java - How to retrieve permissions from web.xml

Reposted. Author: 行者123. Updated: 2023-11-30 02:04:53

I would like to know whether there is a better way (without reflection) to obtain the java.security.Permissions for a specific URL and role.

For example:

 boolean canAccess = SecurityController.isAllowedToAccessUrl("/pages/confirmOrders.action", Collections.singletonList(new UserPrincipal("Dave")));

applied to the following constraint (web.xml):

<security-constraint>
    <web-resource-collection>
        <web-resource-name></web-resource-name>
        <url-pattern>/pages/confirmOrders.action</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>Dave</role-name>
    </auth-constraint>
</security-constraint>

The code I wrote below works fine. What I don't like is that I have to use reflection to call getContextPolicy on DelegatingPolicy.getInstance() and getPermissionsForRole on ContextPolicy.

import org.jboss.security.jacc.ContextPolicy;
import org.jboss.security.jacc.DelegatingPolicy;

import javax.security.jacc.PolicyConfigurationFactory;
import javax.security.jacc.PolicyContext;
import javax.security.jacc.PolicyContextException;
import javax.security.jacc.WebResourcePermission;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.security.Permissions;
import java.security.Principal;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;

public class SecurityController {
    private static final Logger LOG = Logger.getLogger(SecurityController.class.getName());

    // Returns true if any of the given principals (treated as role names) is granted
    // GET or POST on the URL by the JACC policy built from web.xml.
    static boolean isAllowedToAccessUrl(final String url, final List<Principal> principalRoles) {
        initializeConfigurationInService();

        boolean result = false;
        for (Principal principalRole : principalRoles) {
            try {
                final ContextPolicy contextPolicy = getContextPolicy();
                final Permissions permissions = getPermissionsFromContextPolicy(contextPolicy, principalRole.getName());
                result |= permissions.implies(new WebResourcePermission(url, new String[] {"GET", "POST"}));
            } catch (Exception e) {
                LOG.log(Level.SEVERE, "isAllowedToAccessUrl failed for principal " + principalRole.getName(), e);
            }
        }
        return result;
    }

    // Makes sure the JACC policy configuration for the current context ID has been loaded.
    private static void initializeConfigurationInService() {
        try {
            final PolicyConfigurationFactory policyConfigurationFactory = PolicyConfigurationFactory.getPolicyConfigurationFactory();
            policyConfigurationFactory.getPolicyConfiguration(PolicyContext.getContextID(), false);
        } catch (PolicyContextException | ClassNotFoundException e) {
            LOG.log(Level.INFO, "initializeConfigurationInService", e);
        }
    }

    // Reflectively calls the non-public ContextPolicy.getPermissionsForRole(String).
    private static Permissions getPermissionsFromContextPolicy(ContextPolicy contextPolicy, String loginName)
            throws NoSuchMethodException, IllegalAccessException, InvocationTargetException {
        final Method getPermissionsForRole = contextPolicy.getClass().getDeclaredMethod("getPermissionsForRole", String.class);
        getPermissionsForRole.setAccessible(true);
        return (Permissions) getPermissionsForRole.invoke(contextPolicy, loginName);
    }

    // Reflectively calls the non-public DelegatingPolicy.getContextPolicy(String) for the current context ID.
    private static ContextPolicy getContextPolicy()
            throws NoSuchMethodException, IllegalAccessException, InvocationTargetException {
        final DelegatingPolicy delegatingPolicy = DelegatingPolicy.getInstance();
        final Method getContextPolicy = delegatingPolicy.getClass().getDeclaredMethod("getContextPolicy", String.class);
        getContextPolicy.setAccessible(true);
        return (ContextPolicy) getContextPolicy.invoke(delegatingPolicy, PolicyContext.getContextID());
    }
}

I read "programmatically retrieve security constraints from web.xml" but did not find it very useful.

Any comments or ideas are very welcome. Thanks!

Best answer

Java EE 8 provides a standard method that does roughly what the "isAllowedToAccessUrl" function does:

boolean hasAccessToWebResource(String resource, String... methods)

Checks whether the caller has access to the provided "web resource" using the given methods, as specified by section 13.8 of the Servlet specification. A caller has access if the web resource is either not protected (constrained), or when it is protected by a role and the caller is in that role.

See: SecurityContext#hasAccessToWebResource
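The following is an added example (not code from the question or the answer above) showing how the Java EE 8 SecurityContext method replaces the reflective JBoss-internal lookup: a hypothetical servlet builds a per-caller list of links and only shows the pages the container would actually let the current caller open. The servlet name, URL mapping and the page list other than /pages/confirmOrders.action are assumptions made for this example.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.LinkedHashMap;
import java.util.Map;

import javax.inject.Inject;
import javax.security.enterprise.SecurityContext;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet written for this page. It renders a per-caller menu:
// a link appears only if the container's web.xml <security-constraint> rules
// allow the current caller to open that page, so the menu cannot drift apart
// from the authorization the container really enforces.
@WebServlet("/pages/menu")
public class MenuServlet extends HttpServlet {

    // Java EE 8 Security API (JSR 375). CDI injects a view of the *current*
    // request's caller; unlike the reflective SecurityController in the
    // question, there is no way to ask about an arbitrary Principal list here.
    @Inject
    private SecurityContext securityContext;

    // Constructed list of protected pages. /pages/confirmOrders.action is the
    // URL from the question; the other two are illustrative assumptions.
    private static final String[] PAGES = {
        "/pages/confirmOrders.action",
        "/pages/viewOrders.action",
        "/pages/admin/users.action"
    };

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain;charset=UTF-8");
        PrintWriter out = resp.getWriter();

        // getCallerPrincipal() is null when the caller is not authenticated.
        String caller = securityContext.getCallerPrincipal() == null
                ? "<anonymous>" : securityContext.getCallerPrincipal().getName();
        out.println("caller: " + caller);

        for (Map.Entry<String, Boolean> e
                : accessiblePages(securityContext, PAGES, "GET", "POST").entrySet()) {
            out.println((e.getValue() ? "[allowed] " : "[denied]  ") + e.getKey());
        }
    }

    /**
     * Asks the container, per Servlet spec section 13.8, whether the current
     * caller may access each page with the given HTTP methods. A URL that no
     * security-constraint covers is reported as allowed (it is unprotected),
     * so an unconstrained page shows up as accessible even for an anonymous
     * caller; that matches what the container would decide at request time.
     */
    static Map<String, Boolean> accessiblePages(SecurityContext ctx, String[] pages, String... methods) {
        Map<String, Boolean> result = new LinkedHashMap<>();
        for (String page : pages) {
            result.put(page, ctx.hasAccessToWebResource(page, methods));
        }
        return result;
    }
}
```

With the web.xml constraint from the question deployed, a caller in role "Dave" sees "/pages/confirmOrders.action" as allowed and an anonymous caller sees it as denied. Note the design difference from the question's code: hasAccessToWebResource always evaluates the caller of the current request, so if you genuinely need to test "would user X be allowed" for a user other than the caller, this method does not cover that case.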

Regarding "java - How to retrieve permissions from web.xml", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/51656757/
