the use of this is in Apache Jackrabbit's RepositoryImpl. It's in the extendAuthentication method, whose job is to determine what Jackrabbit rights the current thread has when creating a new session (I think).

However, I should note that this may not necessarily actually work, at least in J2EE contexts. I'm using this code under JBoss AS7, and it doesn't find a subject. That might just be a bug, though.
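An added example, not from this answer or from Jackrabbit, showing why the pattern finds a Subject in one place and null in another: Subject.getSubject only sees a Subject that was attached to the current AccessControlContext by Subject.doAs somewhere up the call stack, which container-managed threads typically never do. NamedPrincipal and the Subject in main are constructed stand-ins. Note that AccessController and Subject.getSubject are deprecated for removal since JDK 17; JDK 18 added Subject.callAs and Subject.current() as the replacement pair.

```java
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.Set;
import java.util.TreeSet;
import javax.security.auth.Subject;

// Shows where Subject.getSubject(AccessController.getContext()) finds a Subject and where it does not.
public final class SubjectLookup {

    // Names of the Principals on the Subject bound to the current access-control context,
    // or an empty set when none is bound, so callers fail closed instead of hitting a NullPointerException.
    public static Set<String> currentPrincipalNames() {
        Subject subject = Subject.getSubject(AccessController.getContext());
        if (subject == null) {
            return Set.of();
        }
        Set<String> names = new TreeSet<>();
        for (Principal p : subject.getPrincipals()) {
            names.add(p.getName());
        }
        return names;
    }

    // Hypothetical Principal type standing in for what a LoginModule would add.
    public static final class NamedPrincipal implements Principal {
        private final String name;
        public NamedPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    public static void main(String[] args) {
        // Constructed sample Subject; LoginContext.getSubject() would supply the real one.
        Subject fred = new Subject(true,
                Set.of(new NamedPrincipal("Fred"), new NamedPrincipal("admin")), Set.of(), Set.of());

        // Inside doAs the Subject is attached to the AccessControlContext, so the lookup finds it.
        Set<String> inside = Subject.doAs(fred,
                (PrivilegedAction<Set<String>>) SubjectLookup::currentPrincipalNames);
        // On a thread that never entered doAs (typical for container-managed threads) nothing is found.
        Set<String> outside = currentPrincipalNames();

        System.out.println("inside doAs: " + inside);
        System.out.println("outside doAs: " + outside);
    }
}
```

If an appserver does not wrap request dispatch in Subject.doAs, the second lookup is exactly the "doesn't find a subject" case the answer reports.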

#3


To me, it seems this mixes the appserver's users, groups etc. with J2EE application roles.

  • Getting permissions of a certain user is an administration task and usually has to be accomplished using appserver-specific APIs.

  • The JAAS programming model works on a higher level of abstraction. It only provides the information whether a user is in a J2EE role (defined within the application).

#4


I believe that JAAS was designed to not really allow what you are trying to do. I know in the apps I've built that needed that sort of functionality, I had to side-step JAAS and program directly to whatever the actual identity repository was, be it LDAP, ActiveDirectory or whatever.

#5


In an EJB use

@Resource(mappedName = "java:comp/EJBContext")
protected SessionContext sessionContext;

And try with context.lookup("java:comp/EJBContext") at any point.

This code is for the JBoss server family; for other servers, look in their JNDI to find it.
