项目中用到了EJB 3 web service, 生产环境上都是有安全认证的,常见的认证有2中,一种是数据库认证,另外一种是LDAP认证。这篇文章主要讲述的是LDAP认证,使用的LDAP是openLDAP windows版本。
准备条件:
1. 服务器: JBoss 6 (自行下载)
2. LDAP: Open LDAP for windows (参考网络,很多文档)
3. Maven 依赖:jboss-ejb3-ext-api, jboss-ejb-api, jboss-as-system-jmx
LDAP 配置
1. 依照网络上的通用例子新建一个xx.ldif文件,密码就设置成admin或者其他的,
dn: dc=example,dc=com
objectclass: dcObject
objectclass: organization
o: Example Company
dc: example
dn: cn=Manager,dc=example,dc=com
objectclass: organizationalRole
cn: Manager
2. 添加2个ou(Users, Roles):
dn: ou=Users,dc=example,dc=com
objectclass: organizationalRole
objectclass: top
dn: ou=Roles,dc=example,dc=com
objectclass: organizationalRole
objectclass: top
3. 添加1个测试用户和1个测试角色
dn: uid=tester,ou=Users,dc=example,dc=com
objectclass: top
objectclass: inetOrgPerson
objectclass: person
uid: tester
cn: tester
sn: tester
userPassword:1
dn: cn=test,ou=Users,dc=example,dc=com
objectClass: top
objectClass: groupOfNames
cn: test
description: testgroup
member: uid=tester,ou=Users,dc=example,dc=com
注意:objectClass一定要匹配,不要弄错了。
再添加一个普通用户,不要加入到test组中,
dn: uid=tester2,ou=Users,dc=example,dc=com
objectclass: top
objectclass: inetOrgPerson
objectclass: person
uid: tester
cn: tester
sn: tester
userPassword:1
配置JBoss login config xml
1. 打开jboss-6\server\default\conf\login-config.xml, 在 <application-policy name="other">之前添加一段:
<application-policy name="sd"> <authentication> <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required"> <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option> <module-option name="java.naming.security.authentication">simple</module-option> <module-option name="java.naming.provider.url">ldap://example.com:389</module-option> <module-option name="bindDN">cn=Manager,dc=example,dc=com</module-option> <module-option name="bindCredential">admin</module-option> <module-option name="baseCtxDN">ou=Users,dc=example,dc=com</module-option> <module-option name="baseFilter">(uid={0})</module-option> <module-option name="rolesCtxDN">ou=roles,dc=example,dc=com</module-option> <module-option name="roleFilter">(member={1})</module-option> <module-option name="roleAttributeID">cn</module-option> </login-module> </authentication> </application-policy>
新建MAVEN项目
项目名:securityTest
pom.xml:
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>com.javaeye.ejb</groupId>
<artifactId>securityTest</artifactId>
<version>0.0.1-SNAPSHOT</version>
<packaging>ejb</packaging>
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
</properties>
<dependencies>
<dependency>
<groupId>org.jboss.ejb3</groupId>
<artifactId>jboss-ejb3-ext-api</artifactId>
<version>1.1.1</version>
</dependency>
<dependency>
<groupId>org.jboss.javaee</groupId>
<artifactId>jboss-ejb-api</artifactId>
<version>3.0.0.CR1</version>
</dependency>
<dependency>
<groupId>org.jboss.jbossas</groupId>
<artifactId>jboss-as-system-jmx</artifactId>
<version>6.0.0.M1</version>
</dependency>
</dependencies>
<build>
<finalName>securityTest</finalName>
<resources>
<resource>
<directory>src/main/resources</directory>
<filtering>true</filtering>
</resource>
</resources>
<plugins>
<plugin>
<artifactId>maven-compiler-plugin</artifactId>
<version>2.3.2</version>
<configuration>
<source>1.6</source>
<target>1.6</target>
<encoding>utf8</encoding>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-ejb-plugin</artifactId>
<version>2.3</version>
<configuration>
<ejbVersion>3.0</ejbVersion>
</configuration>
</plugin>
</plugins>
</build>
</project>
Service Interface:
package com.javaeye.test;
import javax.jws.WebService;
import javax.jws.soap.SOAPBinding;
@WebService(targetNamespace = "http://www.javaeye.com/test/", name = "test")
@SOAPBinding(parameterStyle = SOAPBinding.ParameterStyle.BARE)
public interface Test {
public String process(String parameters);
}
Service Impl
package com.javaeye.ejb;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;
import javax.jws.WebService;
import org.jboss.ejb3.annotation.SecurityDomain;
import org.jboss.wsf.spi.annotation.WebContext;
import com.javaeye.test.Test;
@Stateless
@WebService(serviceName = "Test", endpointInterface = "com.javaeye.test.Test", targetNamespace = "http://www.javaeye.com/test/")
@WebContext(contextRoot = "securityTest", urlPattern = "/test", authMethod = "BASIC", secureWSDLAccess = true)
@SecurityDomain("sd")
public class SecurityTestService implements Test{
@RolesAllowed({ "test" })
public String process(String parameters) {
return "Hello, " + parameters;
}
}
Service 很简单,就是一个hello + input。
执行 mvn clean install, 在target会生成一个jar包,把架包丢到jboss deploy目录下,启动jboss, 可以看到service注册成功:
15:31:41,069 INFO [org.jboss.wsf.stack.cxf.metadata.MetadataBuilder] Add Service
id=SecurityTestService
address=http://localhost:9000/securityTest/test
implementor=com.javaeye.ejb.SecurityTestService
invoker=org.jboss.wsf.stack.cxf.InvokerEJB3
serviceName={http://www.javaeye.com/test/}Test
portName={http://www.javaeye.com/test/}SecurityTestServicePort
wsdlLocation=null
mtomEnabled=false
通过soup ui新建一个project, wsdl:http://localhost:9000/securityTest/test?wsdl
回车后要求输入用户和密码,则填入:tester/1,回车后打开项目,双击process方法下面的Request 1
Input:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:test="http://www.javaeye.com/test/"> <soapenv:Header/> <soapenv:Body> <test:process>aaa</test:process> </soapenv:Body> </soapenv:Envelope>
case 1: 在SOAP UI Reuest Property里面设置Username=tester, Password=1, (正确的用户,有正确的权限)然后执行方法,将返回
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"> <soap:Body> <processResponse xmlns="http://www.javaeye.com/test/">Hello, aaa</processResponse> </soap:Body> </soap:Envelope>
case 2: 在SOAP UI Reuest Property里面设置Username=tester, Password=12, (错误的用户密码)然后执行方法,将返回
<html><head><title>JBoss Web/3.0.0-CR1 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 401 - </h1><HR size="1" noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> <u></u></p><p><b>description</b> <u>This request requires HTTP authentication ().</u></p><HR size="1" noshade="noshade"><h3>JBoss Web/3.0.0-CR1</h3></body></html>
case 3: 在SOAP UI Reuest Property里面设置Username=tester2, Password=1, (正确的用户,没有权限)然后执行方法,将返回
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"> <soap:Body> <soap:Fault> <faultcode>soap:Server</faultcode> <faultstring>Caller unauthorized</faultstring> </soap:Fault> </soap:Body> </soap:Envelope>
至此,测试完毕。谢谢阅读!