对于不在角色ADMIN中但不在角色USER中的用户,request.isUserInRole(“ADMIN”)也返回true

时间:2009-12-28 10:42:13

标签: security servlets glassfish security-roles jsecurity

我目前正在尝试使用Glasshfish v3中的JDBCRealm: 我有2个角色USER和ADMIN。

我有一个LoginServlet,它根据request.isUserInRole(“ADMIN”)方法重定向到url(例如/ admin或/ user)。

问题是当登录ADMIN时它返回true,因此被重定向到/ admin但他也可以访问/ user。当USER登录时,request.isUserInRole(“ADMIN”)也返回true。 request.isUserInRole(“NONEXISTINGROLE”)为两者返回false。

例如:

  

request.isUserInRole(“ADMIN”)+“”+   request.isUserInRole(“USER”)+“”+   request.isUserInRole( “NONEXISTINGROLE”)

     对于loggedin USER

:返回true true false

     对于loggedin ADMIN,

返回true   真假

这是我的web.xml的一部分:

<security-constraint>
    <display-name>Constraint1</display-name>
    <web-resource-collection>
        <web-resource-name>adminProtected</web-resource-name>
        <description>Administrator restricted area</description>
        <url-pattern>/admin/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>ADMIN</role-name>
    </auth-constraint>
</security-constraint>
<security-constraint>
    <display-name>Constraint2</display-name>
    <web-resource-collection>
        <web-resource-name>userProtected</web-resource-name>
        <description>User restricted area</description>
        <url-pattern>/user/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>USER</role-name>
    </auth-constraint>
</security-constraint>
<security-constraint>
    <display-name>Constraint3</display-name>
    <web-resource-collection>
        <web-resource-name>LoginServlet</web-resource-name>
        <description>All restricted area</description>
        <url-pattern>/LoginServlet</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>USER</role-name>
        <role-name>ADMIN</role-name>
    </auth-constraint>
</security-constraint>

<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>securityJDBC</realm-name>
    <form-login-config>
        <form-login-page>/login.jsf</form-login-page>
        <form-error-page>/login.jsf</form-error-page>
    </form-login-config>
</login-config>

<security-role>
    <description></description>

    <role-name>USER</role-name>
</security-role>
<security-role>
    <description></description>
    <role-name>ADMIN</role-name>
</security-role>
<servlet>
    <description></description>
    <display-name>LoginServlet</display-name>
    <servlet-name>LoginServlet</servlet-name>
    <servlet-class>controllers.LoginServlet</servlet-class>
</servlet>
<servlet-mapping>
    <servlet-name>LoginServlet</servlet-name>
    <url-pattern>/LoginServlet</url-pattern>
</servlet-mapping>

我的sun-web.xml:

    <security-role-mapping>
    <role-name>USER</role-name>
    <group-name>USER</group-name>
</security-role-mapping>
<security-role-mapping>
    <role-name>ADMIN</role-name>
    <group-name>ADMIN</group-name>
</security-role-mapping>

谢谢!

2 个答案:

答案 0 :(得分:2)

通过确保Realm设置“Assign Groups”为空来修复它。 Glassfish将从Group Table中加载它们。

答案 1 :(得分:0)

乍一看,您的安全映射看起来很好。你的用户映射怎么样?看起来用户名和管理员角色都映射了相同的用户名。

相关问题
最新问题