红帽全球峰会2.2. 使用 Elytron 传播和转发身份
2.2.1. 为远程调用传播安全标识符
复制链接链接已复制到粘贴板!
JBoss EAP 7.1 引入了轻松配置服务器和应用,从而将安全身份从客户端传播到服务器以进行远程调用。您还可以将服务器组件配置为在给定用户的安全身份中运行。
本节中的示例演示了如何转发安全身份凭据。它将客户端和 EJB 的安全身份传播到远程 EJB。它返回一个字符串,其中包含名为远程 EJB 的 Principal 的名称,以及用户的授权角色信息。该示例由以下组件组成:
- 个安全的 EJB,它包含一个可由所有用户访问的方法,它将返回有关调用者的授权信息。
- 包含单一方法的中间 EJB。它利用远程连接,并在受保护的 EJB 上调用方法。
- 调用中间 EJB 的远程独立客户端应用。
-
META-INF/wildfly-config.xml文件,其中包含用于身份验证的身份信息。
您必须首先通过配置服务器来启用安全身份传播。接下来 查看使用 WildFlyInitialContextFactory 查找和调用远程 EJB 的示例应用代码。
配置服务器以进行安全传播
配置
ejb3子系统,以使用 ElytronApplicationDomain。/subsystem=ejb3/application-security-domain=quickstart-domain:add(security-domain=ApplicationDomain)这会将以下
application-security-domain配置添加到ejb3子系统:<subsystem xmlns="urn:jboss:domain:ejb3:5.0"> .... <application-security-domains> <application-security-domain name="quickstart-domain" security-domain="ApplicationDomain"/> </application-security-domains> </subsystem>添加
PLAIN身份验证配置,以发送纯文本用户名和密码,以及用于出站连接的身份验证上下文。有关支持身份传播的机制列表,请参阅支持安全身份传播的机制。/subsystem=elytron/authentication-configuration=ejb-outbound-configuration:add(security-domain=ApplicationDomain,sasl-mechanism-selector="PLAIN") /subsystem=elytron/authentication-context=ejb-outbound-context:add(match-rules=[{authentication-configuration=ejb-outbound-configuration}])这会将下列
authentication-client配置添加到elytron子系统:<subsystem xmlns="urn:wildfly:elytron:4.0" final-providers="combined-providers" disallowed-providers="OracleUcrypto"> <authentication-client> <authentication-configuration name="ejb-outbound-configuration" security-domain="ApplicationDomain" sasl-mechanism-selector="PLAIN"/> <authentication-context name="ejb-outbound-context"> <match-rule authentication-configuration="ejb-outbound-configuration"/> </authentication-context> </authentication-client> .... </subsystem>将远程目的地出站套接字绑定到
standard-sockets套接字绑定。/socket-binding-group=standard-sockets/remote-destination-outbound-socket-binding=ejb-outbound:add(host=localhost,port=8080)这会将以下
ejb-outbound出站套接字绑定添加到standard-sockets套接字绑定组中。<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}"> .... <outbound-socket-binding name="ejb-outbound"> <remote-destination host="localhost" port="8080"/> </outbound-socket-binding> </socket-binding-group>添加远程出站连接,并在 HTTP 连接器中设置 SASL 身份验证工厂。
/subsystem=remoting/remote-outbound-connection=ejb-outbound-connection:add(outbound-socket-binding-ref=ejb-outbound, authentication-context=ejb-outbound-context) /subsystem=remoting/http-connector=http-remoting-connector:write-attribute(name=sasl-authentication-factory,value=application-sasl-authentication)这会将以下
http-remoting-connector和ejb-outbound-connection配置添加到远程子系统:<subsystem xmlns="urn:jboss:domain:remoting:4.0"> .... <http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm" sasl-authentication-factory="application-sasl-authentication"/> <outbound-connections> <remote-outbound-connection name="ejb-outbound-connection" outbound-socket-binding-ref="ejb-outbound" authentication-context="ejb-outbound-context"/> </outbound-connections> </subsystem>将 Elytron SASL 身份验证配置为使用
PLAIN机制。/subsystem=elytron/sasl-authentication-factory=application-sasl-authentication:write-attribute(name=mechanism-configurations,value=[{mechanism-name=PLAIN},{mechanism-name=JBOSS-LOCAL-USER,realm-mapper=local},{mechanism-name=DIGEST-MD5,mechanism-realm-configurations=[{realm-name=ApplicationRealm}]}])这会将以下
application-sasl-authentication配置添加到elytron子系统:<subsystem xmlns="urn:wildfly:elytron:4.0" final-providers="combined-providers" disallowed-providers="OracleUcrypto"> .... <sasl> .... <sasl-authentication-factory name="application-sasl-authentication" sasl-server-factory="configured" security-domain="ApplicationDomain"> <mechanism-configuration> <mechanism mechanism-name="PLAIN"/> <mechanism mechanism-name="JBOSS-LOCAL-USER" realm-mapper="local"/> <mechanism mechanism-name="DIGEST-MD5"> <mechanism-realm realm-name="ApplicationRealm"/> </mechanism> </mechanism-configuration> </sasl-authentication-factory> </sasl> .... </subsystem>
