
Problem description

This is not a simple question; it's just because I'm rethinking our architecture for securing our EJB 3.0 service by a login and security.

We have an EJB 3.0 application on JBoss 5.1 that offers various services to an SWT client to read and write data. To use a service, the client must log in with a valid user and password, which is looked up by SpringSecurity in an LDAP server. SpringSecurity generates a session id which is passed back to the client to be reused in any further service call.

client                            server
   |                                |
   |-> login(user/password)-------->|
   |                                |
   | <------- sessionId ------------|
   |                                |
   |-->serviceXy(sessionId,param1)->|

The situation seems clear. We store the sessionId in our own context object, which is the first parameter of each service method. There is an interceptor on each service method which reads the sessionId from the given context object and checks if the session is still valid. The client needs to call the login service first to get a context object filled with the sessionId and reuse this context object in further service calls.

import java.io.Serializable;
import javax.ejb.Stateless;
import javax.interceptor.Interceptors;

// Passed as the first parameter of every service call; it crosses the RMI
// boundary, so it has to be Serializable.
public class OurContext implements Serializable {
    private String sessionId;

    public String getSessionId() { return sessionId; }
}


@Stateless
@Interceptors(SecurityInterceptor.class)   // validates context.sessionId before each call
public class OurServiceImpl implements OurService {

    public void doSomething(OurContext context, String param1) {
        [...]
    }
}

The thing I don't like about this solution is the pollution of each service method with the context parameter. Isn't there a similar mechanism like an HTTP session in RMI calls? I'm thinking of putting our context object in some kind of session that is created in the client(?) right after the login and is passed to the server on each service call, so that the SecurityInterceptor can read the sessionId from this "magic context".

Something like this:

OurContext ctx = service.login("user","password");
Magical(Jboss)Session.put("securContext", ctx);
service.doSomething("just the string param");
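The question shows the service bean but not the interceptor that guards it. The following is an added example, not the poster's code, of what such a `SecurityInterceptor` can look like: it pulls the context out of the first parameter, fails closed when the context is missing, and rejects unknown or expired session ids before the business method runs. It assumes `OurContext` exposes a `getSessionId()` getter (the question's class shows only the field) and uses an in-memory `SESSION_EXPIRY` map as a stand-in for whatever session store the login service actually writes to.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.ejb.EJBAccessException;
import javax.interceptor.AroundInvoke;
import javax.interceptor.InvocationContext;

// Added example: interceptor for the "context as first parameter" design.
public class SecurityInterceptor {

    // Assumed stand-in for the server-side session store filled by the login
    // service: sessionId -> absolute expiry time in milliseconds.
    static final Map<String, Long> SESSION_EXPIRY = new ConcurrentHashMap<String, Long>();

    @AroundInvoke
    public Object checkSession(InvocationContext ic) throws Exception {
        Object[] params = ic.getParameters();

        // Fail closed: every guarded method must carry the context as its
        // first parameter; a method without one is refused, not waved through.
        if (params == null || params.length == 0 || !(params[0] instanceof OurContext)) {
            throw new EJBAccessException("missing security context on "
                    + ic.getMethod().getName());
        }

        String sessionId = ((OurContext) params[0]).getSessionId();
        if (sessionId == null || !isValid(sessionId)) {
            throw new EJBAccessException("invalid or expired session");
        }
        return ic.proceed();
    }

    // Unknown ids are rejected; expired ids are rejected and evicted so the
    // map does not grow without bound.
    static boolean isValid(String sessionId) {
        Long expiry = SESSION_EXPIRY.get(sessionId);
        if (expiry == null) {
            return false;
        }
        if (expiry.longValue() < System.currentTimeMillis()) {
            SESSION_EXPIRY.remove(sessionId);
            return false;
        }
        return true;
    }
}
```

Because the check throws `EJBAccessException` instead of returning a flag, a caller that skips the login step gets the same outcome as one presenting a stale id: the business method never executes.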

Answer

Since you are already using an app server, it seems that you should be using the built-in EJB security mechanisms, generally provided through JAAS. On the 4.x JBoss line, if you implemented your own JAAS plugin for JBoss, you could get access to a "special" context map (similar to what you describe) which is passed along on remote requests (by the JBoss remote invocation framework). I haven't used JBoss in a while, so not sure how this maps to the 5.1 product, but I have to imagine it has similar facilities. This assumes, of course, that you are willing to implement something JBoss specific.
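To make the answer's suggestion concrete, here is an added example (not the answerer's or the project's code) of the built-in route: the service method loses its context parameter, the container enforces a declarative role check, and the bean reads the authenticated caller from the injected `SessionContext`. The client performs a standard JAAS login through `LoginContext`. The login configuration name `"client-login"` is JBoss's conventional client entry and an assumption here; which login module backs it, and how the resulting identity is propagated on remote EJB calls, is container-specific configuration that is not shown.

```java
import java.io.IOException;
import java.security.Principal;
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Remote;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

// Added example: container-managed security instead of a hand-carried context.
@Remote
interface OurService {
    String doSomething(String param1);
}

@Stateless
public class OurServiceImpl implements OurService {

    @Resource
    private SessionContext ctx;   // injected by the container

    // No OurContext parameter: the container authenticates the caller before
    // the method runs and refuses the call if the caller lacks the "user" role.
    @RolesAllowed("user")
    public String doSomething(String param1) {
        Principal caller = ctx.getCallerPrincipal();
        // The authenticated name is available for auditing or finer-grained
        // checks without any parameter from the client.
        return caller.getName() + " called doSomething(" + param1 + ")";
    }
}

// Client side: a standard JAAS login. The handler answers the name/password
// callbacks of whatever login module is configured under "client-login".
class ClientLogin {

    static LoginContext login(final String user, final char[] password) throws LoginException {
        CallbackHandler handler = new CallbackHandler() {
            public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
                for (Callback cb : callbacks) {
                    if (cb instanceof NameCallback) {
                        ((NameCallback) cb).setName(user);
                    } else if (cb instanceof PasswordCallback) {
                        ((PasswordCallback) cb).setPassword(password);
                    } else {
                        throw new UnsupportedCallbackException(cb);
                    }
                }
            }
        };
        // "client-login" is an assumed JAAS configuration entry name (JBoss convention).
        LoginContext lc = new LoginContext("client-login", handler);
        lc.login();   // throws LoginException on bad credentials
        return lc;
    }
}
```

After `login()` succeeds the client looks up `OurService` via JNDI and calls `doSomething("just the string param")` exactly as the question wished; calling `logout()` on the returned `LoginContext` ends the association. The trade-off the answer names still stands: the server-side login module and the client-side propagation are JBoss-specific pieces you have to configure and, if needed, implement.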


07-05 05:34