服务器现在已配置为为以下示例应用启用安全传播:
查看传播安全身份的应用程序代码示例
在服务器配置中启用了安全身份传播后,EJB 客户端应用可以使用 WildFlyInitialContextFactory 来查找并调用 EJB 代理。EJB 将作为在客户端示例中验证的用户身份调用,如下所示:以下缩写的代码示例取自 JBoss EAP 7.3 附带的 ejb-security-context-propagation 快速入门:有关安全身份传播的完整工作示例,请参见 Quickstart。
若要以其他用户身份调用 EJB,您可以在上下文属性中设置 Context.SECURITY_PRINCIPAL 和 Context.SECURITY_CREDENTIALS。
示例:远程客户端
public class RemoteClient {
public static void main(String[] args) throws Exception {
// invoke the intermediate bean using the identity configured in wildfly-config.xml
invokeIntermediateBean();
// now lets programmatically setup an authentication context to switch users before invoking the intermediate bean
AuthenticationConfiguration superUser = AuthenticationConfiguration.empty().setSaslMechanismSelector(SaslMechanismSelector.NONE.addMechanism("PLAIN")).
useName("superUser").usePassword("superPwd1!");
final AuthenticationContext authCtx = AuthenticationContext.empty().
with(MatchRule.ALL, superUser);
AuthenticationContext.getContextManager().setThreadDefault(authCtx);
invokeIntermediateBean();
}
private static void invokeIntermediateBean() throws Exception {
final Hashtable<String, String> jndiProperties = new Hashtable<>();
jndiProperties.put(Context.INITIAL_CONTEXT_FACTORY, "org.wildfly.naming.client.WildFlyInitialContextFactory");
jndiProperties.put(Context.PROVIDER_URL, "remote+http://localhost:8080");
final Context context = new InitialContext(jndiProperties);
IntermediateEJBRemote intermediate = (IntermediateEJBRemote) context.lookup("ejb:/ejb-security-context-propagation/IntermediateEJB!"
+ IntermediateEJBRemote.class.getName());
// Call the intermediate EJB
System.out.println(intermediate.makeRemoteCalls());
}
}示例:中间 EJB
@Stateless
@Remote(IntermediateEJBRemote.class)
@SecurityDomain("quickstart-domain")
@PermitAll
public class IntermediateEJB implements IntermediateEJBRemote {
@EJB(lookup="ejb:/ejb-security-context-propagation/SecuredEJB!org.jboss.as.quickstarts.ejb_security_context_propagation.SecuredEJBRemote")
private SecuredEJBRemote remote;
@Resource
private EJBContext context;
public String makeRemoteCalls() {
try {
StringBuilder sb = new StringBuilder("** ").
append(context.getCallerPrincipal()).
append(" * * \n\n");
sb.append("Remote Security Information: ").
append(remote.getSecurityInformation()).
append("\n");
return sb.toString();
} catch (Exception e) {
if (e instanceof RuntimeException) {
throw (RuntimeException) e;
}
throw new RuntimeException("Teasting failed.", e);
}
}
}示例:Secured EJB
@Stateless
@Remote(SecuredEJBRemote.class)
@SecurityDomain("quickstart-domain")
public class SecuredEJB implements SecuredEJBRemote {
@Resource
private SessionContext context;
@PermitAll
public String getSecurityInformation() {
StringBuilder sb = new StringBuilder("[");
sb.append("Principal=[").
append(context.getCallerPrincipal().getName()).
append("], ");
userInRole("guest", sb).append(", ");
userInRole("user", sb).append(", ");
userInRole("admin", sb).append("]");
return sb.toString();
}
}示例:wildfly-config.xml 文件
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<authentication-client xmlns="urn:elytron:client:1.2">
<authentication-rules>
<rule use-configuration="default"/>
</authentication-rules>
<authentication-configurations>
<configuration name="default">
<set-user-name name="quickstartUser"/>
<credentials>
<clear-password password="quickstartPwd1!"/>
</credentials>
<sasl-mechanism-selector selector="PLAIN"/>
<providers>
<use-service-loader />
</providers>
</configuration>
</authentication-configurations>
</authentication-client>
</configuration>
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}